What You Need to Know About the New SEC Cybersecurity Reporting Rules

The Securities and Exchange Commission (SEC) recently adopted new rules that mandated all covered organizations to report identified security incidents and include reporting of internal cybersecurity practices, processes, and governance.

Is your organization ready to inform the public what you do to protect your organization from cybersecurity threats?

If you are a covered organization and haven’t formalized a security policy, you may be at risk.

The Legislation

On July 26, the SEC issued a rule[1] defining the importance of cybersecurity and governance within organizations.

The purpose of this rule is to ensure any potential investor is fully aware of any material risks to an organization with regard to the cybersecurity health and risk management operations of the organization.

This report coincided with requirements established by the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”). This act defined reporting obligations for companies in defined critical infrastructure sectors.

Once these rules are adopted by the Cybersecurity and Infrastructure Security Agency (CISA), these entities will be required to report a covered cybersecurity incident to CISA within 72 hours of initial discovery.

The SEC guidelines were designed to increase visibility to the public for any items that may materially contribute to a decision by an investor in any given organization.

As a side benefit, it is anticipated that organizations will use this reporting requirement to review their existing cybersecurity risk management practices thoroughly and to improve their overall security posture.

Basic Reporting Requirements

The basic reporting requirements are relatively straightforward. Any registrant is required to file a Form K-8 to disclose a material cybersecurity incident within 72 hours of the determination that the incident is considered material. To provide guidance on the determination of an incident being material, the SEC included the following wording under the rule:

Information is material if “there is a substantial likelihood that a reasonable shareholder would consider it important” in making an investment decision, or it it would have “significantly altered the ‘total mix’ of information made available.” “Doubts as to the critical nature” of the relevant information should be “resolved in the favor of those the statue is designed to protect,” namely investors.[2]

In the event of a cybersecurity incident, the registrants must disclose the nature, scope, timing, impact (or reasonably likely impact) of said event. Reporting is to be provided even if the incident is ongoing or has not been fully mitigated at the end of the mandatory reporting period.

The only exception to this requirement is in the case of potential risk to public health or security. A delay must be requested in writing from the Attorney General, who would consider if an event would pose a substantial risk to public safety and consider any other Federal or other law enforcement agencies' findings before providing a written notification allowing a delay in disclosure.

Additional Reporting Requirements

While the reporting requirements for an incident are generally well known, two additional sections are often overlooked. These may be just as critical, if not more so, than the incident reporting requirements.

Regulation S-K Item 106(b) – Risk Management and Strategy

The Regulation S-K Item 106(b) form requires organizations to describe their processes, if any, for the assessment, identification, and management of material risks from cybersecurity threats, and describe whether any risks from cybersecurity threats have materially affected or are reasonably likely to materially affect their business strategy, results of operations, or financial condition.

Regulation S-K Item 160(c)

Regulation S-K Item 160(c) requires organizations to describe the board’s oversight of risks from cybersecurity threats and describe management’s role in assessing and managing material risks from cybersecurity threats.

These two requirements require a proactive approach to cybersecurity and overall risk governance.

Better reporting leads to better governance, which leads to better risk management and protection. This focus requires organizations to increase their overall cybersecurity and risk management maturity by identifying their risks, defining their requirements, and documenting the mitigations in place. 

Preparation is Crucial

More than ever, proper preparation and governance for an organization’s cybersecurity posture is crucial.

Proper governance and implementation of a cybersecurity program reduces your risk of compromise and cybersecurity impact. It can also be a differentiator for investors comparing similar organizations.

The ideal preparation method involves the identification of a guiding framework to establish best practices, policies, and procedures for your organization, ensuring those items meet or exceed any applicable regulatory requirements.

Additionally, having proper governance in place can ensure your organization can report the correct information if an incident were to occur. Required reported items include the nature, scope, timing, and impact of the event. Proper cybersecurity hygiene and monitoring capabilities ensure these items are easily defined by an organization.

Gain Executive Support and Close Communication Gaps

Often, the most difficult part of implementing a security-focused risk management program is getting Executive Support.

It can be difficult to explain the technical issues and risks to non-technical members of the Executive staff. Similarly, explaining general business risk concepts to technical engineers is just as challenging.

Finding shared frames of reference is crucial to the discussion to help ensure understanding across all teams. Using a well-regulated security framework like CIS CSC or NIST CSF allows executive and technical staff to bridge knowledge and communication gaps.

Conclusion

The new requirements are designed to ensure a potential investor is fully aware of the cybersecurity posture of an organization, the effectiveness of governance and risk management processes, and the overall impact of cybersecurity incidents in a timely manner.

To facilitate this requirement, PacketWatch recommends focusing on implementing an overall Cybersecurity risk management and governance program. Implementing a risk management and governance program promotes collaboration and balance in addressing business and cybersecurity risks.

Resources

• [1] https://www.sec.gov/news/press-release/2023-139
• [2] https://www.sec.gov/files/rules/final/2023/33-11216.pdf

Todd Welfelt has an Information Technology career spanning more than 25 years. 

Todd has turned his extensive experience with hands-on management and maintenance of computer systems into practical assessment and implementation of security tools to meet the
needs of compliance frameworks as well as provide real-world risk reduction.

If you need help with your compliance or accreditation programs, please contact PacketWatch so we can discuss how we can help your organization meet and exceed its compliance goals.