EXPEL BLOG

Addressing the new SEC cyber incident disclosure rules

· 2 MIN READ · GREG NOTCH · JUL 28, 2023 · TAGS: MDR

New SEC requirements that publicly traded companies disclose breaches within four days, as well as details about board-level cyber risk management, are going to bring new visibility and challenges to security leaders.

The Securities and Exchange Commission (SEC) recently announced new requirements for publicly traded companies to disclose information about their cybersecurity programs to investors. Perhaps the most controversial of these is a requirement to disclose cyberattacks within four days of determining they’re “material incidents.” In this context, “material incidents” are defined as “those that a public company’s shareholders would consider important in making investment decisions.”

You can read the full text of the SEC guidelines, which take effect December 30, 2023, at sec.gov. [fact sheet]

More about the new regulations

The new regulations center on three major requirements:

  • Incident disclosures: The disclosure should detail the “nature, scope, timing, and…material impact of the incident.”
  • Risk management: Companies must explain their processes for “assessing, identifying, and managing material risks” so a reasonable investor could clearly understand them.
  • Governance: Companies must annually “disclose the board’s oversight and management’s role in assessing and managing material risks from cybersecurity threats,” as well as outline how the board is kept informed.

Incident disclosures require:

  • The date of discovery and status of the incident (ongoing or resolved)
  • A concise description of the incident’s nature and extent
  • Any data that may have been compromised, altered, accessed, or used without authorization
  • The impact of the incident on the company’s operations
  • Information about ongoing or completed remediation efforts by the company

The SEC’s intent is to safeguard investor interests. Delayed or incomplete incident reporting “can result in mispricing of securities, which in turn can be exploited by threat actors, employees, related third parties, and others through trades made before an incident becomes public.”

Expel’s analysis

We expect the SEC rules to increase the burden on security leaders at publicly traded companies.

  • Keeping the board informed has always been important, but the tight four-day window is going to force a leveling up of rapid incident response and internal communications around security incidents.
  • Investor relations teams will need to quickly get up to speed on the nuances of cybersecurity incidents, and legal teams will need to be able to promptly turn around communications to both regulatory bodies and shareholders.
  • There are open questions around the definition of materiality. Companies may not be certain what they should report. Given potential risks to brand and reputation, there may be an inherent temptation to err on the side of non-disclosure, but regulatory consequences of under-reporting could include lawsuits and consent decrees. Reliable, informed counsel will be essential.
  • The security team will need to understand the complete scope of any incident to fully and accurately report it to the board and assist in crafting the disclosure. However, at the same time they’ll be working to remediate the incident, which could have the effect of splitting focus and exacerbating resource issues on security operations teams.

How Expel can help

Generally, Expel can help provide timely and specific technical details when an incident occurs. This information is critical to security and company leadership in quickly determining materiality and drafting a disclosure.

  • Expel’s incident severity assessment capabilities can assist in determining materiality.
  • Findings reports are built to be easily comprehensible, even to non-security professionals. Our remediation and root cause analyses (included in the basic findings report) are tailor-made for this type of exercise: a PDF of the incident findings page already addresses four of the five requirements for SEC disclosure.

In short, the new rules may add some new requirements and time constraints for security operations teams, but Expel is here to help. Our in-depth investigative and response capabilities position us to help organizations meet these requirements. If you’d like to discuss your process for addressing the SEC’s latest regulations, drop us a line.