In a matter of months, public companies will have several new rules to follow with respect to cybersecurity incident reporting. Broadly speaking, the SEC’s proposed rules changes focus on ensuring the availability and comparability of public company disclosures across industries.
Once enacted, these rules will likely provide greater transparency, clarity, and measurability for executives, shareholders, employees, customers, and regulators alike, while also helping ensure that all parties are on the same page when it comes to some of the most important cybersecurity decisions and management strategies an organization can make. While beneficial in the long run, these rules changes will be felt most significantly in the short term at a time when cybersecurity budgets are being cut and resources are being stretched. Perhaps most significantly, public companies will – beginning May 1 – be required to notify the Securities and Exchange Commission (SEC) (via Form 8-K) “within four business days after the registrant determines that it has experienced a material cybersecurity incident.”
The new rules would also affect previously disclosed incidents. In these cases, registrants would be required to amend Forms 10-Q and 10-K with updated disclosure statements. Further, registrants would also be required to amend these forms “to the extent known to management, when a series of previously undisclosed individually immaterial cybersecurity incidents has become material in the aggregate.”
At present, the SEC considers information to be “material if there is a substantial likelihood that a reasonable investor would consider it important in making an investment decision or if the information would significantly alter the total mix of information made available.”
This rules, which were penned by the SEC last year and have since gone through two public comment periods also requires public companies, among other things, to disclose:
• Its policies and procedures for identifying and managing cybersecurity risks, especially the risks associated with its use of any third-party service providers;
• Management’s role in implementing cybersecurity policies and procedures, including board of directors’ oversight of cybersecurity risks;
• Management’s role and relevant expertise in assessing and managing cybersecurity risks and implementing related policies, procedures, and strategies; and
• Its Board of Directors’ cybersecurity expertise, if any, and its oversight of cybersecurity risk.
Prior to the issuance of the SEC’s Staff Guidance in 2011 and its 2018 Interpretive Release, there was no existing explicit cybersecurity incident disclosure requirements. Since 2011, the SEC has required public companies to disclose “material information regarding cybersecurity risks and cyber incidents … when necessary, in order to make other required disclosures.” So, while many of these new rules are a necessary, positive, and logical next step toward greater transparency around the cybersecurity practices of the business community, it will likely be a drain on your existing resources, including your personnel. Is your organization currently prepared or equipped to keep up? Now is the time to figure out the answer to this question.
To quickly meet the new strict timeframe, Fortalice first recommends that all effected organizations review all the proposed rules: https://www.sec.gov/rules/proposed/2022/33-11038.pdf. You can also review the SEC’s fact sheet and comments that the commission received regarding the proposed rule.
Additionally, we strongly urge you to take a comprehensive review of your incident response plans (IRPs) to determine your organization’s current cybersecurity event reporting requirements. These requirements include your mandatory reporting timeframe, who you’re reporting to, and what information you must share.
If these new rules and their various requirements have your head spinning and you need more thorough guidance, the Fortalice team is at your service:
• Updating Incident Response Plans: Our Custom Solutions team is highly skilled in weaving policy requirements into our clients’ incident response plans, so you’ll never be concerned that your organization is missing the mark with one of the government’s latest rules or requirements.
• Test Your Incident Readiness: The Fortalice Strategic Communications team is ready to help you test out your updated IRPs through tailored tabletop exercises that fit your organization’s ever-expanding and continuously evolving security needs.
• Provide More Detailed Overview: Working together, our Custom Solutions and Strategic Communications teams can provide a more detailed analysis of the proposed new rules as well as an assessment of how each rule stands to affect your organization and its resources.
For additional information on Fortalice Solutions service offerings, contact the team via email at watchmen@fortalicesolutions.com.