What Are the SEC’s New Rules for Cybersecurity Disclosures?
The SEC’s new rules for cybersecurity disclosures are reporting requirements that apply to public companies. Announced on July 26, 2023, these final rules mandate the transparent and timely disclosure of material cybersecurity incidents and information related to cybersecurity risk management, strategy, and governance.
What Is the SEC’s Role in Cybersecurity?
As part of its overall mission to protect and foster the United States’ economy, the US Securities and Exchange Commission (SEC) regulates and oversees the cybersecurity practices of publicly traded companies, particularly investment firms and other areas of the financial industry.
Its areas of focus include:
- Disclosure and reporting: To maintain transparency and accountability, the SEC requires publicly traded companies to disclose material risks and cyber incidents. This keeps shareholders and investors in the loop about cybersecurity threats that could have a material impact on an organization's stability and operations.
- Regulatory compliance: SEC regulations such as the Safeguards Rule under the Gramm-Leach-Bliley Act require organizations to create and maintain robust cybersecurity programs to protect their information systems and sensitive customer data.
- Guidance and oversight: To help organizations improve their security posture in the face of evolving threats, the SEC offers guidance and best practices around risk assessments, incident response plans, remediation, and cybersecurity governance.
- Enforcement: The SEC has the authority to fine, penalize, or otherwise sanction organizations for noncompliance with SEC rules around information security or reporting requirements.
What Are the New SEC Disclosure Requirements?
The new SEC cybersecurity disclosure rules announced in July 2023 pertain to public companies in the United States. Broadly, these rules are meant to help investors make decisions about where to invest by providing more information about how seriously an organization takes cybersecurity risk.
Companies that share details on their process for tracking cyber risk—such as how they create and track cyber risk scores over time, and their processes for reporting to and engaging their board of directors on risk—stand to differentiate themselves in investors’ eyes.
The SEC seeks to strike a balance between organizations giving investors enough data to be well-informed without “increasing a company’s vulnerability to cyberattack … to avoid requiring disclosure of the kinds of operational details that could be weaponized by threat actors.”
The Federal Register shows the rules took effect September 5, 2023, and all registrants other than smaller reporting companies must begin complying on December 15, 2023.
Summary of Changes
- Timely incident reporting: New Item 1.05 of Form 8-K requires reporting of material cybersecurity incidents within four business days of when an incident is deemed “material.” Failure to file in a timely manner will not impact Form S-3 eligibility.
- Limited reporting delay for security: With SEC consent and US Attorney General approval, organizations may delay disclosure up to 120 days if it could create a national security risk.
- Comprehensive incident disclosures: If required Form 8-K information is not yet available at filing, registrants must acknowledge this and file an amendment once it is obtained, which reduces redundant updates in later periodic filings.
- Broader “cybersecurity incident” definition: For a more holistic view of risk, the SEC’s definition of a “cybersecurity incident” now extends to a series of related events.
- Annual risk reporting (Form 10-K): Regulation S-K Item 106 mandates yearly reporting on cybersecurity risk, strategy, governance, and board oversight—but does not mandate disclosure of board members’ relevant expertise.
- Foreign private issuers: FPIs must issue comparable disclosures of material cybersecurity incidents as well as their cybersecurity risk management, strategy, and governance.
- Compliance timing: The new rules became effective 30 days after publication in the Federal Register, but precise timelines vary based on an organization’s size.
What Are the Details of the Key Requirements?
Form 8-K: Timely Incident Reporting
The addition of Item 1.05 to Form 8-K introduces a crucial change in the required disclosure process. Organizations must report material cybersecurity incidents—including details on the timing of the incident, its impact or likely impact, and other details—within four business days of determining that the incident is material, and that materiality determination must itself be made without unreasonable delay.
This change hinges on another amendment that updates the definition of an incident.
Broad Definition of “Cybersecurity Incident”
In support of the new Item 1.05, the final rules adopt a broader definition of a “cybersecurity incident,” extending it to “a series of related unauthorized occurrences.” This accomplishes two things. First, it recognizes that the full scope or impact of a cyberattack doesn’t always surface or occur all at once. Second, it enables multiple incidents that may not be individually “material” (such as small-scale repeat attacks by the same malicious actor) to constitute a single material impact, making them subject to Item 1.05.
Temporary Delay in Reporting
Registrants may delay filing under Item 1.05 if the US Attorney General determines that the disclosure of an incident could pose a substantial risk to national security or public safety. The Attorney General must notify the SEC in writing. The initial 30-day delay can be extended, with notice, by an additional 30 days, and then by a further 60 days, if the AG determines that disclosure continues to pose such risks. Filing extensions beyond a total of 120 days require an SEC exemptive order.
Updated Incident Disclosures
To help ensure investors get more complete and relevant information about an organization’s risks, as part of Form 8-K disclosure, registrants must identify any information required by Item 1.05 that they have not yet determined or been able to obtain. Subsequently, when this information becomes available, registrants must file a Form 8-K amendment detailing such information.
When the required information for the Item 1.05 Form 8-K disclosure is not yet ascertainable or available at the time of filing, the company must acknowledge this fact in the Form 8-K and subsequently file an amendment within four business days after obtaining the missing information. Notably, subsequent periodic filings will not necessitate updates based on this information.
Aggregation of Incidents
The concept of cybersecurity incident aggregation is a noteworthy change from the proposed rules. While the requirement to disclose individually immaterial incidents has been omitted, the new, broader definition of a cybersecurity incident, which encompasses “a series of related unauthorized occurrences,” enables a more comprehensive overview of incident-related disclosures.
Form 10-K: Cybersecurity Risk Management, Strategy, and Governance
Starting with annual reports for fiscal years ending on or after December 15, 2023, Regulation S-K Item 106 requires registrants to describe how they assess, identify, and manage material risks from cyberthreats, as well as the effects—or likely effects—of those risks on their business strategy, results of operations, or financial condition.
Registrants also must describe the board’s oversight of cybersecurity risks.
Disclosure of Management’s Role and Responsibilities
Another measure of Item 106 requires registrants to report on management's role in assessing and managing material risks, including the positions or committees responsible, the relevant expertise of those parties, their monitoring processes, and whether they report their findings to the board of directors or a board committee.
The SEC considered but ultimately did not implement a new disclosure requirement for registrants to report the cybersecurity expertise of board members in addition to management, asserting that the other required disclosures under Item 106 were sufficient to inform investors.
Foreign Private Issuers
Form 6-K and Form 20-F for FPIs now require material incident, risk management, strategy, and governance disclosures comparable to those required of domestic registrants under the new Item 106 and Item 1.05.
The SEC believes these new cybersecurity disclosure requirements will support investors in making better-informed investment decisions in relation to FPIs, stating in the final amendment notes that “FPIs' cybersecurity incidents and risks are not any less important ... than those of domestic registrants.”
Structured Data Requirements
Registrants are now required to tag the new disclosures in Inline eXtensible Business Reporting Language (Inline XBRL) format—which is already part of certain other disclosure mandates—to “enable automated extraction and analysis of the information required by the final rules, allowing investors and other market participants to more efficiently identify responsive disclosure, as well as perform large-scale analysis and comparison of this information across registrants.”
However, the SEC has delayed the date of compliance with these new structured data requirements by one year beyond that of the disclosure requirements.
Effective Dates and Compliance Timing
The SEC’s new rules went into effect September 5, 2023—30 days after being published in the Federal Register. However, certain compliance deadlines vary for smaller reporting companies (those with less than US$250 million in stock owned by public investors, or those with less than $100 million annual revenue and less than $700 million in stock owned by public investors).
The compliance timelines are as follows:
- Companies must comply with Item 1.05 of Form 8-K within 90 days of the adopting release’s publication or by December 15, 2023, whichever is later.
- Smaller reporting companies are granted 270 days from the adopting release’s publication, or until June 24, 2024, to comply with Item 1.05 of Form 8-K.
- For Item 106 of Regulation S-K, all companies must commence compliance with their annual reports for fiscal years ending on or after December 15, 2023.
- Structured data requirements apply to all companies one year after the initial compliance date for the corresponding disclosure.
Preparing for Compliance with the New Rules
As your company prepares to accommodate the large and small impacts of the new rules, keep a few key steps in mind:
- Review the new rules with security leads and the teams that manage filings (e.g., audit, finance). Ensure that your disclosure controls line up with the new rules, and create a process that ensures you can promptly make materiality determinations as well as meet the four-business-day deadline for disclosure.
- Make sure your company understands what constitutes “material,” how to determine that threshold, and that it can vary from one incident to another based on qualitative and quantitative impacts such as reputational damage, increased litigation exposure, and more.
- Draft a description of the process for understanding and assessing cyber risk, which may include cyber risk tools, the risks those tools address (e.g., external attack surface or risk of data loss) and the processes different teams follow to mitigate identified risks.
- Engage security and audit leaders to work with the board of directors to create a plan, if you don’t have one already, for how the board will oversee cyber risk. This may include making cybersecurity a permanent topic in QBRs to review risk scores, key risk drivers, mitigation actions, and needed investments.
- Identify and interview board members with cybersecurity expertise to capture and share in annual and proxy filings.
How Can Zscaler Help?
As your company prepares to comply with these regulations, you need a tool that will not only help align your teams and your plans, but also ensure you have complete information for your filings.
Zscaler Risk360™ is a comprehensive and actionable risk framework that delivers powerful cyber risk quantification by ingesting data from your environment. Risk360 offers intuitive visualizations, financial exposure detail, and board-ready reporting, along with detailed, actionable security risk insights to immediately use for mitigation and disclosure.
Risk360 measures cyber risk across key areas of the attack chain:
- External attack surface: See the risk of attackers finding and exploiting weaknesses in your attack surface through an examination of discoverable variables.
- Compromise: Understand and mitigate risk by looking at a broad range of events, security configurations, and traffic flow attributes to compute the likelihood of a compromise.
- Lateral movement: See your risk of lateral threat propagation by examining a range of private access settings and metrics.
- Data loss/exfiltration risk: Analyze and limit the risk of attackers exfiltrating your data.
With a unified dashboard for expansive correlation of risk factors, deep insights into the factors increasing your risk, potential financial impacts, simple reporting, and more, Zscaler Risk360 is the new center of your cyber risk management toolkit.