New SEC Rules around Cybersecurity Incident Disclosures

The US Securities and Exchange Commission adopted final rules around the disclosure of cybersecurity incidents. There are two basic rules:

  1. Public companies must “disclose any cybersecurity incident they determine to be material” within four days, with potential delays if there is a national security risk.
  2. Public companies must “describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats” in their annual filings.

The rules go into effect this December.

In an email newsletter, Melissa Hathaway wrote:

Now that the rule is final, companies have approximately six months to one year to document and operationalize the policies and procedures for the identification and management of cybersecurity (information security/privacy) risks. Continuous assessment of the risk reduction activities should be elevated within an enterprise risk management framework and process. Good governance mechanisms delineate the accountability and responsibility for ensuring successful execution, while actionable, repeatable, meaningful, and time-dependent metrics or key performance indicators (KPI) should be used to reinforce realistic objectives and timelines. Management should assess the competency of the personnel responsible for implementing these policies and be ready to identify these people (by name) in their annual filing.

News article.

Posted on August 2, 2023 at 7:04 AM

Comments

John Tillotson August 2, 2023 7:27 AM

“…identify these people (by name) in their annual filing.” just means that they are identifying the designated scapegoats up front.

jbmartin6 August 2, 2023 8:15 AM

Likely the ‘describe their processes’ aspect will just become meaningless AI-written text, just like ‘we take cybersecurity very seriously at (just been breached).com’

GregW August 2, 2023 9:28 AM

Please lay out for the public who should be targeted in your org for social engineering under penalty of shareholder misrepresentation.

That way we ensure that actual people named must be political figureheads and not those with actual access to do or see or analyze anything.

Ted August 2, 2023 10:16 AM

SEC Chair Gensler notably reiterates:

…the disclosure obligation will arise only after the company determines a cybersecurity incident was material, not simply after the incident has occurred.

Ted August 2, 2023 10:17 AM

The Final Rule also has some good dialogue on “Definitions.” (See Proposed Definitions, Comments, and Final Definitions, page 71.) With regards to the materiality of an incident that “jeopardizes” a registrant’s info:

… a company whose intellectual property is stolen may not suffer harm immediately, but it may foresee that harm will likely occur over time as that information is sold to other parties… In such circumstances, we believe investors should be apprised of the material effects of the incident.

Footnote 134 seems to leave open who should make the materiality determination.

We note that Form 8-K Item 1.05 does not specify whether the materiality determination should be performed by the board, a board committee, or one or more officers. The company may establish a policy tasking one or more persons to make the materiality determination…

TimH August 2, 2023 11:08 AM

“New Form 8-K Item 1.05 will require registrants to disclose any cybersecurity incident they determine to be material”.

Can drive a truck through “they determine to be material”.

“New Regulation S-K Item 106 will require registrants to describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats”.

“If any”. So not obligatory.

No mention of penalties in the 2-pager either.

SecNerd August 2, 2023 1:14 PM

I love it when they tell us to record and report on metrics and KPIs, but they don’t tell us WHAT they should be. I’ve heard that one before (rolls eyes). Management want metrics but they have literally no idea what to do with them. Metrics good.

Vic August 2, 2023 4:37 PM

@SecNerd:

Last year the Federal 5th Circuit Court of Appeals ruled the SEC is denying defendants their constitutional right to a jury trial by putting them in front of its own internal SEC ‘judges’.

Federal Judge Jennifer Walker Elrod wrote in the majority opinion that the SEC violated the Seventh Amendment’s right to a jury trial by bringing defendants before in-house judges and allowing the SEC agency to “act as both prosecutor and judge.”

Congress also unconstitutionally delegated power to the SEC to act as a legislative body, Elrod wrote.

“‘We the People’ are the fountainhead of all government power. Through the Constitution, the people delegated some of that power to the federal government so that it would protect rights and promote the common good,” Elrod said. “But that accountability evaporates if a person or entity other than Congress exercises legislative power.”

(… in fact, the entire SEC is unconstitutional — and has no legitimate authority to issue ‘Rules’ to anybody)

StephenM August 2, 2023 11:27 PM

To reduce the cited fact sheet:

“The Commission observed that cybersecurity threats and incidents pose an ongoing and escalating risk to public companies, investors, and market participants…”

“New Form … will require registrants to disclose any cybersecurity incident they determine to be material … and describe the material aspects of the nature, scope, and timing of the incident, as well as the material impact … on the registrant, including its financial condition and results of operations…”

“New Regulation S-K Item 106 will require registrants to describe their processes, if any, … as well as whether any risks … have materially affected … the registrant …”

emphasis added

anon August 3, 2023 5:52 AM

“Public companies must “disclose any cybersecurity incident they determine to be material” within four days, with potential delays if there is a national security risk.”

All other companies should have 8 days. The “national security risk” should only give them an additional 4 days.

ResearcherZero August 3, 2023 6:27 AM

https://www.rapid7.com/blog/post/2022/08/23/avoiding-smash-and-grab-under-the-secs-proposed-cyber-rule/

Chris Drake August 21, 2023 5:34 PM

Cute, but, “Public Companies” are not even half the problem.

Australian Signals Directorate discontinued reporting on government intrusions back in 2013 – but their snapshot at that time (see “Cyber Picture 2013”) found that 62% of all successful intrusions were to Government servers. Combined with revelations by the Department of Prime Minister and Cabinet’s cyber strategy of the same year, on page 16, that turned out (on average) to be 4 new intrusions every day, 365 days of the year (with the average time to detect each being 6 months).

A UK government study also found that government under-reports the frequency and severity of attacks on its own systems – the true rate is estimated to be double.

Government needs to get off its high horse, stop covering up its own ineptitude, and stop making rules for “Public Companies” that the Government itself does not ALSO have to abide by!
