By Janel Schalk | Trace3 Advisory CISO
The SEC's cybersecurity disclosure rules, adopted in July 2023, require public companies to be more transparent about their cybersecurity risks and incidents. The SEC considers a cybersecurity incident to be “a series of related unauthorized occurrences that jeopardizes the confidentiality, integrity, or availability of information systems or any information residing therein.”
Companies (referred to interchangeably as registrants) must report material cybersecurity incidents within four business days of determining their materiality. Materiality is determined by assessing the incident’s impact and whether there is a substantial likelihood that a reasonable investor would consider it important, or if the incident would have significantly altered the “total mix” of information made available.
Disclosures must describe the nature, scope, and timing of the incident together with the material impact, or reasonably likely material impact, on the company’s finances and operations. Disclosures are submitted through a Form 8-K filing. It’s important to keep in mind that this form’s contents will be publicly available to investors as well as to the SEC.
Companies must also include annual disclosures in their Form 10-K regarding cybersecurity risk management and strategy.
Four days is not a lot of time, but keep in mind that the clock starts not from the breach itself but from when you have confirmed, or are reasonably confident, that a material breach occurred. The breach may have occurred six months in the past but was only just discovered, or its materiality has only just been determined.
You do not have to report every incident or breach, either. The scope is what matters in terms of reporting. If you had a breach six months ago that you were aware of but did not find that your finances, your ability to operate, or your clients were impacted, you are not obligated to report it. If you then learn six months later that one of those things does in fact apply, that is when the four-day window begins.
Determining materiality is not the sole responsibility of any one person, but rather that of a team with defined processes. In order to determine materiality you should:
Have an organized process that includes the right individuals:
Include CISO, CIO, CTO, CFO, and legal teams, including General Counsel
Outline the responsibilities of each individual and functional team
Determine how to share functional knowledge to bridge disciplines
Determine materiality based on the SEC’s definition:
Determine what a reasonable investor would consider material, which qualitative factors are most relevant to them, and what mechanisms you have to evaluate impact
Identify the information needed to make a materiality judgement, how to align the different elements that must be considered together, and what information is needed to disclose the nature, timing, and scope along with the impact, while also defining rules of engagement for outside legal counsel
Prepare necessary documentation, even if the incident is deemed not material:
The processes taken to determine materiality
Who was involved in determining materiality
The conclusion of materiality reached, including the basis for that conclusion
Have this stored indefinitely in case it’s requested by the SEC, even if you do not ultimately find it was of material impact, as
Form 8-K provides investors with timely notification of significant changes at listed companies.
The SEC requires companies to file an 8-K to announce significant events relevant to shareholders. Companies have four business days to file an 8-K for most specified items.
Form 8-K Item 1.05 specifically requires disclosure of the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the company, including its financial condition and results of operations.
Form 8-K Item 1.05 does not require specific or technical information about the planned response to the incident, or about the cybersecurity systems, devices, vulnerabilities, or configurations, in such detail as would impede the response to or remediation of the incident.
Regulation S-K Item 106 requires registrants to describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, and whether any risks from cybersecurity threats, including any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the company.
Item 106 also requires companies to describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats.
Form 8-K Item 1.05 specifically requires disclosure of the following:
A brief description of the nature and scope of the incident
Whether any data were stolen, altered, accessed, or used for any other unauthorized purpose
The effect of the incident on the registrant’s operations
Whether the registrant has remediated or is currently remediating the incident
Do not include specific, technical information about the registrant’s planned response or the cybersecurity systems including related networks, devices, or vulnerabilities in such detail as would impede the registrant’s response or remediation of the incident.
Registrants must determine materiality “as soon as reasonably practical after discovery of the incident” and should not unreasonably delay that determination in order to postpone the four-business-day filing deadline.
Disclosure of when the incident was discovered and whether it is ongoing was originally proposed as a required element, but it was removed from the final rule and is not required under Item 1.05.
Additional noteworthy items:
Item 1.05 was added, in part, because investors felt the previous level of disclosure was inadequate to meet their needs, and that Item 1.05 would provide them with decision-useful information regarding their investments.
Exceptions to the four-day requirement can be granted by the Attorney General if the registrant requests a delay on the basis of a substantial risk to national security or public safety.
Registrants must provide disclosures regarding cybersecurity incidents on third-party systems if the incident is deemed material to the registrant’s business. Where the electronic systems or data reside, and who owns them, is irrelevant to a reasonable investor assessing the incident’s impact on the registrant.
Many comments were received and reviewed as part of the SEC’s formalizing of Item 1.05, including a large number expressing concerns over the various disclosure and timing requirements; however, Item 1.05 is finalized and in force at this time.
If all required items called for in Item 1.05(a) are not determined or are unavailable at the time of filing, an amendment must be filed within four business days of the information then becoming available.
The annual Form 10-K disclosures cover three areas:
Processes for assessing and managing cybersecurity risks: describing how the company identifies, analyzes, and prioritizes cybersecurity threats.
Material effects of cybersecurity risks: explaining the potential financial and operational impacts of cyber threats.
Cybersecurity governance: detailing the board of directors’ and management’s oversight of cybersecurity risks.
If an incident was previously disclosed on Form 8-K Item 1.05, then Item 106(d) of Regulation S-K requires “any material changes, additions, or updates” to be reported on the quarterly 10-Q or annual 10-K, in addition to the items required under Item 1.05.
Item 106(b) disclosures must contain, as applicable:
Whether and how the described cybersecurity processes in Item 106(b) have been integrated into the registrant’s overall risk management system or processes
Whether the registrant engages assessors, consultants, auditors, or other third parties in connection with any such processes
Whether the registrant has processes to oversee and identify material risks from cybersecurity threats associated with its use of any third-party service provider
This is a non-exclusive list of disclosures, as registrants should additionally disclose whatever information is necessary for a reasonable investor to understand their cybersecurity processes.
Item 106(c) requires registrants to describe the board’s oversight of risks from cybersecurity threats and, if applicable, to identify any board committee or subcommittee responsible for such oversight.
Item 106(c) also requires describing the processes by which management or committees are informed about material risks from cybersecurity threats, the relevant expertise of management for these tasks, the processes by which management or committees are informed about the prevention, detection, mitigation, and remediation of cybersecurity incidents, and whether they then report information about such risks to the board.
Key elements that are not required on Item 106(c):
Registrants do not need to disclose which third parties are used or describe the services those third parties provide; however, the registrant may choose to disclose this.
Registrants do not need to disclose risk quantification, or results of independent assessments and audits, nor do they have to distinguish between continuous and periodic risk assessments.
Registrants do not need to include proxy statements
Registrants do not need to disclose how often board members or committees meet to discuss cybersecurity, nor whether the board integrates cybersecurity into its business strategy, risk management, and/or financial oversight.
Our extensive line of security and networking services includes executive services; governance, risk, and compliance (GRC) services; foundational and advanced networking services; data protection services; zero trust services; email and endpoint services; storage, backup, and recovery services; identity and access management services; secure development services; observability and visibility services; offensive security services; and incident preparedness and response services.
Let us help you create, or review and update, your incident plans and playbooks, test their efficacy with tabletop exercises tailored specifically to operational or executive audiences, and be your incident partner with our response services. We’re ready to help you govern, identify, detect, protect, respond, and recover from incidents.