Time is quickly running out for public companies to implement policies and practices to comply with the Securities and Exchange Commission’s (SEC) newly approved cybersecurity incident disclosure rule. This 186-page final rule aims to provide more information about significant cybersecurity incidents in a faster manner.
In this article, we will delve into the SEC’s game-changing four-day rule for cybersecurity reporting and how to ensure compliance. Learn how to safeguard your business and respond swiftly to cyber threats under these crucial SEC cybersecurity rules.
1. The importance of SEC Cybersecutity Rules
2. Overview of the disclosures required
3. Examples of a material impact on a company
4. Diving deeper into forms and timelines
5. How can organizations comply with the four-day rule
The importance of SEC Cybersecurity Rules
On July 26, 2023, the SEC adopted final rules regarding cybersecurity disclosure that should be of interest to every public company.
In response to the ever-growing importance of cybersecurity, the Securities and Exchange Commission (SEC) has been diligently prioritizing the disclosure of cybersecurity risks since 2011 and 2018. Recognizing the urgent need to bolster efforts in this area, the SEC has recently adopted new rules designed to revolutionize and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incidents for public companies.
Under these newly implemented regulations, public companies are now obligated to timely disclose the nature, scope, timing, and impact of cybersecurity incidents considered to be material. In an effort to ensure transparency and protect investors, this disclosure must be made within a strict timeframe of just four business days.
Get ready for a game-changing upgrade to cybersecurity reporting. The new four-day rule is set to revolutionize the way businesses handle breach disclosures, significantly reducing response time and ensuring compliance across all jurisdictions.
Unlike the current maze of state and federal reporting rules, the four-day rule guarantees accelerated public breach disclosures. This means that companies will now be able to inform the public about cybersecurity incidents weeks faster than ever before.
But that’s not all - the compliance date is just around the corner. Large companies may soon be required to implement the new reporting framework as early as December. Meanwhile, smaller reporting companies have been granted an additional 180 days to comply, allowing them ample time to transition smoothly.
This groundbreaking rule, proposed in March 2022 and recently adopted, has garnered significant attention for its relatively short timeline. Businesses now face the challenge of swiftly grasping the full extent of a cybersecurity incident, such as a data breach.
Overview of the disclosures required:
Within four business days of determining a cybersecurity incident was material, a registrant must disclose the material aspects of the incident’s nature, scope, and timing, and material impact or reasonably likely material impact on the registrant, including on its financial condition and results of operation.
A registrant may delay filing if the US Attorney General determines immediate disclosure would pose a substantial risk to national security or public safety.
Registrants must describe their processes, if any, for the assessment, identification, and management of material risks from cybersecurity threats and describe whether any risks from cybersecurity threats have materially affected or are reasonably likely to materially affect their business strategy, results of operations, or financial condition.
Registrants must describe the board’s oversight of risks from cybersecurity threats and describe management’s role in assessing and managing material risks from cybersecurity threats.
The SEC cybersecurity rules also require public companies to disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance.
By enforcing these rules, the SEC aims to empower public companies to enhance their cybersecurity protocols and keep stakeholders well-informed about critical cyber incidents. This shift towards increased transparency and accountability reflects the SEC’s commitment to creating a robust and secure marketplace.
In an era where cyber threats pose significant risks to businesses of all sizes, the SEC’s initiative stands as a game-changer, emphasizing the vital importance of proactive cybersecurity measures and strategic risk management across the corporate landscape.
“Currently, many public companies provide cybersecurity disclosure to investors,” said SEC Chair Gary Gensler in a press release. “I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”
The SEC said it was streamlining the requirement to focus the disclosure primarily on the impacts of a material incident rather than on requiring details regarding the incident itself. The company must describe the material aspects of the nature, scope, and timing of the incident and the material impact on the company, including its financial condition.
Examples of a material impact on a company are:
- harm to a company’s reputation, customer or vendor relationships, or
- competitiveness; and the possibility of litigation or regulatory investigations or actions, including regulatory actions by state and federal governmental authorities.
The Securities and Exchange Commission (SEC) is implementing the new rules to enhance cybersecurity disclosure and oversight. One key aspect of these rules is the concept of materiality, where disclosure begins once the business considers an incident significant. The SEC emphasizes the importance of making this determination “without unreasonable delay.” The disclosure will be made through a new Form 8-K item.
In cases where the U.S. attorney general identifies national safety risks, delays in disclosure may be granted, as noted by the SEC.
Another regulation, known as Regulation S-K, will require registrants to describe their processes for identifying and managing material risks from cybersecurity threats. This regulation will also highlight the role of boards of directors and management in overseeing the handling of cyber risks.
Additionally, the SEC is proposing two other rules. One focuses on evaluating whether using data analytics technologies in investor interactions presents a conflict of interest for broker-dealers and investment advisers. The other rule aims to modernize the registration process for internet-based advisers with the commission.
To gather input and feedback from stakeholders, each proposal will undergo a 60-day comment period following publication in the Federal Register.
SEC Cybersecurity Rules - Diving deeper into forms and timelines.
The final rules will become effective on August 25, 2023. The Form 8-K and Form 6-K reporting requirements will apply to cybersecurity incidents occurring on or after December 18, 2023, except for smaller reporting companies, which will only have to disclose incidents under Item 1.05 on June 15, 2024. The annual reporting requirement on Form 10-K or 20-F applies to all registrants and will take effect for fiscal years ending on or after December 15, 2023.
The final rules adopted will require current reporting on Form 8-K (or Form 6-K for foreign private issuers) for material cybersecurity events and an annual disclosure on Form 10-K (or Form 20-F for foreign private issuers) about corporate risk management, strategy, and governance of cybersecurity. Quarterly disclosure under Form 10-Q is no longer mandatory, as it was per the proposed rules, and there is no longer a requirement to identify a board cybersecurity expert.
The final rule will require registrants to determine the materiality of these cybersecurity incidents “without unreasonable delay” after discovering the incident. If the incident is determined to be material, registrants will have four business days to report it.
Registrants will be allowed limited leeway in making their materiality determination to avoid premature disclosure, except for rare cases where the disclosures pose a substantial risk to national security or public safety. The untimely filing of an Item 1.05 Form 8-K will not affect a registrant’s Form S-3 eligibility.
How can my organization comply with the four-day rule?
Rapid response and remediation of vulnerabilities:
Unlike other solutions focused on the software supply chain, MergeBase provides Dynamic Application Surveillance and Hardening, facilitating an immediate response and remediation of vulnerabilities. This enables you to swiftly react and respond with immediate remediation and the disclosures required by the new SEC guidelines.
Quick disclosure:
MergeBase’s solution also provides precise and rapid information on the impact of a vulnerability and attack. This information is essential to facilitate speedy disclosure per the SEC’s timeline.
“Besides implementing a rigorous SCA process, have a crisis management plan involving your Technical, HR, and Marketing teams so that you can rapidly and seamlessly mobilize when experiencing a security breach.” Oscar van der Meer, CEO of Mergebase said.
“The communication skills of HR and Marketing play a key role in bridging leadership, employees, and your clients. HR’s knowledge of sensitive worker data, combined with Marketing’s expertise in customer experience, are powerful and effective alleys managing the message. And, make sure you test your crisis management plan to identify critical weak spots and work out the kinks before you need to activate it.”
The best scenario is prevention
Ready to take your cybersecurity reporting to the next level? Embrace the four-day rule and stay ahead of the game in safeguarding your business and earning the trust of your stakeholders.
Mergebase focuses on securing the software supply chain, helping to prevent data breaches from occurring in the first place. By focusing on the roots of many modern threats, companies can effectively minimize their exposure to potential breaches.
“The new SEC guidelines have significantly altered the landscape for businesses, placing an increased emphasis on swift action and disclosure in the face of data breaches.” Kelly West, CTO of Mergebase, said.
“Understanding the risks and having the right solutions in place, companies can successfully navigate these changes. Software supply chain risks continue to grow, and proactive security measures like those offered by MergeBase will become increasingly crucial. The new era of data security calls for a proactive, informed, and responsive approach, with a keen eye on the sources of threats in our increasingly interconnected digital landscape.”
