This blog post is co-authored by Seyfarth Shaw and The Chertoff Group and has been cross-posted with permission.

What Happened

On July 26, the U.S. Securities & Exchange Commission (SEC) adopted its Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure final rule on a 3-2 vote. The final rule is a modified version of the SEC’s earlier Notice of Proposed Rulemaking (NPRM) released in March 2022. The final rule formalizes and expands on existing interpretive guidance requiring disclosure of “material” cybersecurity incidents.

What’s Required

Taken together, notwithstanding certain refinements described below, this development occasions a significant expansion of disclosure of a company’s cybersecurity posture to external stakeholders. New requirements include:

  • Current reporting about material cybersecurity incidents. Key requirements include:
    • Determination “without unreasonable delay.” A materiality determination must be made “without unreasonable delay” after discovery of cyber incident.
    • 8-K filing four business days absent U.S. Attorney General determination. Registrants must file an 8-K four business days after determination, absent a determination made by the U.S. Attorney General that disclosure would pose a substantial national security/public safety risk.
    • Content of disclosure. 8-Ks must disclosure: material aspects of the incident’s
      • Nature, scope, and timing; and
      • Impact or reasonable likely impact
    • 8-K amendments. 8-Ks must be amended to disclose information that was not determined or available at the time of the original filing. Registrants are required to disclose new material information within four business days after the information is determined.
  • Periodic reporting on processes for assessing, identifying, and managing material risks from cybersecurity threats. Key periodic disclosure requirements include:
    • Integration of cyber risks into risk management system. Registrants must disclose whether and how cybersecurity processes have been integrated into the registrant’s overall risk management system or processes.
    • Use of cybersecurity assessors, consultants and auditors. Registrants must disclose whether they engage assessors, consultants, auditors, or other third parties in connection with any cybersecurity processes.
    • Third-party risks. Registrants must disclose whether they have processes to oversee and identify cybersecurity risks from cybersecurity threats associated with its use of any third-party service provider.
    • Impact. Registrants must also disclose whether any risks from cybersecurity threats have materially affected or are reasonably likely to materially affect their business strategy, results of operations, or financial condition and if so, how.
  • Board of directors’ oversight of risks from cybersecurity threats. Registrants must also periodically:
    • Identify any board committee or subcommittee responsible for the oversight of risks from cybersecurity threats.
    • Describe the processes by which the board or such committee is informed about such risks.
  • Management’s role in assessing and managing the registrant’s material risks from cybersecurity threats. Registrants must periodically disclose:
    • Whether and which management positions or committees are responsible for measuring and managing cybersecurity risk, specifically the prevention, mitigation, detection, and remediation of cybersecurity incidents.
    • Relevant expertise of such persons or members (in such detail as necessary to fully describe the nature of the expertise).
    • Processes by which such persons or committees are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents; and
    • Whether such persons or committees report information about such risks to the board of directors or a committee or subcommittee of the board of directors.

When Requirements Go into Effect

Implementation timing is as follows:

  • Registrants must provide risk management/governance disclosures beginning with annual reports for fiscal years ending on or after December 15, 2023.
  • Incident disclosure requirements must be implemented by December 18, 2023.

Note: While the final rule imposes new time-bound requirements, public companies are already required to disclose material cybersecurity incidents. The U.S. Securities & Exchange Commission (SEC) 2018 interpretive guidance on cybersecurity disclosure requirements makes it clear that public companies should have comprehensive cybersecurity policies and procedures in place with a focus on timely disclosure of material cyber risks and incidents. These measures should include:

  • Protocols to determine materiality of cyber risks and incidents.
  • As part of materiality analysis, an appropriate method of discerning the probability
    and impact of cyber risks and incidents.
  • Alignment of probability and impact to the company’s business, financial condition,
    and results of operations.

What’s the Context

The final rule reflects a number of changes that, to a certain degree, streamline requirements originally included in the proposed rule. These changes include:

  • Limited delay provision. Whereas the proposed rule contained no delayed notification provision, the final rule permits limited delays for incidents that the U.S. Attorney General determines could pose a substantial risk to national security or public safety.
  • Incident notification detail. The final rule focuses disclosure requirements primarily on the impacts of a material cybersecurity incident, rather than on requiring details regarding the incident itself.
  • Upleveling of risk management details. The final rule dropped proposed paragraphs that would have required disclosures on prevention and detection activities, continuity and recovery plans, and previous incidents.
  • No requirement to disclose board cyber expertise. The final rule also dropped an NPRM requirement to disclose cyber expertise of individual board of directors’ members.
  • Incident disclosure analysis: “materiality” not limited to financial impact. The Commission declined to limit materiality determinations to quantifiable financial impacts. “A lack of quantifiable harm does not necessarily mean an incident is not material,” noted the SEC, which cited reputational harm as a non-quantifiable factor that should lead to incident disclosure if the reputational harm is material.

Wells Notice & Enforcement Actions

Failure to adequately implement these requirements can result in SEC enforcement actions directed both at the company as well as officers and directors.

On June 23, SolarWinds filed an 8-K disclosing that its CISO and Chief Financial Officer had received “Wells Notices” from the SEC in connection with the company’s highly publicized 2020 cybersecurity incident. According to SolarWinds, the Wells Notices each “state that the SEC staff has made a preliminary determination to recommend that the SEC file a civil enforcement action against the recipients alleging violations of certain provisions of the U.S. federal securities laws.”

What To Do About It

Public companies should not only start planning now for how to comply with these new SEC provisions, but they should do so from the lens of a hypothetical post-incident SEC inquiry that will examine whether the extent and timeliness of disclosures reasonably reflected what was actually occurring inside the company. Here are five steps companies can take to prepare for the new requirements:

  1. Treat cybersecurity as an enterprise risk: Understand your business profile and high value assets. In the MITRE Corporation’s “11 Strategies of a World Class Security Operations Center,” the very first strategy (Strategy 1) is to “Know What You Are Protecting and Why.” Put another way, a starting point for effective cybersecurity is understanding the inherent risk facing an organization – that is, the likely threats, complexity and impacts facing the business before mitigations have been put in place. Organizations should categorize high value assets, or the key technology systems most important to operating and defending the business. Impact to “crown jewel” assets is specifically called out as a materiality factor in the final rule, and these steps are foundational for classifying incidents as “material” because they help frame potential impacts to the business. For the same reason, ensure an understanding of potential cybersecurity-related legal risks (in cooperation with the General Counsel and outside counsel).
  2. Update incident response and crisis management plans for the new SEC requirements and exercise internal processes for responding to a cybersecurity incident. Doing so validates that management and boards understand their responsibilities in a crisis, and thereby helps ensure that SEC disclosures and updates will be timely and accurate. A wild card factor in all incidents is the potential that an adversary will publicly disclose an incident to incentivize extortion payments – companies need to consider how such contingencies will influence public disclosures. They also need to consider how briefings to key customers and partners compare the public disclosures. To be clear, the final rule acknowledges that companies will need to share operational information to mitigate threats, and it includes an Instruction that a “registrant need not disclose specific or technical information about its planned response to the incident or its cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail as would impede the registrant’s response or remediation of the incident.” That said, companies should consider how disclosures around potentially material impact compare to non-public discussions.
  3. A corollary step is implementing response-oriented engineering, whereby asset visibility and logging strategies are implemented to streamline the process for understanding and thereby containing incidents when they do occur. This helps an organization more rapidly understand the extent of an adversary’s access.
  4. Review the company’s governance framework both for management and the board. While the final rule does not require disclosures around specific measures for measuring and managing cybersecurity risk, it does require disclosure around which management positions are responsible for this, what processes are used, relevant professional qualifications, as well as related processes used to inform the board of directors about such risks. Because of specific call-outs in the rule, management should also validate whether the company is using outside cybersecurity assessors, consultants and auditors, and managing third-party vendor risk.
  5. Consider how effectiveness will be evaluated. As noted above, the SEC expects characterizations of processes used to measure and manage risk, as well as how assessors, consultants and auditors are used in support of these activities. Validating that cybersecurity measures are operationally effective in defending against likely threat activity is also key to ensuring accuracy and timeliness of the reporting referenced in the final rule.