In July 2023, the Securities and Exchange Commission (SEC) adopted rules requiring companies to disclose “material cybersecurity incidents” within four days of discovering the incident, and to provide an annual update about their “cybersecurity risk management, strategy, and governance”.
The rules, which officially went into effect on September 5, 2023, affect publicly traded companies and were, as noted by Cybersecurity Dive, “designed to ensure investors and other members of the public are informed about these events in a much more timely and consistent manner.” We expand on these rules below and also offer insights on how to better protect sensitive data (hint: use a password manager!) against cyber security incidents.
Publicly traded companies and “foreign private issuers” are required to comply with the new rules.
Registrants are required to disclose on the new Item 1.05 of Form 8-K any cybersecurity incident they determine to be material and to describe the material aspects of the incident's nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant.
An Item 1.05 Form 8-K will generally be due four business days after a registrant determines that a cybersecurity incident is material.
The new rules also add Regulation S-K Item 106, which will require registrants to describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, as well as the material effects or reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents.
Item 106 will also require registrants to describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats. These disclosures will be required in a registrant's annual report on Form 10-K.
The rules require comparable disclosures by foreign private issuers on Form 6-K for material cybersecurity incidents and on Form 20-F for cybersecurity risk management, strategy, and governance.
While the updates pertaining to cyber security risk management went into effect on September 5, SC Media notes the incident reporting portion doesn’t go live until December 18, 2023 for larger publicly traded companies. Smaller businesses are required to begin incident reporting 180 days after the December 18th deadline.
A recent Wall Street Journal article notes the following:
“The SEC gave companies discretion to determine whether a hack is material as long as the definition conforms to established case law and legislation enacted in the 1930s.
That is, information is material if a reasonable person would consider it important when making an investment decision, or if it would significantly affect existing publicly available information about a company. Any doubts should be resolved in the favor of the investor.”
In its official press release about the rules, SEC Chair Gary Gensler compared a company losing a factory in a fire to the loss of millions of files in a cybersecurity incident, noting both situations are plausibly ‘material’ to investors. But as explored in the same Wall Street Journal article, questions of materiality can be complex and materiality ambiguous. Discerning the technical impact of breaches takes time, as does determining the financial impact. According to the Wall Street Journal, the main takeaway of materiality is that the SEC wants investors to know if a cyber incident has affected a company’s financial health and performance.
Stopping all cyber security incidents is impossible. But, there are steps companies can take in order to better protect their data from internal and external threats. One of the most impactful and effective is to deploy an enterprise-wide password manager. Enforcing strong password policies for employees allows companies to establish a first line of defense against data breaches. By enabling employees to create, manage, and store strong and unique passwords in an encrypted vault, companies help guard against the proliferation of weak or reused passwords. This is important, as data points to the role insecure credentials play in facilitating cyber incidents. According to the Verizon 2023 Data Breach Investigations Report, stolen credentials accounted for initial access in 86% of web application breaches.
When used consistently, password managers offer security and transparency. They can also help prevent material breaches, empowering businesses to avoid having to file with the SEC. In offering a strategy for ‘managing material risks from cybersecurity threats’, they also better position business to make the case that they have a data breach prevention game plan in place.