SEC Cyber Disclosure Rules

Effectively Disclose Critical Cyber Risk Information to Meet SEC Requirements With Our Guide.

The purpose of this guide is to provide a comprehensive understanding of the SEC’s cybersecurity disclosure rules. By outlining the history, current requirements, and best practices for compliance, this guide aims to help:

  • Public Companies: Understand their obligations under SEC regulations and ensure accurate and timely disclosure of cybersecurity incidents.
  • Investors: Gain insights into companies' management and disclosure of cybersecurity risks, aiding better investment decisions.
  • Legal and Compliance Professionals: Support compliance by understanding the nuances of SEC regulations and disclosure requirements.

SEC Regulatory Background and Evolution

The SEC’s involvement in cybersecurity dates back to the early 2000s, and it has evolved over time to address emerging threats and risks.

Regulation S-P (2000) required financial institutions to safeguard customer information and provide privacy notices. This regulation focuses on protecting customer financial information and requires implementing policies and procedures to safeguard customer data.

SEC’s Initial Cybersecurity Guidance (2011) highlighted the importance of disclosing material cybersecurity risks and incidents. It emphasized that public companies should consider cybersecurity implications in risk factors, MD&A, and legal proceedings.

Regulation S-ID (Identity Theft Red Flags Rule): This regulation applies to financial institutions and creditors to detect and mitigate identity theft. It requires implementing an identity theft prevention program focused on identifying and mitigating potential risks related to identity theft.

SEC’s Updated Cybersecurity Guidance (2018): Reinforced the need for timely and accurate disclosure of cybersecurity risks and incidents. This guidance stressed the importance of board oversight and management’s involvement in cybersecurity. The update encourages disclosing material cybersecurity risks and incidents and emphasizes proper risk factor disclosures and the board's oversight role.

SEC Proposed Rules and Recent Regulatory Updates

Proposed Rules on Cyber Incident Reporting required public companies to report material cybersecurity incidents on Form 8-K within four business days. Companies must also provide periodic disclosures regarding cybersecurity risk management, governance, and prior incidents.

Understanding SEC Cyber Disclosure Rules - Materiality and Reporting Obligations

A cybersecurity incident is considered material if it is likely to affect an investor’s decision-making. Factors affecting materiality include the incident's magnitude, impact on operations, legal implications, and reputational damage. The expected implications of the new requirements are increased transparency and consistency in reporting cybersecurity risks and incidents, and higher accountability for companies in managing cybersecurity threats and informing stakeholders.

Reporting Obligations:

  • Form 8-K: Report material cybersecurity incidents within four business days of determination.
  • Periodic Filings (10-Q, 10-K): Include updates on previously reported incidents.
  • Disclose cybersecurity risks, risk management practices, and governance.

Cyber Risk Management and Governance Disclosures

  • Risk Management Policies and Procedures:
    • Describe cybersecurity risk management strategies, policies, and controls.
    • Disclose detection, mitigation, and response measures.
  • Governance Oversight of Cybersecurity:
    • Provide information on the board's role in overseeing cybersecurity.
    • Include management’s involvement in risk management and cybersecurity oversight.

Key Elements of an SEC Cyber Disclosure

Timeliness and Accuracy of Incident Disclosure. This includes submitting a Form 8-K to ensure timely and accurate disclosure of material cybersecurity incidents within four business days. Organizations must also use Forms 10-Q and 10-K to disclose updates on previously reported incidents in periodic filings.

Form 8-K Reporting Requirements:

  • Detailed description of the incident, scope, and impact on business operations.
  • Actions taken to mitigate or contain the incident.
  • Potential legal, financial, and reputational implications.

Risk Factor Disclosures

Security and Risk teams must regularly assess the organization’s cyber risk posture and prioritize security initiatives accordingly. This includes disclosing risks affecting the company's financial position or operations.

  • Effective risk factor disclosures include clearly articulating specific cybersecurity risks (ransomware, supply chain vulnerabilities, etc.) and tailored language reflecting the organization's unique risk posture and relevant threat information.

Cybersecurity Board Oversight and Governance

Organizations must provide information on the board’s involvement in overseeing cybersecurity strategies and risks per SEC requirements. This includes disclosing specific committees or directors responsible for cybersecurity oversight.

  • Effective Governance Structures and Practices:
    • Implement a clear governance structure with defined roles and responsibilities.
    • Foster collaboration between the board, management, and cybersecurity teams.

Preparing for SEC Cyber Disclosures

There are a few essential steps in preparing for SEC cyber disclosures; these include developing a comprehensive Incident Response Plan (IRP) and establishing a cross-functional Incident Response Team (IRT).

Part of the preparation is outlining clear steps for detecting, containing, eradicating, and recovering from cyber incidents. Meeting the SEC rules also includes regular communication protocols for internal and external stakeholders.

To maintain accurate documentation for disclosures, create a centralized incident log documenting incident details, impact, and response actions. Preserve forensic evidence and records of communications with stakeholders and regulators.

Coordination Between IT, Legal, Compliance, and Executive Teams

Effectively meeting the SEC requirements necessitates collaboration across the organization. Ensure legal and compliance teams are involved in the incident response process. Leaders must assign clear roles and responsibilities across departments.

Best Practices for Effective Cyber Risk Disclosures

  • Regular Risk Assessments and Vulnerability Management:
    • Conduct regular cyber risk assessments to identify and prioritize cybersecurity risks. Implement a vulnerability management program to continuously monitor and address threats.
