SEC final rules: cybersecurity in focus

Cybersecurity threats and incidents continue to pose significant risks to public companies, investors, and market participants globally. The cost of these incidents to companies and investors continues to grow. In order to improve and standardize disclosures by public companies of cybersecurity risk management, cybersecurity strategy, governance, and material cybersecurity incidents, the U.S. Securities and Exchange Commission (SEC) proposed and adopted new rules.


On July 26, 2023, the SEC adopted the final rules “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure” to standardize and enhance disclosures for cybersecurity incidents and risk management processes.

An article from Eliza Davies, Cyber Security and Risk Management Consultant. Published April 23, 2024.

What is the SEC?

The SEC is an independent United States federal regulatory agency founded in 1934 and responsible for protecting investors, maintaining fair and orderly functioning of the securities markets, and facilitating capital formation. Federal agencies, in general, are part of the executive branch of government. These agencies are mandated by Congress to issue regulations based on laws enacted by Congress. The process of publishing new regulations is called “rule making”.

Disclosure rules on cybersecurity

The SEC publishes final rules to clarify the interpretation of federal legislation and how laws are to be implemented. The agency can also define requirements and prohibitions, as well as publish guidance or other policy statements.


The final rules published in July 2023 on cybersecurity disclosures were effective from September 5, 2023. Publicly traded companies in the U.S. must now make cybersecurity risk management, strategy and governance disclosures to the SEC beginning with their annual reports for the fiscal year ending on or after December 15, 2023. For the material cybersecurity incident disclosure requirements in Item 1.05 of Form 8-K, companies must begin complying on December 18, 2023.


Companies that qualify as “smaller reporting companies” are given an additional 180 days to begin reporting Item 1.05 on Form 8-K. These smaller reporting companies will begin disclosing material cyber incidents starting June 15, 2024.

The final rules also include reporting and disclosure requirements for Foreign Private Issuers (FPIs). These include Form 20-F for annual reports and Form 6-K for current reports. FPIs are regulated differently, and their obligations depend on their home-country regulation and their existing reporting requirements.


Determinations of materiality

Whether a cyber incident must be disclosed to the SEC using Form 8-K Item 1.05 is a question of materiality. What is material according to the SEC? The concept of materiality is foundational to American securities law.


Practically speaking, there is no simple answer. There is no prescriptive definition that says whether something is material. The SEC has consistently stated that, for the purposes of disclosure, materiality should be interpreted consistent with applicable case law.


One interpretation from the U.S. Supreme Court, in its decision from the 1976 case TSC Industries v. Northway, Inc., held that a fact is material if there is “a substantial likelihood that the ... fact would have been viewed by the reasonable investor as having significantly altered the ‘total mix’ of information made available.”


The above standard is discussed in SEC Staff Accounting Bulletin No. 99 – Materiality, published in 1999. The bulletin elaborates on questions assessing materiality and misstatements in financial statements. One of the questions addresses whether a quantitative threshold can be applied to determine if something is material to financial statements. The response from the SEC is that, while “rules of thumb” can be useful, reliance on a specific percentage or numerical threshold has no basis in the accounting literature or current legislation.

In general, companies must consider both "quantitative" and "qualitative" factors in assessing materiality. They make up the “‘total mix’ of information.”


Facilitate informed decisions for investors

Investors, like any company, need to understand the risks associated with the decision at hand. The final rules are about helping investors make informed decisions. They are also intended to benefit companies and the market more broadly by forcing companies to take a closer look at their cybersecurity governance and risk management processes.


When speaking about the new rules, SEC Chair Gary Gensler said that while many public companies already provide cybersecurity disclosures to investors, everyone would benefit from a standardized process. The new cybersecurity disclosures help investors assess risks to their investments just as they do with other risk disclosures.

The new rules are intended to provide investors with “timely, consistent, comparable, and decision-useful information they need to make informed investment and voting decisions.”

Qualitative and quantitative methods

When used alone, both qualitative and quantitative risk management methods have their limitations. Factors such as cognitive biases, inconsistencies, lack of context, and overconfidence can hinder effective communication and decision-making regarding investments and security.


Regulators are advocating for stronger corporate governance when it comes to cyber risk. Implementing a risk-based, data-driven approach can provide evidence to regulators and investors that your company has a sound decision-making process.


By combining qualitative and quantitative risk management methods, your company can achieve more than just regulatory compliance. The FAIR framework offers a transparent, repeatable method for quantifying cyber and technology risk in financial terms. Cyber Risk Quantification (CRQ) can be integrated into your risk management process, regardless of your company's maturity level. This allows for the evaluation of security decisions in business terms, prioritization of investments based on control capabilities, and increased productivity.

C-Risk’s team of FAIR-certified cybersecurity and risk management consultants is ready to help your company achieve more than just regulatory compliance. Contact us today to learn how we can help you quantify cyber and technology risk in financial terms and increase productivity.
