Introduction
In response to the escalating cybersecurity risks influenced by digital technology, remote work environments, cryptocurrency, and rising cybercrimes, the Securities and Exchange Commission (SEC) on July 26, 2023, introduced a final rule mandating registrants to provide comprehensive disclosures on their cybersecurity risk management, strategies, governance, and incident reporting.
Previously, the SEC’s interpretive guidance in 2011 and 2018 clarified existing disclosure rules in the context of cybersecurity but did not impose new obligations. These guidelines emphasized the importance of cybersecurity in risk factors, management discussion and analysis (MD&A), financial statements, and the critical role of the board of directors in risk oversight.
The latest SEC rule significantly enhances disclosure requirements:
Immediate Incident Reporting: Registrants must report material cybersecurity incidents within four business days of determining materiality, using Form 8-K, with a delay permitted where disclosure would pose a substantial risk to national security or public safety.
Annual Disclosure Enhancements: Annual reports must include detailed information on cybersecurity risk management, the role of management, and board oversight in Form 10-K.
Inline XBRL Format: Disclosures must be presented in Inline eXtensible Business Reporting Language.
These requirements apply to all SEC filers, including foreign and domestic registrants, smaller companies, and emerging growth companies.
The final rule deviates from the proposed rule by:
Limiting the scope of incident disclosures.
Utilizing Form 8-K for incident updates instead of Forms 10-Q and 10-K.
Excluding the aggregation of immaterial incidents.
Focusing on processes rather than specific policies in risk management disclosures.
Eliminating the need to disclose board members’ cybersecurity expertise.
Reporting Material Cybersecurity Incidents
Registrants must file a Form 8-K for material cybersecurity incidents, weighing factors such as the importance of the affected information, the complexity of the attack, and the nature of the data compromised.
Materiality assessment is a critical component, where registrants must objectively consider various factors including potential losses, impact on individuals, and possible litigation or regulatory investigations. The SEC underscores the importance of materiality in cybersecurity incidents, irrespective of whether the registrant owns the affected systems.
The new rule requires disclosure of:
Board and management roles in overseeing cybersecurity risks.
Cybersecurity risk management processes.
Impact of cybersecurity threats on the registrant’s strategy and operations.
Registrants must balance the need for transparency with the risk of revealing sensitive information that could expose vulnerabilities.
The final rule becomes effective 30 days after its publication in the Federal Register, with staggered compliance dates for different types of registrants. The disclosures are mandated from specific dates in late 2023 and mid-2024.
The SEC is also considering further rulemaking in cybersecurity for advisers, funds, and other financial entities, enhancing cybersecurity policies, disclosures, and recordkeeping requirements.
Conclusion
The final rule is expected to go a long way towards enhancing cybersecurity transparency and investor protection. Its emphasis on prompt incident reporting, annual disclosure, and thorough governance reflects the growing significance of cybercrime for the economy and the financial sector. These changes have the potential to be critical; therefore, at Prancer.io, we understand our clients' need to adapt to the new regulatory landscape.