The SEC’s New Cybersecurity Rules: Overview and Considerations

Introduction

On July 26, 2023, the U.S. Securities and Exchange Commission (“SEC”) adopted new cybersecurity rules (“Final Rules”) that apply to publicly traded companies (“Registrants”). The Final Rules’ passage marks a long-anticipated change in the regulatory landscape for Registrants as it relates to cybersecurity risk management, strategy, governance and incident disclosures. The Final Rules went into effect on September 5, 2023, and compliance dates began in December 2023. “Smaller reporting companies” have until June 15, 2024, to comply with the incident disclosure requirement (Form 8-K, Item 1.05).

Following the SEC’s adoption of the Final Rules, Registrants must update the disclosures in their annual reports on Form 10-K to address cybersecurity risk management, strategy and governance (Regulation S-K, Item 106) and must report material cybersecurity incidents on Form 8-K (Item 1.05) within four (4) business days after determining that an incident is material, as discussed in more detail below. Registrants are encouraged to evaluate their current programs, policies and procedures regarding cybersecurity risk management and develop plans, where appropriate, to reduce the risk of SEC scrutiny, enforcement action, litigation and negative financial impact.

The Final Rules represent the SEC’s proactive focus on keeping investors informed of the evolving digital threats faced by Registrants of all sizes and industry sectors. To that end, the SEC noted in the Final Rules that investors benefit from a timely, standardized disclosure process and that the pre-existing disclosure practices did not yield consistent and actionable information from Registrants. Importantly, the SEC also stated that it seeks to foreclose any perception that the Final Rules prescribe cybersecurity policy.

Suggested Best Practices for Implementing the Final Rules’ Requirements

  1. Consider the SEC’s Adopted Definitions Related to Key Cybersecurity Terms when Developing Internal Processes for Compliance with the Final Rules

As part of the Final Rules, the SEC adopted definitions for the following key terms:

  • Cybersecurity Incident means an unauthorized occurrence or series of related unauthorized occurrences on, or conducted through, a Registrant’s information system(s) that jeopardizes the confidentiality, integrity or availability of a Registrant’s information systems or any information residing thereon [1].

  • Cybersecurity Threat means any potential unauthorized occurrence on or conducted through a Registrant’s information systems that may result in adverse effects on the confidentiality, integrity or availability of a Registrant’s information systems or any information residing thereon [2].

  • Information Systems means electronic information resources, owned or used by the Registrant, including physical or virtual infrastructure controlled by such information resources, or components thereof, organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of the Registrant’s information to maintain or support the Registrant’s operations [3].

Clearly, the Final Rules place the burden of disclosure on Registrants that buy, lease or otherwise use Information Systems, including physical or virtual infrastructure the Registrant does not own. With that in mind, Registrants should consider creating or confirming a global asset inventory of their devices, software, hosted or virtual infrastructure and other technical assets to identify the systems and data that may be in or out of scope under the Final Rules.

  2. Considerations and Planning Best Practices Following New Item 1.05 of Form 8-K

The Final Rules require Registrants to determine the materiality of a cybersecurity incident “without unreasonable delay” after discovery and to report material incidents on Form 8-K within four (4) business days after making that determination [4]. The four-day clock therefore runs from the materiality determination, not from discovery of the incident, but the determination itself may not be unreasonably delayed.

The Final Rules incorporate the long-established definition of “material” developed in securities case law [5] and federal securities regulation [6]:

“Information is material if there is a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision or if it would have significantly altered the total mix of information available.”

Once an incident is determined to be material, Registrants must disclose the material aspects of its nature, scope and timing, as well as its material impact or reasonably likely material impact on the Registrant, including its financial condition and results of operations. Registrants need not disclose specific or technical information about their planned response to the incident, or about their systems, in such detail as would impede their response to or remediation of the incident.

To best prepare for New Item 1.05, Registrants should consider the following:

  • Incorporate relevant definitions and considerations surrounding the materiality determination process;

  • Conduct regular, and at least annual, cybersecurity tabletop exercises to simulate security incidents and pressure-test the organization’s incident response plans, teams and ability to assess materiality efficiently and in accordance with the clear set of processes outlined in the Registrant’s Incident Response Plan;

  • Develop written examples of material and non-material incidents to guide the organization’s leadership in future decisions. Understanding that every cybersecurity incident is unique and that materiality is inherently subjective, a playbook or other planning document that describes the operational factors, data and systems on which to focus when conducting a materiality analysis may be of critical benefit to the organization;

  • Ensure that appropriate logging and log-retention controls are in place so that the evidence needed to determine the scope of an incident, and therefore its materiality, is not lost; and

  • Formalize a chain of command that will be used to inform the organization’s leadership of an incident’s critical facts as they develop, and ensure consistent information sharing among IT, legal, finance, operations and other departmental stakeholders.

  3. Considerations and Planning Best Practices Following New Item 106 of Regulation S-K

To provide investors with the information necessary to evaluate a Registrant’s cyber governance and security measures, the Final Rules add Item 106 to Regulation S-K, requiring Registrants to disclose certain information regarding their risk management, strategy and governance relating to cybersecurity in their annual reports on Form 10-K (Item 1C). Registrants must now describe the processes, if any, they maintain for “assessing, identifying, and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes.” [7]

Required disclosures include, but are not limited to: (1) whether and how cybersecurity risk processes have been integrated into the Registrant’s overall risk management process; (2) whether the Registrant engages assessors, consultants, auditors or other third parties to assist with the aforementioned risk processes; and (3) whether the Registrant has processes to oversee and identify risks from cybersecurity threats associated with the Registrant’s use of any third-party service provider [8]. Registrants must also describe whether any risks from cybersecurity threats, including those resulting from previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the Registrant, including its business strategy, results of operations or financial condition [9].

Under the requirement that Registrants clearly describe their processes for assessing, identifying and managing material risks from cybersecurity threats in sufficient detail, Registrants should consider the following measures:

  • Regularly audit third-party hardware and software to ensure: (1) the latest software and firmware patches are installed; and (2) wherever possible, multi-factor authentication and/or zero-trust access controls are deployed to protect sensitive data. Registrants should be able to describe the audit procedure in a detailed but clear manner such that a reasonable investor will understand how the process affects the Registrant’s overall security posture.

  • Work closely with the Registrant’s security operations center (SOC) and make use of its SIEM to monitor critical systems and data for indicators of compromise, particularly those identified in publicly available threat intelligence sources.

  • Be prepared to describe, in clear and concise terms:

  1. The vetting processes employed prior to onboarding and the ongoing monitoring/audit programs for the Registrant’s third-party service providers;

  2. How the Registrant has integrated cybersecurity risk management into the business’s overall risk management plan, e.g., discussion of risk register use and resolution of reports throughout the organization; 

  3. How auditors, consultants and other third parties are used to assist with cybersecurity risk management, e.g., an outsourced Security Operations Center or Endpoint Detection and Response tools [10]; and

  4. The processes in place to identify third-party cybersecurity risks, e.g., security scorecards.

  • Consider preparing a written description of the Board of Directors’ oversight of cybersecurity risk well before annual reporting is due, i.e., how often cyber risk reports were provided to the Board, what topics were discussed, and what decisions, if any, were made. Retain any materials developed and shared during Board meetings as evidence that these conversations occurred.

  • Consider other circumstances under which the Registrant has described and disclosed any material business risk, such as to an insurance carrier or other agency partner, and strive for consistency in the level of detail provided in those instances.

  • Document when risks are identified but deemed non-material by the Registrant. Regulators often look favorably upon companies’ commitment to maintaining a formal risk assessment program.

  • Evaluate training and qualifications of personnel in information technology and/or security roles.

  • Determine and document which management committees or positions are responsible for assessing and managing cybersecurity risks.

Conclusion

The Final Rules represent a significant shift toward transparency for SEC Registrants, requiring regulated companies to provide the public with more information about how the organization manages its cyber risk. Registrants must be diligent in their approach to cybersecurity and proactively consider the risks associated with the new, heightened disclosure requirements. By staying abreast of applicable regulatory guidance and continually assessing and enhancing the organization’s incident response preparedness, with guidance and training from experienced cybersecurity counsel, Registrants can comply with the Final Rules and improve their readiness to defend against evolving threats.


To learn more about the Final Rules and how they may affect your organization, please reach out to a Ritter Gallagher attorney at contact@rittergallagher.com

—————————————————————

1) 17 C.F.R. § 229.106(a).
2) Id. (emphasis added).
3) Id. (emphasis added).
4) Registrants may delay disclosure if the U.S. Attorney General determines that such disclosure would pose a substantial risk to national security or public safety.
5) TSC Indus. v. Northway, 426 U.S. 438, 449 (1976); Matrixx Initiatives v. Siracusano, 563 U.S. 27, 38-40 (2011); Basic Inc. v. Levinson, 485 U.S. 224, 236 (1988).
6) 17 C.F.R. § 230.405 (“[T]he term material, when used to qualify a requirement for the furnishing of information as to any subject, limits the information required to those matters to which there is a substantial likelihood that a reasonable investor would attach importance in determining whether to purchase the security registered.”).
7) 17 C.F.R. § 229.106(b)(1).
8) 17 C.F.R. § 229.106(b)(1)(i)-(iii).
9) 17 C.F.R. § 229.106(b)(2).
10) Note that engaging third parties in this manner may affect the attorney-client and work-product privilege protection available for the Registrant’s response to a cybersecurity incident.
