September 8, 2023
Dean Flores
Principal, Risk Advisory Services Leader
Atlanta, GA

What to Know About the Final SEC Cybersecurity Disclosure Rule
The Securities and Exchange Commission (SEC) adopted a final cybersecurity disclosure rule on July 26, 2023, requiring registrants to disclose cybersecurity incidents as well as how they protect against cyber risks. The three distinct disclosure requirements within the SEC rule are:
- Governance
- Risk management and strategy
- Material cybersecurity incidents
We’ve summarized where companies should focus their disclosure efforts based on these three requirements.
Governance
Regarding governance, the new disclosure rules require registrants to describe the board of directors’ oversight of risks from cybersecurity threats and management’s role in handling any material risks from cybersecurity threats. This information should articulate what management positions or committees are responsible for assessing and managing such risks, with their expertise fully described. The disclosures should also describe the processes used to monitor the prevention, detection, mitigation and remediation of cybersecurity incidents, and whether this information is reported to the board of directors or a committee/subcommittee of the board.
Risk management and strategy
Registrants must describe their processes for the assessment, identification and management of material risks from cybersecurity threats, and they are to describe whether any risks from cybersecurity threats have already impacted or have the potential to materially affect their business strategy, operations or financials. The disclosures should address how the cybersecurity processes have been integrated into the registrant’s overall risk management system or processes, how much of the cybersecurity capacity is handled in-house or is outsourced and whether the registrant has processes in place to oversee and identify material risks from threats associated with any use of a third-party service provider. Essentially, registrants should disclose any information necessary for investors to understand their cybersecurity risk management processes.
Material cybersecurity incidents
Material incident disclosures will require management to maintain and test an incident response plan in order to identify, contain and recover from incidents, as well as assess the impact, or potential impact, on the company. Current plans should follow an industry-recognized process such as the four-part National Institute of Standards and Technology (NIST) Incident Response Cycle, whose steps are the following:
- Preparation
- Detection and Analysis
- Containment, Eradication, and Recovery
- Post-Incident Activity
The final rule states that registrants should describe and disclose any cybersecurity incident that is determined to be material, including the nature, scope, timing and any current or potential impact. Because of this requirement, a company’s cybersecurity incident response plan should also be updated to include criteria for assessing the materiality of an incident both qualitatively and quantitatively. Companies should determine specific qualitative metrics like reputational and operational impacts, as well as quantitative metrics like financial and operational effects. The incident disclosure may necessitate a discussion regarding data theft, asset loss, intellectual property loss, reputational damage or business value loss, as registrants will need to make those determinations as part of their materiality analyses.
Form 8-K Item 1.05 must be filed within four business days of determining that an incident was material. Registrants may be allowed to delay filing if the U.S. Attorney General determines that immediate disclosure would present a significant risk to national security or public safety. Registrants must amend a prior Form 8-K Item 1.05 to disclose any information called for in Item 1.05(a) that was not determined or was unavailable at the time of the initial Form 8-K filing. The bar for delaying a filing is set very high. Most registrants should be prepared to file Form 8-K Item 1.05 within four business days unless they have been actively collaborating with the U.S. Attorney General since the outset of the incident in support of national security or public safety.
Why companies need a robust cybersecurity plan
Companies will benefit from having a robust cybersecurity governance and risk management process to establish investor confidence through trust and transparency. This can be accomplished by the following:
- Adopting an industry-recognized cybersecurity framework, such as NIST CSF or ISO 27001.
- Establishing formal policies and a strategic roadmap for your organization.
- Designating responsibility and authority to implement cybersecurity practices based on management’s risk tolerances.
- Ensuring that management has adequate information to understand and monitor cybersecurity risks.
Third-party cybersecurity assessments and monitoring can also provide management with the necessary insight to make decisions regarding cybersecurity as well as build trust with investors. Such independent third parties can inform management regarding the current state of the company’s cybersecurity posture and associated cyber risks, as well as refresh your current plan to accommodate the new SEC disclosure requirements.
Windham Brannon’s cybersecurity practice is well-versed in helping companies assess and establish effective cybersecurity measures to protect their assets. For more information about the final SEC disclosure requirements or to conduct an assessment of your current cybersecurity strategy, reach out to your Windham Brannon advisor or contact Dean Flores.
