The Securities and Exchange Commission (SEC) has adopted rules requiring registrants to disclose material cybersecurity incidents they experience. Companies must also disclose, on an annual basis, material information about their cybersecurity risk management, strategy, and governance. The same obligations apply to foreign private issuers, so that disclosure is comparable across issuers.
SEC Chair Gary Gensler remarked, “Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors. Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”
The New Rule: What It Says, Who’s Responsible?
The final rule requires companies to expand their annual Form 10-K filings with a description of their cybersecurity risk management processes, management's role in assessing and managing cybersecurity risk, and the board's oversight of that risk.
It also imposes a mandatory, expedited reporting requirement: material cybersecurity incidents must be reported to the SEC on Form 8-K (new Item 1.05) within four business days of the company determining that the incident is material. The clock starts at the materiality determination, not at discovery, and the rule requires that determination to be made without unreasonable delay after discovery.
Under the rule, a cybersecurity incident is an unauthorized occurrence, or a series of related unauthorized occurrences, on or through a registrant's information systems that jeopardizes the confidentiality, integrity, or availability of those systems or of any information residing in them.
The rule allows disclosure to be delayed if the US Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the SEC in writing; the initial delay is limited to 30 days, with further extensions possible on the same basis.
What To Do?
With the scope of the rule and its compliance dates in view, take action now. In the short term, consider the following:
- Annual Report Considerations: Annual reports for fiscal years ending on or after December 15, 2023 (for calendar-year companies, the 10-K for 2023 filed in 2024) must describe the cybersecurity risk management, strategy, and governance in place, including the processes used to assess, identify, and manage material cybersecurity risks.
- Continuous Monitoring Considerations: From December 18, 2023 (June 15, 2024 for smaller reporting companies), incident reporting is live, so the processes for detecting incidents, escalating them, and assessing materiality need to be operating before that date. Readiness here is what makes a four-business-day filing achievable.
In short, time is of the essence. Organizations need to put the processes and technology that support effective cybersecurity disclosures in place before their compliance dates. That means assessing gaps, establishing and integrating disclosure processes, enhancing capabilities, updating risk quantification and incident management procedures, engaging the board, and more. The timeline may be shorter than it looks.
Why Is It Important?
The new rules substantially expand the annual disclosures registrants make, so that investors and other stakeholders receive more standardized and detailed information about a registrant's cybersecurity risk management, strategy, and governance. Reporting of material cybersecurity incidents must now include specific details (the nature, scope, and timing of the incident and its material impact or reasonably likely material impact) and may require faster reporting than registrants have traditionally practiced. Existing systems, processes, and controls therefore need to be adjusted to meet the revised requirements.
When Do These Rules Come Into Effect?
The rules became effective on September 5, 2023. The annual risk management, strategy, and governance disclosures apply to fiscal years ending on or after December 15, 2023. The incident reporting requirement on Form 8-K applies from December 18, 2023 for most registrants; smaller reporting companies have an additional 180 days, so their incident reporting begins on June 15, 2024.
The Controversial Burden
While the new rules’ intentions are commendable, a debate persists regarding the potential burden they might impose on publicly traded companies. Consider the following points:
Reporting Timelines: The rules require disclosure of material cybersecurity incidents on Form 8-K within four business days of the materiality determination. Timely disclosure is valuable, but some companies may struggle to assess an incident's scope and materiality accurately while the investigation is still under way.
Delayed Disclosure: The rules allow delayed disclosure if the U.S. Attorney General deems immediate disclosure a risk to national security or public safety. This provision raises concerns about potential delayed transparency and its impact on investor trust.
Annual Disclosure: The annual requirement to disclose cybersecurity risk management, strategy, and governance information may pose a reporting burden, especially for companies with limited resources or complex cybersecurity environments.
Foreign Private Issuers: Foreign private issuers face comparable disclosure requirements, raising challenges related to cross-border regulations, varying cybersecurity standards, and potential differences in the cybersecurity threat landscape.
Structured Data Requirements: Disclosures must be tagged in Inline XBRL (a format that is both human-readable and machine-readable), which adds a further layer of compliance work; the tagging requirement phases in one year after the corresponding disclosure requirement first applies.
The SEC has not announced sanctions specific to these rules, but a missed or late Form 8-K or an inadequate annual disclosure is a reporting violation like any other under the securities laws, which is reason enough for early adoption.
The SEC's cybersecurity disclosure rules are a significant step toward greater transparency and more standardized reporting in the corporate landscape. Effective September 5, 2023, they require companies to raise the level of their cybersecurity reporting, both in annual filings and through expedited Form 8-K submissions for material incidents.
As companies prepare for compliance, the debate over the burden these rules impose continues. Partnering with a technology provider like Ionixx can help you stay compliant with the regulatory changes and navigate the limitations of legacy systems. Our OMS software is a resilient trading system that streamlines trading activity among stakeholders through a highly adaptable trade workflow, with extensive configurability for data management, documentation, and reporting. Contact us today.