Cyber Security News

SEC Issues Final Rule on Cybersecurity Risk Management and Incident Disclosure

In a significant development for the business and cybersecurity communities, the U.S. Securities and Exchange Commission (SEC) has announced the finalization of the long-awaited rule on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure. The SEC's aim with this rule is to enhance transparency and encourage robust cybersecurity practices among organizations operating in the securities market. 

Under the new rule, public companies must disclose any cybersecurity incident they determine to be material under Item 1.05 of Form 8-K. The filing must describe the material aspects of the incident's nature, scope, and timing, and its material impact, or reasonably likely material impact, on the company, including its financial condition and results of operations.

Generally, companies will have four business days to file the Item 1.05 Form 8-K once they determine that a cybersecurity incident is material, and that materiality determination must itself be made without unreasonable delay after the incident is discovered. Disclosure may be delayed only if the United States Attorney General determines in writing that immediate disclosure would pose a substantial risk to national security or public safety and notifies the SEC of that determination. The rule also extends to foreign private issuers, who must furnish comparable incident disclosures on Form 6-K, so that the obligation applies consistently across companies reporting to the SEC.

The full text of the final rule can be accessed through the SEC's website at https://www.sec.gov/rules/final/2023/33-11216.pdf.

“Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors,” said SEC Chair Gary Gensler. “Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”

Mixed Reaction and Specifics

Commentary from investors, cybersecurity professionals, and executives has ranged across the spectrum. Below are some of the notable specifics and how they differ from the original proposal:

  • Incident Disclosure Focus: The final rule keeps the four-business-day disclosure window for cybersecurity incidents. However, the clock starts when the company determines the incident is material, not when the incident is discovered, although that determination cannot be unreasonably delayed.
  • No Mandated Cyber Risk Quantification: The SEC rejected the calls for mandated cyber risk quantification, recognizing the complexity and challenges involved in quantifying cyber risks accurately.
  • CISO Disclosure Requirement: Not Included. Contrary to expectations, the final rule does not mandate disclosure of whether a firm has a Chief Information Security Officer (CISO). Instead, it requires disclosure of the management positions or committees responsible for assessing and managing cybersecurity risk and their relevant expertise, acknowledging that effective cyber risk management can be achieved through cross-functional non-CISO management if those responsible are properly informed and empowered.
  • Cybersecurity Expertise of Board Members: No Formal Requirement. The SEC dropped the proposed requirement to disclose the "cybersecurity expertise, if any, of a registrant's board members." Instead, it adopted a broader, principles-based annual disclosure of the company's cyber risk management processes and the board's oversight of cybersecurity risk, leaving organizations free to add cyber expertise to their boards where their risk profile warrants it.

What Needs to Change within Organizations as a Result of the Final Rule?

The finalization of the SEC rule is expected to have a significant impact on the cybersecurity practices of public companies. With the adoption of a principles-based approach and a focus on material impact, organizations will need to review and strengthen their cybersecurity risk management strategies and incident response protocols to meet the new requirements. In practice, that means having a documented, repeatable process for escalating incidents to the people who make the materiality determination, so that the determination is made promptly and the four-business-day clock can be met, and being prepared to describe risk management processes, management responsibilities, and board oversight in the annual report.

The rule's adoption signals a strong commitment from the SEC to bolster cybersecurity resilience across public companies, safeguarding both investors and companies from the ever-evolving cyber threats in today's digital landscape.