It feels like businesses today are constantly bombarded with digital threats, and with these threats come inherent risks to your company and stakeholders. Understanding and adhering to cybersecurity regulations in this environment is increasingly crucial for businesses, especially publicly traded companies. Recently, the U.S. Securities and Exchange Commission (SEC) made significant changes to its rules, requiring public companies to be more transparent about their cybersecurity incidents and management strategies. In this article, we break down these changes and offer guidance on how you can protect your organization in this new regulatory environment.*
A Brief Overview of the New SEC Rules
The SEC adopted rules enhancing disclosure requirements for public companies regarding cybersecurity on July 26, 2023. This move follows a period of public comment and review that began in March 2022. Key aspects of these new rules include:
- Form 8-K Amendments – Publicly traded companies must now disclose significant cybersecurity incidents within four business days of recognizing their materiality. This includes outlining the nature, scope, timing, and potential impact of the incident on the company’s financial health and operations.
- Form 10-K and Regulation S-K Amendments – These amendments require public companies to disclose their processes for identifying, assessing, and managing cybersecurity risks. The focus here is on the involvement of management and the board of directors in overseeing these risks.
- XBRL Tagging – After a certain implementation period, these disclosures must be presented in Inline XBRL format, enhancing data accessibility and analysis.
Materiality of Cybersecurity Incidents
“Materiality” is a pivotal concept in these new SEC cybersecurity disclosure rules. It refers to the significance of an incident in the eyes of a reasonable shareholder. This is a measure that should take into account both immediate and long-term effects on operations, finances, brand perception, customer relationships, and other factors. The SEC emphasizes that this evaluation should encompass both quantitative and qualitative factors.
Reporting Obligations and Exceptions
The obligation to report a cybersecurity incident is triggered not by the incident itself but by the company’s determination of its materiality. Companies subject to these rules are expected to make this determination promptly, without unreasonable delay. There are limited exceptions to this rule, like when disclosure poses a substantial risk to national security.
Protecting Your Business in Light of These Changes
Given these new SEC cybersecurity disclosure rules, it’s important to take the following steps to secure your business’s interests:
- Review Cybersecurity Processes – Evaluate and potentially update your cybersecurity risk management processes. This includes assessing how incidents are reported within the company and ensuring swift decision-making regarding materiality.
- Enhance Board and Management Involvement – Ensure your board of directors and management are actively involved in overseeing cybersecurity risks. This might involve assigning specific responsibilities to board committees like the audit committee.
- Understand Legal and Regulatory Interplays – Be aware of how these SEC requirements interact with other legal and regulatory standards related to cybersecurity and data privacy.
- Vet Third-Party Providers – Since the rules extend to incidents involving third-party systems, it’s crucial to evaluate and monitor the cybersecurity capabilities of your partners and vendors. This applies to all of your software vendors and should involve a careful evaluation of their data privacy practices.
Implementation Timeline for the New SEC Cybersecurity Disclosure Rules & Effective Date
Understanding the timeline for implementing these new rules is crucial for businesses to ensure compliance. Here’s a breakdown of the key dates and phases:
Compliance Deadlines for Form 8-K Reporting
- For public companies (excluding smaller reporting companies), the requirement to report cybersecurity incidents via Form 8-K will be mandatory by whichever comes later: 90 days after publication in the Federal Register or December 18, 2023.
- Smaller reporting companies will have an extended timeline and will need to comply with this requirement by whichever comes later: 270 days post-publication or June 15, 2024.
Form 10-K Disclosure Requirements
All public companies must include the new Item 106 disclosures in their first annual reports (Form 10-K) for fiscal years ending on or after December 15, 2023. This includes detailed information about the company’s cybersecurity risk management processes and strategies.
Inline XBRL Tagging
- The requirement for disclosures to be tagged in Inline XBRL will be phased in approximately one year after the effectiveness of the above disclosure requirements.
- For Form 8-K reports, this tagging requirement will apply to reports filed by whichever comes later: 465 days after the final rules are published in the Federal Register or December 18, 2024.
- For annual reports (Form 10-K), XBRL tagging will be necessary for any fiscal years ending on or after December 15, 2024.
Preparing for Compliance
To ensure readiness for these deadlines, it’s important to start preparing now. This preparation involves evaluating current cybersecurity processes, board and management roles, disclosure controls, and the impact of third-party providers like business analytics platforms and other software. Any software vendor is obligated to disclose how they use your data. For example, at LeadLander, we can proudly state that we don’t share your data with anyone. Many other business intelligence and website tracking tools cannot claim the same.
Given the detailed nature of these requirements and the importance of accurate reporting, businesses may also consider consulting with legal and cybersecurity experts to navigate this new regulatory landscape effectively.
Take This Opportunity to Improve Your Data Privacy Practices
The new SEC rules underscore the importance of transparency and proactive management in cybersecurity. For publicly traded companies, this means not only ensuring robust cyber defenses but also being prepared to promptly and effectively disclose incidents. By understanding and adhering to these new rules, you can better protect your business and maintain the trust of your shareholders and the larger public.
*Please note that this information is provided for informative and educational purposes only. This article should not be taken as legal advice or used as a substitute for such. Always consult a lawyer for professional legal guidance.