Understanding the SEC Cybersecurity Rules and What They Mean for Companies
Blackhats. Virtual miscreants. Digital ne'er-do-wells. They're coming for the good stuff. And by good stuff, we mean the mountains of business information sitting in your systems and data environment. Ripe for the picking.
Thanks to rampant digitalization by way of remote work, cloud computing, IoT, crypto, and a gazillion other examples, companies are exposed to myriad susceptibilities and cybersecurity risks. This makes regulations like the SEC's recent ruling on all things cybersecurity an absolute necessity for the betterment of enterprises, investors, stakeholders, and society itself.
But what does the new SEC rule mean for you and your organization? Will you have to jump through fiery IT hoops to get and stay compliant? Well, stick around for a few minutes because we've gone through the SEC release and are about to spill the regulatory tea.
Overview of the SEC Cybersecurity Rules
We'd bet our bottom dollar you've recently received an email from a company saying your personal information was part of a data breach. How can we be so certain? Because everyone gets those emails. All the time. Cybersecurity collapses are just a part of life at this point.
Of course, we don't mean to sound flippant about it. We're just trying to point out how pervasive the issue really is, with public companies being squarely in the bull's eye for digital criminals. And as we all know, cyber attacks can be devastating, disrupting operations or compromising sensitive information like intellectual property, leading to potential financial losses and legal liabilities, not to mention damaged reputations and investor confidence.
Consequently, as the number and severity of cybersecurity risks and incidents continue to skyrocket, the SEC recognized the need for enhanced regulations to protect investors and ensure consistent, transparent disclosures for public companies.
Previous Guidance and the Need for New Rules
Before these most recent cybersecurity rules from the SEC, there was a lack of explicit disclosure requirements on cybersecurity risks and incidents in our securities laws. Although the fine folks at the US Securities and Exchange Commission issued interpretive guidance in 2011 and 2018, substantial inconsistencies remained, a fact the SEC was all too aware of.
Recognizing the ever-evolving digital landscape and ongoing challenges public companies face in disclosing material cybersecurity information, the Commission issued proposed rules in March 2022. The objective was to provide investors with clear, comparable, and decision-useful information to assess material cybersecurity risks and incidents in a timely manner.
These new rules, adopted in July 2023, build upon the existing guidance, addressing the gaps and shortcomings that made them generally ineffective. This time, we have a more standardized framework to ensure consistent disclosure practices and enhance the understanding of a registrant's cybersecurity risk management, strategy, and governance.
In short, the SEC is trying to instill confidence in investors and nurture informed decision-making, all while promoting more robust cybersecurity practices across public companies. And that's news that should put a bounce in the step of companies, investors, and stakeholders alike.
Who Does the Cybersecurity Rule Impact?
The final rule from the SEC casts an extremely wide net, impacting all SEC filers subject to the Exchange Act. This includes domestic registrants, foreign private issuers (FPIs), smaller reporting companies (SRCs), and emerging growth companies (EGCs). The bottom line – if you're an SEC filer, it's in your best interest to keep reading these sage insights.
Key Requirements of the Cybersecurity Incident Disclosure Rules
Now that we've laid the groundwork, let's roll up our sleeves and dig a little deeper into these new cybersecurity rules from the SEC. And we're going to start by looking at the two categories the cybersecurity disclosures focus on – cybersecurity incidents and cybersecurity risk management, strategy, and governance.
One of the key requirements outlined by the SEC is the disclosure of material cybersecurity incidents through the new Item 1.05 to Form 8-K (Form 6-K for FPIs). This requirement helps ensure investors and stakeholders are properly informed about significant cybersecurity events that could impact the company's operations, financial condition, or results of operations.
Note the use of the term "properly informed" in the previous paragraph. Timing is of the essence when it comes to cybersecurity incidents: disclosing a crusty old incident that occurred several quarters or years ago does little to give a financial statement user timely information.
That brings us to the concept of materiality. The trigger for reporting such incidents is the date a company determines a cybersecurity incident is material, not the date of the incident's discovery. This ensures companies report material incidents without unreasonable delay after they make the determination. In other words, report users are properly informed.
Sidebar – What Is a Cybersecurity Incident?
In the recent ruling, the SEC defined a cybersecurity incident as:
An unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant's information systems that jeopardizes the confidentiality, integrity, or availability of a registrant's information systems or any information residing therein.
Note that an incident can be either deliberate or accidental. Also, in the context of the new disclosure rules, information systems include resources either owned or used by the registrant. Thus, it doesn't matter whether your data sits in the cloud or on systems you host yourself; it all falls within the ruling. To that point, a company must consider incidents that occur within its own walls as well as those at third-party service providers.
Further, if several related occurrences take place – perhaps involving the same vulnerability – a reporting entity should treat them as a single cybersecurity incident under the above definition. Therefore, even if such occurrences are immaterial individually, they still fall within the incident definition, and they must be disclosed if, taken together, they materially affect the enterprise.
Obviously, the concept of materiality is front and center in this new ruling. In this instance, the SEC deems information material if "there is a substantial likelihood that a reasonable shareholder would consider it important" in making an investment decision, or if it would have "significantly altered the 'total mix' of information made available."
Further, the rules require a company to assess the qualitative and quantitative factors to determine the material impact of the incident on the company. Such factors read like the greatest hits of SEC disclosures – financial condition, results of operations, reputation, customer and vendor relationships, potential litigation, and regulatory consequences.
Timeline for Disclosure
Back to the notion of properly informed investors and stakeholders, the timeline for disclosing material cybersecurity incidents on Form 8-K is within four business days of determining materiality. The SEC acknowledges there may be instances where a company has incomplete information about the incident but, at the very least, still knows enough to determine materiality. In such cases, the materiality determination should not be delayed unreasonably. Again, the goal is to keep report users properly informed, and timely information is essential in that regard.
Required Disclosure Elements for Material Incidents
Companies must provide comprehensive information about an incident's nature, scope, and timing when disclosing material cybersecurity incidents. This includes a description of the incident's material aspects as well as its impact on the company, particularly concerning financial condition and results of operations.
That said, companies aren't required to disclose specific or technical details about their incident response plans or cybersecurity systems in a way that could hinder the incident's remediation. Instead, the focus should be on providing meaningful and informative disclosures without compromising the company's ability to address the incident effectively.
Put another way, instead of providing a blueprint for criminals to circumvent cybersecurity measures in the future, a company can provide transparent, accurate information to report users without giving away the cybersecurity farm. Because, as we all know, loose lips sink ships.
Similarly, the rule also includes certain national security and public safety measures. Specifically, a company can delay reporting an incident if the US Attorney General determines a substantial risk to national security or public safety may occur due to the disclosure. In these instances, the AG would notify the Commission of this determination in writing before the 8-K filing deadline.
Cybersecurity Risk Management, Strategy, and Governance
Switching to the second disclosure category, the new rule adds Item 106 to Regulation S-K, requiring companies to disclose relevant information on their cyber risk management, strategy, and governance in Form 10-K. Note that FPIs disclose this information under the new Item 16K of Form 20-F.
Risk Management and Strategy Disclosure Requirements
Zeroing in on the risk management and strategy aspects of the requirement, companies must now provide disclosures that shed light on their processes for assessing, identifying, and managing any material risks stemming from cybersecurity threats. This is yet another instance where entities offer greater transparency to investors and their decision-making process by incorporating this type of information into annual reports.
Item 106 requires entities to describe their risk management processes with enough detail to give a reasonable investor a solid understanding of these processes. This description should encompass various aspects of the risk management processes, including:
- Integration of cybersecurity risk management processes into the overall risk management system
- Engagement of assessors, consultants, auditors, or third parties connected to these processes
- Identification of material risks from cybersecurity threats associated with the use of third-party service providers
- Description of any risks from cybersecurity threats – including those from previous cyber incidents – that have materially impacted or are reasonably likely to materially impact the company, including its financial condition, business strategy, or results of operations
This is an opportunity for businesses to demonstrate their proactive approach to addressing cybersecurity threats. So, if you've employed advanced technologies, engaged external experts, or developed new internal cybersecurity policies or procedures, wear it loud and proud by way of these new disclosures.
Governance Disclosure Requirements
Companies must also provide a clear picture of the Board of Directors' role in managing cybersecurity threats, including:
- Description of the board's oversight of risks from cybersecurity threats
- Identifying any specific board committees responsible for such oversight
- Processes the company uses to inform the board or relevant committees about these risks
Similarly, management's role is critical in assessing and managing cybersecurity risks. Therefore, this disclosure should address management's involvement in these processes as well, including:
- Specific roles or committees responsible for assessing and managing the risks
- The expertise of relevant individuals or committee members
- Any processes in place to inform management about cybersecurity incidents, as well as monitor prevention, detection, mitigation, and remediation efforts
Once again, this is an opportunity to showcase both the board's and management's commitment to addressing cybersecurity risks, ensuring effective oversight, and implementing robust processes. As a result, investors can assess risks, evaluate risk management practices, and feel confident in a company's ability to navigate a seriously complex cybersecurity landscape.
Before discussing effective dates, next steps, and best practices, note that you must present these new disclosures in Inline eXtensible Business Reporting Language – Inline XBRL for short. However, this particular requirement to tag disclosures in Inline XBRL doesn't take hold until a year after initial compliance with the overall disclosure requirements.
We'll make this short and sweet since you want to get to our best practices as quickly as possible.
Cybersecurity incident reporting via Form 8-K (Form 6-K for FPIs)
- SRCs – Beginning June 15, 2024
- All other registrants – December 18, 2023
Periodic reporting on cybersecurity risk management, strategy, and governance via Form 10-K (Form 20-F for FPIs)
- All registrants, including SRCs – Fiscal years ending on or after December 15, 2023
Next Steps and Best Practices
So, that was a lot of information. But where do you go from here, especially if you lag a bit behind on the cybersecurity front? First and foremost, our advice is to start preparing immediately since those effective compliance dates are right around the corner. Aside from not dilly-dallying, though, we have some additional best practices for you to take to heart.
Processes, Procedures, and Controls
We won't get preachy by saying your processes, procedures, and controls should always function like a finely tuned machine. Because you've probably heard it before and, although you know it's the truth, you have a lot on your plate. And we get that.
Still, these new cybersecurity disclosure rules definitely have a bite to them, especially the requirement to report material incidents within four business days of the materiality determination. Four business days. That's simply not a lot of time, and if anything goes sideways, meeting that deadline will be tough. And then some.
Practically speaking, determining the materiality of an incident could prove to be quite challenging on its own. Judgment plays a critical role in your materiality assessments, particularly when the incident occurs at a third-party service provider. In those cases, the information you need to make the determination won't necessarily be readily available to you. And that puts you in a tough spot.
Our advice – look at how you design and implement controls and procedures relating to communication with your third-party service providers. Because efficient, effective communication could very well be the determining factor in your ability to comply with these new rules.
Although the SEC requires you to disclose material aspects of a cybersecurity incident's nature, scope, timing, and impact, it also stresses the importance of protecting sensitive information to avoid exposing vulnerabilities to malicious actors.
Therefore, the actual drafting of your disclosures requires careful consideration, toeing the line between providing sufficient, timely information and safeguarding your cybersecurity profile. After all, publicly disclosing such information could increase scrutiny or even liability resulting from possible regulatory enforcement or litigation. So tread lightly.
Coordinate with Existing Disclosures
To maintain consistency, coordinate your disclosure of cybersecurity risk management, strategy, and governance with your existing risk factor and proxy statement disclosures. Also, review any previous public statements related to cybersecurity to ensure they align with the new requirements. You may need to enhance or revise existing disclosures to ensure compliance and provide investors with a comprehensive understanding of your cybersecurity governance and processes.
Finally, boards should take this opportunity to reevaluate ongoing oversight responsibilities under these new cybersecurity rules from the SEC. In doing so, board members can ensure they receive the timely information and relevant, accurate data they need to effectively fulfill their responsibilities and help ensure appropriate governance relating to cybersecurity issues and these new reporting requirements.
A Final Word from Embark for Public Companies
Yes, the stakes are high for public entities regarding these new cybersecurity rules. But thankfully, you probably already have a solid foundation in place. Because, whether it's for your typical financial reporting, ESG and sustainability, cybersecurity, or anything else, it's all going to stem from the reporting function you already have in place.
Therefore, our advice is to make sure the usual suspects are up to the task – a neat and tidy data environment, adequate systems, efficient and effective processes, stout disclosure controls, and a knowledgeable team that knows their way around these new disclosures. And if you happen to fall short in any of these critical areas, you know what to do. Embark is at the ready, armed with the experience and expertise to get you compliant and help you stay there. So let's talk.