
Illustration by iStock

SEC Adopts New Cyber Incident Disclosure, Transparency Requirements for Registrants

The U.S. Securities and Exchange Commission (SEC) adopted final rules Wednesday that require registrants to disclose material cybersecurity incidents within four business days and be more transparent about their cybersecurity posture.

The requirements are part of the SEC’s Final Rule: Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, which was originally proposed in March 2022. It creates new cybersecurity requirements for SEC registrants—organizations that are subject to the reporting requirements of the Securities Exchange Act of 1934.

“Whether a company loses a factory in a fire—or millions of files in a cybersecurity incident—it may be material to investors,” said SEC Chair Gary Gensler in a statement. “Currently, many public companies provide cybersecurity disclosures to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”

Matthew Modica, CEO at cybersecurity consultancy Sabertooth Cyber, spoke at the RSA Conference in April 2023 about the impending SEC rules, which he did not anticipate would be adopted until later in the year. In a follow-up interview with Security Management, he says he is pleasantly surprised that the SEC adopted the rules this week.

“Many of the rule requirements are reasonable in my view and will help level the playing field and help investors and other company stakeholders understand what cyber risks a company is facing,” Modica adds. “In other words—transparency is good for company stakeholders. There will, however, be additional burden on compliance, legal, and cybersecurity teams to ensure that the rules are followed and that there is a documented rationale as to what has been disclosed and what may not be disclosed.”

What Do the New Rules Require?

First, there are three key definitions for understanding the new SEC rules:

  1. Cybersecurity Incident. An unauthorized occurrence—or occurrences—conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or information residing on them.

  2. Cybersecurity Threat. Any potential unauthorized occurrence on or conducted through a registrant’s information systems that could result in adverse effects on the confidentiality, integrity, or availability of a registrant’s information systems or information residing on them.

  3. Information Systems. Electronic information resources, owned or used by the registrant to organize, collect, process, maintain, use, share, disseminate, or dispose of their information to maintain or support operations.

Under the new rules, registrants are required to disclose any cybersecurity incident they determine to be material under a new Form 8-K item (Item 1.05). They must describe the material aspects of the nature, scope, and timing of the incident, along with the material impact—or reasonably likely material impact—of the incident on the company, including its financial condition and results of operations.

The SEC defines information as material if “there is a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision, or if it would have ‘significantly altered the total mix of information made available.’” If in doubt about whether information is material, the SEC says the relevant information should be “resolved in favor of those the statute is designed to protect, namely investors.”

The disclosure requirement, however, does not extend to “specific, technical information about the registrant’s planned response to the incident or its cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail as would impede the registrant’s response or remediation of the incident,” according to the rule.

Registrants are required to make this disclosure within four business days of determining that the incident is a material one. Disclosure can be delayed if the U.S. attorney general determines that the immediate disclosure of the incident would pose a “substantial risk to national security or public safety and notifies the [SEC] of such determination in writing,” according to an SEC fact sheet. “If the attorney general indicates that further delay is necessary, the commission will consider additional requests for delay and may grant such relief through possible exemptive orders.”

Along with the disclosure requirements, the new SEC rules mandate that registrants share their processes for assessing, identifying, and managing material risks from cybersecurity threats. This will require registrants to disclose whether risks from cybersecurity threats have materially affected or are reasonably likely to affect them.

Additionally, registrants will be required to describe their board of directors’ oversight of risks from cybersecurity threats, along with management’s expertise and role in assessing and managing material risks from cybersecurity threats.

Foreign private issuers will also be required to disclose material cybersecurity incidents, as well as share their cybersecurity risk management, strategy, and governance. These issuers are generally companies headquartered outside the United States but that operate and conduct business within the United States.

Why Now?

The SEC has been evaluating this new rule set for some time. In March 2022, the commission proposed the new rules after observing that cybersecurity incidents and threats pose an ongoing and escalating risk to public companies, investors, and market participants.

The SEC “noted that cybersecurity risks have increased alongside the digitalization of registrants’ operations, the growth of remote work, the ability of criminals to monetize cybersecurity incidents, the use of digital payments, and the increasing reliance on third party service providers for information technology services, including cloud computing technology,” according to the fact sheet. “The commission also observed that the cost to companies and their investors of cybersecurity incidents is rising and doing so at an increasing rate. All of these trends underscored the need for improved disclosure.”

An increasing rate is putting it lightly, since the average cost of a data breach has now reached an all-time high of $4.45 million per incident, according to IBM Security’s annual Cost of a Data Breach Report.

The report assessed 553 organizations impacted by data breaches between March 2022 and March 2023. It found that the average cost of a data breach rose 2.3 percent from 2022 ($4.35 million), and 15.3 percent from 2020 ($3.86 million).

Costs have been especially high for the healthcare industry—increasing 53 percent since 2020 to reach an average of $10.93 million per incident. Part of the reason for the rising cost is that healthcare companies have been in the crosshairs of threat actors since the COVID-19 pandemic, says Jennifer Kady, vice president, IBM Security.

“Threat actors take the path of least resistance. Across industry today, healthcare has been one of the slowest to harden defenses,” Kady adds. “Cybercriminals are exploiting the sensitivity of healthcare records by making stolen data more accessible to downstream victims. With medical records as leverage, threat actors amplify pressure on breached organizations. Customer PII was the most commonly breached record type—52 percent of breaches across all industries had customer PII data. It was also the costliest.”

What Are the Next Steps?

The final rules become effective 25 August 2023, with staggered dates for when registrants must begin filing the new disclosures with the SEC. The risk management, strategy, and governance disclosures are required in annual reports for fiscal years ending on or after 15 December 2023. Cybersecurity incident disclosures for all registrants other than smaller reporting companies must begin 90 days after the final rules are published in the Federal Register or on 18 December 2023, whichever is later.

To prepare for compliance, companies that do not have a formal process to evaluate and monitor cybersecurity should establish one now, Modica says.

“This could simply be an extension or modification of their existing risk management processes, or a new process focused on cybersecurity risk,” he adds. “If an organization has a formal cybersecurity program, this assessment process likely already exists but may not be visible or reported to the right management team members. Organizations should evaluate existing processes and ensure the right management team members are made aware of high risks and have structured process around how and when they treat those risks.”

Modica also advises getting to know board members and understanding their backgrounds and challenges, so that their cybersecurity literacy can be improved as the new rules go into effect.

“I would also recommend having a consistent board level update that provides the quantitative and qualitative metrics desired by the board, the key material cybersecurity risks, and what you’re doing about them,” he explains. “Many executives struggle to develop the right message that will resonate with the board and sometimes with the management team. This is where a cybersecurity experienced board member or board advisor comes into play to accelerate a company’s capability in this area.”

While it remains to be seen what effect the new rules will have on registrants’ cybersecurity posture, they could potentially increase the costs of remediating a data breach.

Analysis from the annual IBM report shows that data regulation has led to longer-tail breach costs: organizations in lower-regulation environments took on nearly two-thirds of their data breach costs in the first year, compared to high-regulation environments, where organizations took on less than half of their data breach costs in the first year, Kady explains.

“The report found that noncompliance with regulations was also a top three cost amplifier,” Kady says. “Organizations with a high level of noncompliance with regulations showed an average cost of $5 million—exceeding the average cost of a data breach by $560,000.”

Another stark finding from the 2023 report is that just 51 percent of organizations that experienced a data breach increased their security investments after the breach, while 57 percent passed the costs of the breach on to consumers.

This dynamic could shift in the future as consumers become unwilling to accept higher prices.

“Many organizations don’t reduce prices after the breach bill is paid,” Kady explains. “We’re seeing some businesses reinvest those profits into better security measures. And longer term we may see more businesses start to factor the cost of security into the price of goods and services proactively—not just after a breach.

“Just think about the airline industry’s response to soaring gas prices,” she continues. “Passengers were charged for luggage to cover the higher costs, and they’re still paying extra for luggage today. It’s about finding the right balance. There’s a limit to how much consumers are willing to pay.”