The New Final Rule
Four-Day Disclosure Requirement: The new requirement emphasizes the importance of prompt and comprehensive disclosure of material cybersecurity incidents. Under the new rule, companies must report certain details of the incident within four days of determining such an incident is material. The new SEC cybersecurity rule also highlights the need for companies to assess the impact of such incidents on their operations, financial conditions, and reputation. This emphasizes the materiality aspect of cybersecurity risk reporting.
Defining Materiality: Assessing the significance of a cybersecurity incident is critical to the process of incident response. Significance must be characterized by assessing the potential influence of the incident on the operational aspects, financial vitality, and overall reputation of the organization. This assessment encompasses both direct ramifications, such as the expenses associated with incident mitigation and recovery, as well as indirect consequences, such as damage to the company’s reputation and the conceivable legal and regulatory consequences.
Internal Investigation and Assessment: Companies are expected to conduct a thorough internal investigation and assessment of the nature and scope of cybersecurity incidents. This involves evaluating the extent of data compromise, potential legal and regulatory implications, and the overall impact on the organization.
Board and Executive Involvement: The new SEC requirement underlines the critical role of the board of directors and executive officers in overseeing and managing cybersecurity risks. It emphasizes the need for board involvement in the organization’s response to significant cybersecurity incidents and encourages open communication between management and the board.
Forward-Looking Disclosure: In addition to retrospective reporting, the new rule encourages forward-looking disclosures. Companies are required to provide periodic insights into potential future risks and their potential impact, enabling investors to make informed decisions.
Insider Trading and Selective Disclosure: The new SEC rule also addresses concerns related to insider trading and selective disclosure of cybersecurity incidents. It emphasizes the importance of maintaining clear protocols to prevent misuse of nonpublic information.
Aligning Your Cybersecurity Risk Reporting with the New Requirements
Comprehensive Incident Response Plan: Develop a robust incident response plan that outlines procedures for assessing, reporting, and mitigating cybersecurity incidents. Ensure that the plan addresses both immediate response and long-term recovery efforts.
Impact Assessment Framework: Establish a framework for assessing the impact of cybersecurity incidents on various aspects of the business, including operations, finances, and reputation. This will facilitate the materiality assessment required for disclosure.
Board Engagement and Oversight: The SEC highlights the role of the board of directors in overseeing cybersecurity risk management. Boards are expected to be actively engaged in understanding and addressing cybersecurity risks, ensuring that appropriate measures are implemented and reported. This places cybersecurity squarely within the realm of corporate governance and strategic decision-making.
Forward-Looking Disclosures: Incorporate forward-looking disclosures in cybersecurity risk reporting. Share insights into potential future risks, the organization’s preparedness to address them, and the anticipated impact on operations.
Training and Awareness: Conduct training programs to educate employees, especially executives, about the importance of cybersecurity risk reporting, insider trading prevention, and compliance with disclosure requirements.
The new Final Rule represents a significant evolution in the SEC’s approach to cybersecurity disclosure. While the Final Rule is not effective immediately, companies should ensure that they have robust disclosure controls and processes in place now to withstand any scrutiny should a breach occur.