It’s been several months since the U.S. Securities and Exchange Commission (SEC) approved the final rules governing cybersecurity disclosures on July 26, 2023. For risk management, strategy, and governance disclosure requirements, companies are required to provide the disclosures beginning with annual reports for fiscal years ending on or after December 15, 2023, while compliance with incident disclosure requirements commenced from December 18, 2023.
So what’s been happening since the new rules were introduced? We bring you a high-level summary of what’s been going on to date, including:
Six companies have filed incident disclosures so far, with three of these companies additionally amending their initial Form 8-K filings to offer further insights into subsequent events. Companies that have filed include footwear maker VF Corp, insurer First American, and tech giants Microsoft and Hewlett Packard Enterprise (HPE).
An interesting observation is that both Microsoft and HPE indicated they were filing the disclosures voluntarily since they weren’t aware of a material impact from the attacks. Microsoft submitted an 8-K filing on January 19, 2024, to the SEC, disclosing that Nobelium, a Russian hacking group, had gained access to its top executives' email accounts, specifically targeting those in its cybersecurity and legal departments. According to Microsoft’s notice, the Russian hackers used permissions attached to a hacked account to access corporate email accounts, “including members of our senior leadership team and employees in our cybersecurity, legal, and other functions.”
The above 8-K filings reiterate the importance of building a strong foundation of cyber resilience where an effective response plan is matched with a detailed cyber governance, risk, and compliance (cyber GRC) program. This will enable efficient and agile response as mandated by the new rules.
The SEC's final cybersecurity rules require filing an 8-K only when materiality is determined, rather than upon incident detection. However, such determinations must be made promptly "after discovery of the incident," without unreasonable delay. This implies that organizations must assess materiality based on both current and anticipated future impacts. Moreover, the rules specify that determinations cannot wait for future impacts to manifest.
When determining whether a risk event is material, the analysis should take both qualitative and quantitative factors into account.
In a recent webinar I hosted, Brian Fricke, CISSP, CISM, CISO at City National Bank Florida, dove into what “material” means. He listed a few examples of quantitative and qualitative factors that companies should consider when assessing the materiality of a cyber incident.
Examples of qualitative factors to consider when assessing the materiality of a cyber incident
Examples of quantitative factors to consider when assessing the materiality of a cyber incident
Watch the webinar for more insights on how to manage cyber risk in a mature, effective way: Navigating the Future of IT Risk and Compliance
Starting from fiscal years ending on or after December 15, 2023, public companies will need to comply with updated cybersecurity disclosure regulations in their Annual Reports on Form 10-K. Meeting these requirements poses a challenge for companies, as they must strike a balance between disclosing enough information to comply with regulations and safeguarding against potential risks. Over-disclosure could expose the company to threats from malicious entities seeking to exploit vulnerabilities or defensive strategies.
However, it remains crucial for companies to provide accurate disclosures that align with the SEC cybersecurity rules, particularly given the ongoing enforcement proceedings involving SolarWinds Corp by the SEC. The SolarWinds enforcement case marks a significant development in two aspects. Firstly, the SEC alleges intentional deception in cybersecurity disclosures by a company, departing from previous cases where negligence was cited. Secondly, it represents the first instance where the SEC has pursued individual enforcement action against a corporate officer in a cybersecurity disclosure matter.
Both Clorox and Johnson Controls, having recently experienced ransomware attacks, have submitted filings to the SEC detailing the costs incurred from operational disruptions and financial losses stemming from cyber-related incidents. Although it remains uncertain whether these filings directly comply with this rule, particularly considering the timing of the attacks, they underscore the growing tendency towards more frequent and comprehensive disclosures. More importantly, it reflects an increasing acknowledgment of cybersecurity incidents as material risks capable of impacting both financial performance and operational continuity.
With cyber risk and regulatory efforts increasing globally, not just in the U.S., it becomes imperative for organizations across diverse sectors and industries to build cyber resilience that can not only ensure compliance but also optimize cybersecurity processes and improve efficiencies.
MetricStream’s CyberGRC solution can help you streamline your cyber risk management program and achieve compliance with the SEC’s new cybersecurity rules. Read our blog for a comprehensive mapping of how we can help you achieve compliance with the various aspects mandated by the SEC Rules, including:
Interested to know more? Request a personalized demo.
Download eBook: Overview of SEC Cyber Disclosure Rules 2023
Read blog: Achieve Compliance with SEC’s New Cybersecurity Rules
View Infographic: SEC’s New Cybersecurity Rules 2023: Top FAQs Answered