SEC Adopts New Cybersecurity Rules for Public Companies
On July 26, the Securities and Exchange Commission (SEC) voted to adopt new requirements for how public companies manage and report cybersecurity incidents and strategy. These rules are narrow and technical in scope, pertaining solely to public companies. Below are a few key takeaways from the ruling.
Takeaways:
- Companies must report material cybersecurity incidents on Form 8-K within 4 business days of determining an incident is material. An extension of 30 days can be granted if the U.S. Attorney General determines the incident may pose a national security issue.
This disclosure requirement is designed to protect investors from the negative effects of a cybersecurity breach. Companies will have to plan ahead to develop and test their incident response and notification procedures, in order to meet the 4 business days deadline. It is also worth defining what “material” means – it is an incident that might have a significant financial or operational impact on the company.
- Any material changes or updates related to a previously reported cybersecurity incident must be disclosed in quarterly or annual reports.
Cybersecurity incidents are often very sophisticated, and investigations take weeks, sometimes longer. This requirement ensures that companies will disclose details discovered after the initial disclosure.
- Companies must describe their policies and procedures for identifying and managing cybersecurity risks in their annual report.
This includes topics like risk assessments, service provider oversight, incident response plans, and the impact of risks on strategy and business planning.
Companies can still rely on service providers to manage their internal cybersecurity practices and programs; this requirement aims to ensure that companies have defined risk management strategies.
- Companies must describe the board of directors’ oversight of cybersecurity risks and management’s role in assessing and managing risks in the annual report.
This requirement solidifies the board of directors’ oversight and responsibility for risks stemming from cybersecurity threats. Through this requirement, the SEC hopes to seek out cyber expertise for companies’ board of directors, as right of now this role is often missing on the board and can help expedite and manage security challenges.
Effective dates:
The material incident disclosure requirements will be effective on or after December 18, 2023 (issuers meeting the definition of a “smaller reporting company” have a 180-day deferral).
Disclosures for risk management, strategy and governance would be effective for all registrants for fiscal years ending on or after December 15, 2023.
What should companies do now?
- Public companies should test and improve their incident response plans, with special attention to important notifications required by this new rule.
- Companies should also consider the “me too” effect and imagine how it could be affected by most recent incidents reported in the news. Real world incidents make a great tabletop incident response scenario.
A copy of the final rules, which will become effective 30 days following publication of the adopting release in the Federal Register, can be found here.
For more information or to discuss these matters further, please contact Pawel Wilczynski at 800.244.7444.
Disclaimer of Liability: This publication is intended to provide general information to our clients and friends. It does not constitute accounting, tax, investment, or legal advice; nor is it intended to convey a thorough treatment of the subject matter.