If you had the U.S. Securities and Exchange Commission on your bingo card for shaking up the cybersecurity sector this year, congratulations! Through its new cybersecurity disclosure requirements, which took effect Tuesday, the SEC is the latest federal agency putting a spotlight on U.S. companies’ cybersecurity practices and pushing boards and executive management teams to place a greater focus on their cyber risk management.
What are the new SEC cybersecurity disclosure requirements?
Under the new disclosure requirements, a U.S. public company that experiences a cybersecurity incident must file a Form 8-K disclosing the incident within four business days of determining that the incident is material. The clock starts at the materiality determination, not at discovery of the incident. The Form 8-K must describe the material aspects of the nature, scope and timing of the incident, along with its material impact, or reasonably likely material impact, on the company. The SEC did allow a narrow exception: disclosure may be delayed if the U.S. Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the SEC of that determination.
In addition, U.S. public companies must now disclose in their Form 10-K annual filing: (i) their processes, if any, for assessing, identifying and managing material risks from cybersecurity threats; (ii) whether any risks from cybersecurity threats, including as a result of prior incidents, have materially affected or are reasonably likely to materially affect the company; and (iii) the board of directors’ oversight of risks from cybersecurity threats, and management’s role and expertise in assessing and managing material risks from those threats.
Cybersecurity governance is coming under increased scrutiny, though the SEC ultimately scrapped a draft provision that would have made public companies disclose board members’ cybersecurity expertise.
Why have the new SEC cybersecurity disclosure requirements?
Prior SEC rules and guidance already covered cybersecurity disclosure, but the SEC viewed them as inadequate and in need of an update for two key reasons. First, the prior policies resulted in inconsistent disclosure practices across issuers, which made it difficult for investors to assess a company’s cyber risk and, worse yet, likely led public companies to underreport cybersecurity incidents. Second, the SEC recognized the sharp rise in the cost and adverse impact of cybersecurity incidents on public companies and on the economy more generally, which in turn fueled the need for more timely and standardized cybersecurity disclosures for the investing public.
What is the anticipated impact of these disclosure requirements on companies?
First, the role of the CISO, CIO and the cybersecurity function will be further elevated within public companies. To meet the new requirements, these teams will be pushed into even more discussions with disclosure committees, executive management and potentially the board about their work detecting cybersecurity incidents and remediating vulnerabilities, and about their views on the materiality of cyber risks and incidents. Some public companies will need to invest additional resources to strengthen their cybersecurity function to meet these new demands.
Second, companies are even more incentivized to beef up their cybersecurity defenses, as preventing cybersecurity incidents has never been more imperative for public company management and boards. Every security incident will now need to be assessed for materiality, and therefore for whether it must be disclosed. The resulting disclosures will bring additional scrutiny from investors, media, regulators and malicious actors, presenting an array of potential challenges. Organizations will be less likely to tolerate certain cyber risks, especially those that know they’ll have to report their biggest failures in a Form 8-K for all to see. This is supported by Moody’s view that these SEC disclosure changes will be credit positive, partly because the rule could spur investment in better cyber defenses.
Third, while the new disclosure reporting requirements apply to public companies only, the expanded disclosure of cybersecurity programs by public companies could create a baseline that other companies (foreign companies, private companies aspiring for public status) and public organizations not subject to these reporting requirements will still seek to emulate. “Why aren’t we doing it that way?” may become a common refrain in corner offices around the country.
What other regulatory changes are on the horizon?
Some organizations in the financial sector may face even tighter SEC cybersecurity oversight, as the agency prepares to issue a separate set of cyber risk management requirements for registered investment advisers and investment companies. The SEC is scheduled to finalize those reporting, governance and disclosure rules next month.
All of these new SEC requirements aren’t taking effect in a vacuum. Rather, they are just one part of the Biden administration’s efforts to strengthen U.S. cyber defenses and spur greater investment in cybersecurity. In March, the White House unveiled its National Cybersecurity Strategy with a goal to “shape market forces to drive security and resilience.” Based on these actions, it is clear the U.S. government wants much more cybersecurity transparency and action from both the private and public sectors. Expect other U.S. regulators to follow the SEC’s lead in pushing U.S. companies to take a good, hard look at how they manage cyber risks.