The U.S. Securities and Exchange Commission (SEC) recently adopted rules requiring that public companies disclose material cybersecurity incidents they experience within four business days. Once a company determines an incident is material, they have four business days to disclose it using the new Item 1.05 of Form 8-K.
The company must describe the material aspects of the nature, timing, and scope of the incident, and its material effects (or reasonably likely material effects) on the company, according to an SEC press release.
The rule's title is Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure. Experts call it the SEC cybersecurity rules or the rule. All references to such terms mean the same SEC rule.
According to the SEC release, the rule requires companies to use the new Regulation S-K Item 106 to describe how they assess, identify, and manage material risks from cybersecurity threats. Item 106 must include the material effects of the risks, as well as information documenting previous cybersecurity incidents.
A company's submission of Item 106 must describe the board of directors' oversight of risks from cybersecurity threats. It must describe management's role and expertise, including those of the C-suite, in assessing and managing material risks. In addition to reporting cybersecurity incidents promptly, the rule requires Item 106 disclosures yearly in the company's annual report (Form 10-K), according to the SEC release.
The Internet is abuzz with discussion of the effects of the rules on companies, their management, boards of directors, and cybersecurity.
SEC chairman Gary Gensler said in the SEC press release announcing the rule that companies and investors would benefit when companies make cybersecurity disclosures in a more consistent, comparable, and decision-useful way.
The rule's goal is to provide information that shareholders should have when making investment decisions. The rule could enable companies to learn from attacks and from response techniques used by peer organizations more quickly.
However, companies will face difficulties coping with the rule and its four-day disclosure requirement.
According to Ken Deitz, CSO/CISO of cybersecurity company SecureWorks, cybersecurity incidents are messy. Evaluating an incident after the fact differs significantly from disclosing potential effects while investigation and containment are ongoing.
According to Deitz, company performance on timely disclosures will be a mixed bag, and there will be an adjustment period while companies struggle to find what the SEC and the market want.
Four days may sound like an extremely short period of time, especially when compared to the weeks and months it has taken some companies to disclose cybersecurity events and breaches. However, it is essential to understand what the rule says about the four-day deadline, and the options for extending it.
According to Kim Phan, a partner with national law firm Troutman Pepper, a public company is not required to make cybersecurity disclosures within four business days of the discovery of a cyber incident, but within four business days of the date that the company determines that the cybersecurity incident is material.
The rule provides for a limited delay in the Form 8-K disclosure when it could pose a substantial risk to national security or public safety, says Phan. However, a company's ability to earn this relief requires the intervention of the U.S. Attorney General, she says.
Whether the cyber incident is material, and how to determine that, is essential to understanding when to disclose it.
According to Phan, in addressing materiality, the SEC cybersecurity rule adopted the long-accepted definition of "materiality" from the U.S. Supreme Court decision on TSC Industries, Inc. v. Northway, Inc. 426 U.S. 438 (1976).
Phan said something is material if there is a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision, or if it would have significantly altered the total mix of information made available.
While public companies have experience applying the TSC v. Northway materiality standard, many companies may be uncomfortable applying these standards to a cybersecurity incident, Phan says.
Companies will have to interpret the standard. According to Deitz, companies will attempt to define materiality themselves, with guidance from internal and external counsel. "They will most likely publish their definition of materiality in their annual 10-K filing," he says.
Lawsuits will probably follow. According to Deitz, it will be interesting to see how many ways companies attempt to determine materiality. "However, the SEC and the public will have the final say via lawsuits," says Deitz. According to Deitz, some companies will go to court, suing both shareholders and the SEC, before we get a well-accepted definition of what is to be considered material.
The yearly disclosures could reveal how vital cybersecurity is to an organization. According to Deitz, company disclosures of risk management processes could tell us how mature those processes are and how highly the companies prioritize them in the overall function of the company.
The disclosures also will show how companies are strong, or fall short, with regard to cybersecurity. According to Jim Hyman, CEO of Ordr, a connected device cybersecurity company, some companies have vague and demonstratively weak cybersecurity plans and experience frequent victimization in attacks and breaches. Watchdogs will hold those companies accountable, he says.
The SEC rule holds C-suites and boards accountable for cybersecurity. Boards of directors must exercise oversight of cybersecurity risks. "Boards have taken an increased role in overseeing a company's cybersecurity policies and programs. They are actively looking for board members experienced with cybersecurity matters as cybersecurity requirements have become more detailed and demanding and the threats have grown," says Phan.
According to Alexander Koskey, co-chair of Baker Donelson's financial services cybersecurity and data privacy team, most boards have increased their oversight of cybersecurity risks by receiving cyber-threat training and periodic reports from executives to understand the developing threat landscape.
Meanwhile, the C-suite's role in managing material cybersecurity risks varies widely, as does their expertise. According to Hyman, there is no clear understanding of the C-suite's roles, but there is growing case law (notably former security chief Joe Sullivan's criminal conviction following the 2016 data breach at Uber) that suggests the courts are moving to define their cybersecurity roles. "Bottom line, the C-suite and corporate boards should take this seriously," says Hyman.
Beyond shareholders' scrutiny of public companies, there's the matter of whether the SEC rule will improve cybersecurity or merely burden companies further, creating more issues than it solves.
According to Phan, the rule attempts to focus disclosures on the material effects of a cybersecurity incident, rather than requiring extensive details about the incident itself, which critics of the rule argued that malicious actors could misuse.
According to Koskey, while the new rules will probably stress companies in the short term, those rules should promote better cyber hygiene. The rules could become the benchmark for future cybersecurity regulations, he says.
The reputational and financial effects of the SEC rule will vary depending on the sophistication of a company's cybersecurity capabilities. "Companies that are less mature can expect to have large reputational effects and larger financial effects from the disclosure of an incident," Deitz says.
David Geer is a journalist who focuses on issues related to cybersecurity. He writes from Cleveland, OH, USA.
No entries found