In July 2023, the U.S. Securities and Exchange Commission introduced the Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies rules to improve resilience and transparency in processes related to cybersecurity, risk management, and governance. These rules came into effect in December 2023 and applied to publicly traded companies. A year on, it is important to understand their strategic implications and how organizations are navigating the evolving compliance landscape.
The SEC cybersecurity rules required publicly traded companies to disclose material cybersecurity incidents on Form 8-K within four business days of determining materiality. They also had to provide detailed information on their cybersecurity risk management strategy and governance in their annual reports on Form 10-K. The aim was to ensure that investors and other key stakeholders had clear information on how companies were managing cybersecurity threats and handling incidents. This aligned with the SEC’s mandate of protecting investors and maintaining free markets.
(Read our blog for a comprehensive mapping of how we can help you achieve compliance with the various aspects mandated by the SEC Rules.)
The SEC cybersecurity rules set down conditions that were unprecedented, causing some business leaders to be apprehensive about compliance measures. Adding to the challenge, the rules did not clearly define “materiality.” They only established qualitative factors such as harm to organizational reputation, damage to customer and partner relationships, and the possibility of legal or regulatory action and investigations. This left the concept of materiality open to interpretation, creating a risk of compliance gaps.
Some of the terms were also difficult to implement. Form 10-K caused some confusion, as the rules did not specify how much information had to be disclosed, or how detailed the disclosure had to be to ensure transparency. The 8-K had to be filed when materiality was determined, not when an incident was detected. But materiality had to be determined without unreasonable delay after the incident was discovered, and the determination could not be postponed until the impact of an incident was evident. This put organizations under significant pressure to assess materiality quickly, not just in terms of immediate impact but anticipated future impact as well. And while mitigating a cybersecurity incident can be time consuming, the SEC’s rules required organizations to report incidents once materiality was determined, even if the incident had not been fully resolved. Revealing details about an incident before it is fully addressed opens up the risk of future cyberattacks following the same pattern.
This lack of clarity led to organizations reporting non-material incidents under the wrong items. As a result, in May 2024, the SEC issued further guidance on the disclosure of cybersecurity incidents under Form 8-K.
(Read our blog that dives into what “material” means, including examples of quantitative and qualitative factors that companies should consider when assessing the materiality of a cyber incident.)
Last year, the SEC filed a lawsuit against SolarWinds, accusing the company of misleading its shareholders about cybersecurity vulnerabilities and the risk of Russian-linked hackers breaching its systems. This was the first case of the SEC filing civil fraud charges against a publicly traded company that had faced a cyberattack. During the investigation, the SEC learned that four other companies had been attacked by the same threat actor but had downplayed the incidents in their SEC filings. It penalized the four companies almost USD 7 million for providing materially ambiguous disclosures about risks and breaches. The charges fell under two categories: not revealing complete material information about cyberattacks despite making disclosures (Avaya Holdings Corp. and Mimecast Limited), and not updating risk factors after a cyberattack (Check Point Software Technologies Ltd. and Unisys Corporation). But in July 2024, a federal judge dismissed part of the case against SolarWinds, stating that some of the claims were grounded in "hindsight and speculation."
Currently, the SEC does not impose any additional penalties on organizations for failing to meet the four-day deadline for determining materiality and reporting incidents. So far, the SEC has imposed only one fine of this kind: USD 10 million on Intercontinental Exchange and nine of its affiliates for not disclosing a cyber intrusion within the stipulated period.
The SEC’s focus on cybersecurity reflects a growing understanding of how cyber threats can damage a company’s business and reputation in addition to its financial health. The rules are also forcing organizations to re-assess the “materiality” of cyber incidents, and to revise the ways incidents are analyzed, documented and disclosed. And given the requirement to disclose material incidents within four days, organizations are trying to strike a balance between complying with the rules and minimizing the risk of giving out too much information too early.
The SEC’s focus on cybersecurity disclosures will only intensify over the next year. Organizations must ensure thorough quantitative and qualitative assessment of incidents before disclosure, with a strong focus on correctly evaluating materiality. Ongoing monitoring of incidents, and updating of SEC filings in case of any material developments, is important. Risk factors detailed in disclosures must accurately present actual risks, not hypothetical ones, and must be updated with information on material incidents. And companies must strengthen their disclosure and escalation processes to ensure effective incident response as well as compliance.
Good governance and oversight are crucial, and organizations must review their incident response plans so they can quickly assess materiality and meet reporting obligations. Board directors must understand the full extent of the cyber risks facing the company and their impact. Their involvement is crucial for ensuring compliance with the SEC’s cyber rules as well as for managing cyber risks. Board oversight responsibilities must be clearly defined, and the board must be kept informed on risks, incidents and readiness. Organizations must work closely with their legal teams to draft accurate disclosures and prepare annual reports that capture processes and oversight that may still be evolving. Organizations need a robust technology foundation not only to identify incidents quickly, but also to ensure error-free reporting and disclosures.
The SEC cybersecurity rules reflect an increasing understanding of cyber resilience and the severity of cyber risks. The first year saw definite action against organizations that did not comply with the requirements, as well as a streamlining of corporate efforts to ensure accurate reporting and disclosures. With the right technology platform in place, compliance with the SEC’s cybersecurity rules in the years to come should be error-free, seamless, and accurate.
MetricStream’s CyberGRC solution can help you streamline your cyber risk management program and achieve compliance with the various aspects mandated by the SEC Rules, including:
Interested to know more? Request a personalized demo.
Download eBook: Overview of SEC Cyber Disclosure Rules 2023
View Infographic: SEC’s New Cybersecurity Rules 2023: Top FAQs Answered