New SEC cyber disclosure rules take effect

Companies now need to disclose on risk management, strategy and governance procedures – and on material cyber incidents by December 18.

This July, the SEC voted to adopt final rules on cybersecurity disclosure. As of December 15, companies need to disclose their cyber-risk management, strategy and governance procedures – and then disclose any material cyber incidents by December 18 – under those rules. (Smaller reporting companies have a 180-day deferral.) It all provides another reason why we can say “time flies in December!”

Rules recap

In a 3-to-2 vote, the SEC adopted rules that require companies to add details describing their cyber program to their annual 10-K filings.

The rules also require mandatory and speedier filing of Form 8-K for reporting material cybersecurity incidents to the SEC when they occur – within four days of determining that an incident is material. In the rules, “cyber incident” means an unauthorized occurrence (or series of related occurrences) on or conducted through a registrant’s information system that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.

The rule provides for a series of extensions if the US Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety.

Materiality determination should be based on federal securities law materiality, including consideration of quantitative and qualitative factors, the SEC says.

When businesses report “material” cybersecurity incidents on a Form 8-K within those four business days of a materiality determination, they must do the following:

  • describe the nature, scope, and timing of the incident;
  • describe the material impact or reasonably likely material impact on the registrant; and
  • to the extent that required information has not been determined or is unavailable at the time of the filing, disclose this fact in the 8-K, and later amend the 8-K once the information is determined or becomes available.

Erik Gerding speaks

Yesterday, the SEC released Erik Gerding’s prepared remarks about the new cyber disclosure requirements to highlight some significant parts of the rationale and mechanics of the rules and clear up potential misconceptions. Gerding is the director of the SEC’s Division of Corporation Finance; he said he was not speaking on behalf of the SEC or the Division of Corporation Finance in offering these explanations.

Among other things, he referred to the “disclose in four days” requirement, saying that the timing is consistent with the reporting of other events the SEC requires to be reported on a Form 8-K, such as entry into or termination of a definitive material agreement or a bankruptcy.

And he referred to questions his agency received about the new rules as to whether a company consulting with the DOJ (such as the FBI and the Cybersecurity & Infrastructure Security Agency) about a cybersecurity incident automatically means that the incident must be material.

The short answer is that it does not necessarily mean that: the determination of whether an incident is material is based on all relevant facts and circumstances surrounding the incident, including both quantitative and qualitative factors.

Meeting new challenges

With the new rule, the SEC puts the burden on companies to give investors current, consistent and useful information about how they are managing their cyber risks.

Businesses must be ready to issue these disclosures regarding their cyber risk management, strategy, and governance processes. That means having policies, procedures and timeframes (with clearly delineated roles) established; creating new oversight processes for when disclosures must be updated; and putting testing processes in place to ensure the rule’s requirements are being met.

One of the most important elements is ensuring the business has controls and procedures in place to escalate the necessary items so that it can be determined whether a disclosure is required in the first place. This means having a true understanding of what is “material,” and access to the expertise to make that judgment call: people who grasp cybersecurity issues well, but who also understand the business, its data and its stakeholders.

A well-crafted and well-trained incident response team will be able to identify the business risks and material impact of an incident, and so determine whether the business needs to report and disclose it.