SEC Cybersecurity Disclosure Rule
Cyber Reporting and Incident Transparency
The Securities and Exchange Commission announced a final rule requiring registered companies to disclose material cybersecurity incidents they experience and to disclose on an annual basis material information related to cybersecurity risk management, strategy, and governance.
Effective on or after December 18, 2023, SEC regulators are requesting clear, documented evidence of how companies conduct cybersecurity materiality assessments and they’re leaving it up to each organization to define for themselves what constitutes material harm and which incidents rise to the level of disclosure.
While not the first of its kind, this regulation creates a new challenge for legal, compliance, and security teams when it comes to creating actionable plans for compliance. For public companies that have not developed mature and transparent cybersecurity processes, the key to streamlining reporting processes could lie in the privacy playbook.
The State of Cybersecurity Notification Regulation
While voluntary compliance with standards such as SOC 2 or ISO 27001 can help companies prevent a breach, cyber-attacks have increased both in frequency and severity, and regulators have noticed.
The U.S. federal government has joined 156 countries that have enacted cybercrime legislation, and at least 25 states have enacted laws that address cybersecurity concerns by requiring disclosure of material incidents.
At the industry level, this SEC rule follows the FDIC’s Computer-Security Incident Notification rule. However, while the FDIC rule requires notification to regulators in just 36 hours following an incident, the SEC rule increases the timeline to four days.
Following GDPR’s precedent, the SEC rule seems to suggest that regulators are requesting accountability and transparency of organizations that manage security incidents.
“I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them,” said SEC Chair Gary Gensler.
For privacy professionals, this compounding of incident notification is no new challenge. Much like the evolution of privacy laws, cyber incident reporting has shifted from statutory to actionable, from inconsistent and incomplete to “decision-useful.”
Like data privacy regulations, the SEC rule requires some analysis by organizations before it becomes actionable. In the ruling, the SEC asks organizations to report material incidents but does not define what constitutes “material harm” or provide criteria for notification obligations.
That’s because “materiality” is based on each organization’s unique definition of risk. To determine an incident’s capacity for material harm, each organization must first have a working process that defines the severity thresholds against which each incident is qualified and records how stakeholders were involved in the decision. Per the SEC:
“The new rules also add Regulation S-K Item 106, which will require registrants to describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, as well as the material effects or reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents. Item 106 will also require registrants to describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats.”
For more on defining materiality, see PwC’s Eight Questions to Answer for SEC Cyber disclosure success.
Ultimately, the SEC is requesting that organizations document and demonstrate a consistent process for disclosure decision-making. For organizations that have built cyber maturity to scale with regulatory obligations, the need for the digital transformation of cybersecurity decisioning processes is paramount.
Around the world, data privacy laws have risen at impressive rates to protect citizens. In 2023, cybersecurity regulations appear to be following the privacy path, potentially creating a new patchwork of notification laws for organizations to abide by.
For organizations that are using manual processes to track incident materiality assessment, decisioning, and incident management, the SEC ruling provides an opportunity to connect incident management teams, streamline decisioning processes, and bring a new level of consistency and transparency to an increasingly regulated process.
In the age of proliferating cyber regulation, organizations require a scalable solution for complying with cybersecurity incident notification rules, data breach regulations, and consumer protection laws.
Adopting such solutions is only one small step toward creating a company culture that values and prioritizes safe data management practices. While cyber laws continue to develop and evolve, organizations must be proactive in their approach to incident management in order to maintain compliance with regulators and to protect individuals’ data.
For consumers, the way organizations manage and protect their data can make or break lifelong customer relationships. For organizations that have invested heavily in cybersecurity and data breach prevention, it’s clear that the future of data protection and customer relationship-building lies in transparency and accountability. Take action to prioritize your customers now and they’ll repay you in the long run.