On July 26, the SEC voted 3-2 to adopt new rules which would require several new cybersecurity disclosures from publicly traded companies. Here’s what cybersecurity leaders need to know.
The U.S. Securities and Exchange Commission adopted new rules requiring publicly traded companies to submit a variety of disclosures regarding their cybersecurity and risk management processes, board oversight and cyber incidents.
SEC Chair Gary Gensler said in a prepared statement: “Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors. Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”
Tenable has created this list of frequently asked questions (FAQ) to inform cybersecurity leaders about the new rules. This blog is informational in nature and is not intended to replace the guidance of your organization's legal and governance teams.
What action has the SEC taken regarding cybersecurity disclosures?
On July 26, the SEC voted 3-2 to adopt new rules which would require new cybersecurity disclosures from publicly traded companies.
Which companies are affected?
The rules affect all publicly traded companies in the U.S. The rules also include like disclosure requirements for foreign private issuers.
What types of cybersecurity disclosures are required under the new rules?
Public companies are required to: describe their processes for assessing, identifying, and managing material risks from cybersecurity threats; submit an annual report on their cybersecurity risk management strategy and governance; and disclose the cyber expertise of the organization’s management team. Public companies also will be required to disclose “material” cybersecurity breaches within four days of determining an incident was “material.” This would include related unauthorized occurrences that become material in the aggregate.
What aspects of their risk management processes will organizations need to describe?
The rule requires public companies to describe and make public their processes for assessing, identifying, and managing material risks from cybersecurity threats, including (but not limited to):
- whether and how the described cybersecurity processes have been integrated into the organization’s overall risk management system or processes;
- whether the organization engages assessors, consultants, auditors, or other third parties in connection with any such processes;
- whether the organization has processes to oversee and identify material risks from cybersecurity threats associated with its use of any third-party service provider;
- any risks from cybersecurity threats, including from previous incidents, that have materially affected the organization; and
- any other material information.
What is required of an organization’s board of directors under the new rules?
Public companies are required to describe the board’s oversight of risks from cybersecurity threats and describe the processes by which the board of directors is informed of the risks. Registrants must also describe management’s role in assessing and managing material risks from cybersecurity threats.
What aspects of a cyber incident will organizations need to disclose?
Organizations are required to report any cybersecurity incident (or related incidents) they determine to be material within four days of making their materiality determination and to describe the material aspects of the incident's nature, scope and timing, as well as its material impact, or reasonable likelihood of material impact, on the company. The disclosure should focus on the material risk an incident poses to the organization, rather than disclosing the technical details of the incident. The rule allows the registrant to delay disclosure for up to 30 days or longer if the U.S. Attorney General determines the disclosure would pose a substantial risk to national security or public safety.
When do the new rules take effect?
The final rules will become effective 30 days following their publication in the Federal Register. Form 10-K and Form 20-F disclosures will be due beginning with annual reports for fiscal years ending on or after December 15, 2023. Form 8-K and Form 6-K disclosures will be due beginning the later of 90 days after the date of publication in the Federal Register or December 18, 2023. Smaller reporting companies will have an additional 180 days before they must begin providing the Form 8-K disclosure. With respect to compliance with the structured data requirements, all registrants must tag disclosures required under the final rules in Inline XBRL beginning one year after initial compliance with the related disclosure requirement.
What will cybersecurity leaders need to do to prepare?
Cybersecurity leaders will need to review their exposure management efforts and their ability to provide clear concise communication of those efforts to senior management. They’ll need to coordinate closely with their organization’s executive leadership general counsel and investor relations teams to understand what cyber risk data and metrics will be required to create documents for submission to the SEC. They’ll also need to identify and address any gaps in their current cybersecurity strategy to meet the new disclosure requirements.
What is the potential impact of these new rules on investor confidence?
Just as investors and stock analysts form judgments based on income statements and balance sheets, they now may use cybersecurity disclosures to form judgments of an organization’s investment potential based on its preventive cybersecurity efforts. The rules elevate cybersecurity to the same status as other risk management efforts taken by an organization, such as exchange rates, interest rates, geopolitical factors and environmental issues.
What are the consequences to companies that fail to comply?
Consequences for failure to comply with SEC disclosure requirements (including the new cyber rules) can range from administrative actions, such as cease and desist orders and revocation or suspension of registration, to civil fines or even criminal action. For example, last month the SEC sent a Wells notice to a number of SolarWinds executives, including the CISO, two-and-a-half years after the SolarWinds breach. According to the Washington Post, Wells notices notify recipients of the SEC’s possible intent to bring charges against them. This action could demonstrate a move to hold individuals liable for corporate cybersecurity failures.
Learn more
- Read the LinkedIn post by Tenable Chairman and CEO Amit Yoran here
- View the blog, The Era of Responsible Cybersecurity Finally Arrives