Webcheck Security is often called upon by organizations that need to comply with SEC cyber regulations, New York State Financial Cyber Regs, and many more. This article presents important new SEC financial cyber rules which may be applicable to your organization.

New rules have been proposed by the Securities Exchange Commission (SEC) whereby companies would be required to disclose significant information regarding cybersecurity incidents as well as security preparedness. Under the proposed rules, companies would specifically have to disclose: (i) material instances of cybersecurity incidents; (ii) information about the organization's security strategy, risk management, and governance; and (iii) whether any member of the board of directors possesses cybersecurity expertise.

In line with guidance published by the SEC in 2011 and 2018, many companies are currently disclosing a portion of the required information; however, the motivation behind issuance of new rules is that the SEC analysis indicates underreporting, inconsistent information in reports, and late reporting continue to be widespread issues. The SEC aims to reduce such issues. The new rules would address the needs of investors and other market participants related to timeliness, consistency, and standardization of content in reporting around cybersecurity incident response, governance, risk management, and leadership teams' cybersecurity knowledge. [1]

Regarding the mandatory disclosure of material cyber security incidents and ongoing disclosure of historical incidents, the SEC has proposed the addition of Item 1.05 to Form 8-K (current reports). This item will require public companies to disclose critical information elements within four business days after confirmation of material cyber security events. The SEC has expressed the desire for the rule to be "construed broadly" and that any unintentional data leakage or exposure would be included. Additionally, the SEC proposed an amendment to Forms 10-Q (quarterly reports) and 10-K (annual reports), by which public companies would be required to provide updated disclosures relating to historical material cybersecurity incidents; they would also require public companies to disclose instances in which a sequence of separate, immaterial incidents have become material as they have been aggregated.

Companies will be required to confirm materiality "as soon as reasonably practicable after discovery of the incident"; however, no penalties are specified for lack of compliance, and no language about set metrics is included, either. Safe Harbor provisions would cover the untimely filing of incidents on Form 8-K and companies would not see a loss of Form S-3 or Form F-3 eligibility for failure to comply.

The SEC stated that "materiality" is to be determined according to current SEC principles, whereby information is material if "there is a substantial likelihood that a reasonable investor would attach importance in determining whether to purchase the security registered." A "cybersecurity incident" would be defined as "an unauthorized occurrence on or conducted through a registrant's information systems that jeopardizes the confidentiality, integrity, or availability of a registrant's information systems or any information residing therein." The existing SEC definition of "material" in 17 C.F.R. § 230.405 will not change.

Regarding the disclosure of governance, strategy, and risk management information, the proposed additions include new Item 106 on Form 10-K (annual reports). These require disclosures regarding policies and procedures for cybersecurity risk management; governance, including board of directors' oversight role; and leadership involvement and expertise in managing cybersecurity-related risks, as well as forming appropriate strategies and implementing policies and procedures. Other additions proposed are new Item 106(b) of Regulation S-K, requiring disclosure of policies and procedures to identify and manage cybersecurity risks, and new Item 106(c) of Regulation S-K, regarding board oversight of security risk and leadership involvement in security program management.

Regarding the mandatory disclosure of experience among members of the board of directors, the SEC proposed adding a new Item 407(j) of Regulation S-K, whereby companies would be required to identify members of the board having cybersecurity expertise, as well as the nature of that expertise. The final rules may well differ from those proposed, as the organization requested and is expected to have received a fair number of comments from the industry. The SEC stated that with the average time between proposed rule publication and finalization is around 450 days, meaning the SEC is unlikely to issue final regulations this year.

If your organization requires assistance complying with cyber regulations contact Webcheck Security.

Sources:

1] https://www.sec.gov/rules/proposed/2022/33-11038.pdf