Senior Manager Holding a Financial Results Meeting with a Group of Fintech Investors and Partners. Diverse Team Celebrating Successful Year Over Year Profits, Cheering and Clapping Hands

Why new SEC cybersecurity rules require an integrated approach

New SEC cybersecurity rules require considerations related to risk management and strategy, governance and incident disclosure.


Executive summary

  • Compliance with the SEC’s new cyber disclosure rules requires an integrated approach between stakeholders to enhance policies, procedures and controls.
  • Establishing a materiality framework for cyber incidents will be a determining factor in a company’s ability to assess and disclose material incidents timely.
  • Internal audit can play a key role to drive compliance by performing an advisory-focused SEC disclosure readiness assessment.

The rules adopted by the U.S. Securities and Exchange Commission (the SEC or Commission) are intended to enhance and standardize disclosures by requiring registrants to timely report on cybersecurity incidents on Forms 8-K and 6-K and make disclosures about their cybersecurity risk management, strategy and governance in annual reports on Forms 10-K and 20-F.

 

What’s changed?

 

In 2011, the Division of Corporation Finance (the Division) issued interpretive guidance providing the Division’s views concerning operating companies’ disclosure obligations relating to cybersecurity (the 2011 Staff Guidance). In that guidance, the staff observed that “[a]lthough no existing disclosure requirement explicitly refers to cybersecurity risks and cyber incidents, a number of disclosure requirements may impose an obligation on registrants to disclose such risks and incidents,” and further that “material information regarding cybersecurity risks and cyber incidents is required to be disclosed when necessary in order to make other required disclosures, in light of the circumstances under which they are made, not misleading.”

 

In 2018, “[i]n light of the increasing significance of cybersecurity incidents,” the Commission issued interpretive guidance to reinforce and expand upon the 2011 Staff Guidance and to address the importance of cybersecurity policies and procedures, as well as the application of insider trading prohibitions in the context of cybersecurity (the 2018 Interpretive Release). The 2018 Interpretive Release noted that companies can provide current reports on Form 8-K and Form 6-K to maintain the accuracy and completeness of effective shelf registration statements, and it also advised companies to consider whether it may be appropriate to implement restrictions on insider trading during the period following an incident and prior to disclosure.

Why did the SEC issue more cyber guidance?

In considering the new rules, the SEC determined that current disclosure practices are varied and often mixed with other disclosures, making cyber disclosures difficult to find. Additionally, several current trends elevate the prevalence and potential severity of cybersecurity threats:

  • An ever-increasing share of economic activity is dependent on electronic systems, such that disruptions to those systems can have significant effects on registrants and, in the case of large-scale attacks, systemic effects on the economy as a whole. 
  • There has been a substantial rise in the prevalence of cybersecurity incidents, propelled by several factors, including:
    • The increase in remote work spurred by the COVID-19 pandemic
    • The increasing reliance on third-party service providers for information technology services 
    • Rapid monetization of cyber attacks facilitated by ransomware, black markets for stolen data and crypto-asset technology
  • The costs and adverse consequences of cybersecurity incidents to companies are increasing; such costs include business interruption, lost revenue, ransom payments, remediation costs, liabilities to affected parties, cybersecurity protection costs, lost assets, litigation risks and reputational damage.

What’s new in the SEC cybersecurity rules?

All SEC registrants must provide cybersecurity disclosures regarding cybersecurity risk management, strategy and governance beginning with annual reports for fiscal years ending on or after December 15, 2023, and incident reporting after December 18, 2023 (see Appendix A for further summary of the disclosure requirements). Below we discuss the rules and our insights about what is “new” from an SEC perspective. Under the new ruling, disclosures are required in annual reports (e.g., governance, risk and policy disclosures in the Form 10-K or Form 20-F) or current reports (e.g., incident reporting in Form 8-K or 6-K); therefore, policies, processes and controls are required to be defined and documented to support disclosure controls and procedures requirements in accordance with Section 302 of the Sarbanes-Oxley Act (SOX).

Key questions: considerations for board and executive management

Diverse group of smiling businesspeople working together over a laptop during a meeting in the boardroom of a modern office
1

Chapter 1

Governance

Review what the rules say and key insights and observations with respect to governance.

What the rules say regarding governance

With respect to governance, registrants are required to disclose:

  • The board’s role in overseeing risks from cybersecurity threats
  • The board committee or subcommittee that oversees cybersecurity risks, if applicable, and the processes by which the committee is informed about such risks
  • Management’s role in assessing and managing material risks from cybersecurity threats, including whether certain management positions or committees are responsible for assessing and managing cybersecurity risk and their relevant expertise 
  • The processes by which management is informed about and monitors the prevention, detection, mitigation and remediation of cybersecurity incidents, including whether management reports information about such risks to the board

Insights and observations regarding governance 

We have observed that many companies have expanded their cyber governance disclosures over the last several years. Accordingly, some companies may have well-established governance practices and policies with respect to cybersecurity and require only incremental changes to meet the explicit disclosure requirements under the new SEC rules. However, the preparation and reporting of additional disclosure is subject to a company’s disclosure controls and procedures. As a result, we believe companies may reconsider their existing governance policies and procedures to determine potential gaps against governance leading practices and opportunities to enhance their written controls and policies. These considerations may entail the following:

  • Depending on who is responsible for board oversight, board charters may require updating to specify the committee’s responsibilities and role in providing oversight to the organization.
  • Companies may reconsider the frequency with which management reports to the board and related committees. For example, reporting quarterly to the audit and risk committee and annually to the board is common in practice. 
  • Management may consider including the following in its board materials to help the board provide effective oversight:
    • Overview of the cybersecurity organization 
    • Annual risk assessment process and outcomes, including the risk mitigation strategies for material risks
    • Security trends
    • Cybersecurity control effectiveness
    • Major security initiatives
    • Material incidents, impact and related remediation plans
    • Security awareness training program 
    • Results of phishing tests
    • Cybersecurity metrics dashboard
    • Results of external assessments and benchmarking
  • Because companies are required to disclose “management’s role in assessing and managing material risks from cybersecurity threats, including whether certain management positions or committees are responsible for assessing and managing cybersecurity risk and their relevant expertise,” companies may consider the organizational structure and operating model for those involved in cybersecurity broadly (e.g., beyond the IT organization, finance and legal).
  • Because companies are required to disclose the “process for informing management about prevention, detection, mitigation and remediation of cybersecurity incidents,” written policies and procedures in these areas are recommended.

Policies, procedures and controls

  • Companies need to consider the policies they have in place to support the disclosures, such as those included in NIST 800-53 or ISO 27001. 
  • As it relates to employees, companies may consider updating their codes of conduct and whistle-blower/speak up policies to make sure they specify requirements for employees to report incidents, including a definition of what reporting is required under certain scenarios. 
  • To support completeness of incidents, companies may consider updating their disclosure committee charters to incorporate cyber incident reporting into the responsibilities of executive management and through the representation letter process that supports current SOX Section 302 controls. As companies review the defensibility of their cybersecurity programs and management’s responsibilities for controls and procedures under Section 302, considerations around documenting execution protocols, including roles and responsibilities, for all relevant policies are critical for compliance. 
  • Companies may consider enhancing entity-level controls by incorporating specific cybersecurity language into each entity-level control that aligns to each COSO principle. Some common examples may include:
    • Enhancing the disclosure committee entity-level control to incorporate cybersecurity considerations
    • Enhancing the code of conduct and whistle-blower/speak up program to incorporate cybersecurity considerations
    • Formalizing a control around the annual tabletop incident response exercise
    • Enhancing the control over policy governance to include cybersecurity policies
    • Including the cybersecurity risk assessment into the overall risk management framework and related controls
Focused skilled african ethnicity female business trainer educating interested diverse managers at meeting in office. Smiling multiracial employees listening to mixed race leader or coach indoors.
2

Chapter 2

Risk management

Review what the rules say and key insights and observations with respect to risk assessment.

What the rules say regarding risk management

With respect to risk management and strategy, registrants are required to disclose:

  • The processes, if any, to assess, identify and manage risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes, including: 
    • Whether and how any such processes have been integrated into the registrant’s overall risk management system or processes
    • Whether the registrant uses assessors, consultants, auditors or other third parties in connection with such processes 
    • The processes in place, if any, to oversee and identify risks related to the use of third-party service providers
  • Whether risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect their business strategy, results of operations or financial condition

Insights and observations regarding risk management

Many organizations have robust risk assessment programs to identify, assess, mitigate and monitor cybersecurity threats. We have compiled a few observations and related insights as registrants consider how to prepare for compliance and beyond:

  • Even though the rules say registrants must disclose “the processes, if any,” when referring to the registrant’s risk assessment process for cybersecurity threats, we believe that performing a risk assessment creates a more defensible mechanism to determine how resources are allocated to preventive, detective and mitigating activities by both management and the board. Without narrowing down the potential population of cybersecurity threats to those that are the most critical, there may be an inappropriate and unreasonable expectation from stakeholders about the breadth and depth of preventive, detective and mitigating activities and the allocation of resources to these activities. This is consistent with the SEC’s views in several areas, including the application of internal controls over financial reporting where the level of evidence required for these controls is based on risk.
  • Organizations may want to reconsider their risk management methodology and choose a standard framework for identifying, assessing, mitigating and monitoring risks, aligned with COSO or another acceptable framework. 
  • Because the rules require companies to disclose risks from cybersecurity threats that are “reasonably likely to materially affect their business strategy, results of operations or financial condition,” companies may need to validate that the framework they use to define the potential severity of risks aligns with the SEC’s definition of materiality (e.g., vulnerability management assessment).
  • From an external audit perspective, the auditor has a responsibility to read the disclosures and understand them. External auditors also need to make sure there is nothing in the disclosures that contradicts their understanding and what is documented in audit workpapers. However, the audit opinion does not directly cover the disclosure.
Young professionals having a discussion at a meeting in a modern office building
3

Chapter 3

Incident disclosure

Review what the rules say and key insights and observations with respect to incident disclosure.

What the rules say regarding incident disclosure

The rules state that what constitutes materiality for purposes of determining whether an incident must be reported in a Form 8-K is consistent with the Supreme Court’s definition of materiality,¹ and registrants need to thoroughly and objectively evaluate the total mix of information, taking into consideration all relevant facts and circumstances of the cybersecurity incident, including quantitative and qualitative factors.

The rules expand the definition of “cybersecurity incident” to include “a series of related unauthorized occurrences,” which reflects the fact that cyber attacks sometimes occur over time (see Appendix B for SEC cybersecurity definitions). The rules say that the Form 8-K requirement could be triggered even if the material impact to the registrant is caused by a series of individually immaterial related cyber attacks.

Insights and observations regarding incident disclosure

Many organizations have cyber incident reporting programs to identify, assess, mitigate and monitor cybersecurity threats. However, in 2020, of the 74,098 Form 8-K filings involving 7,021 filers, only 40 filings reported material cybersecurity incidents. Below we have compiled observations and related insights as registrants consider how to prepare for compliance and beyond:

As companies consider developing or refining their materiality assessment and reporting processes, they may consider the following:

  • Assembling the right cross-functional team (IT, finance, legal, etc.) and defining key roles and responsibilities
  • Leveraging existing materiality policies or practices, if any, and/or other materiality framework tools
  • Documenting policies and process flows as part of the organization’s disclosure controls and procedures — having a well-established understanding of how materiality assessments will be conducted will be critical for companies to comply with the new rules
  • Designing a process to identify incidents, including defining “related” unauthorized occurrences to track and monitor for materiality
  • Updating or establishing incident reporting policies and procedures with established criteria, including defining the severity of incidents and implementing processes for escalating to management to make timely materiality decisions
  • Establishing quantitative and qualitative factors (e.g., cost categories) necessary to make materiality assessments, including necessary data inputs and assumptions to make estimates
  • Implementing processes to accumulate the necessary information to timely report incidents within four business days

Materiality assessments may be challenging for companies, and frameworks may need to be developed to consider:

  • The total mix of information, perhaps including qualitative and quantitative factors, such as those included in Staff Accounting Bulletin No. 99 
  • Direct and indirect costs of the incident, including remediation, downtime, insurance, brand, reputational impact, intellectual property loss, and the internal and external costs associated with the investigation itself

What constitutes materiality for purposes of determining whether an incident must be reported in the Form 8-K would be consistent with the Supreme Court’s definition of materiality. This would include considering whether an incident is material because “there is a substantial likelihood that a reasonable shareholder would consider it important” in making an investment decision, and/or if it would have “significantly altered the ‘total mix’ of information available.”

The SEC noted that Form 8-K Item 1.05 does not specify whether the materiality determination should be performed by the board, a board committee, or one or more officers. The company may establish a policy tasking one or more persons to make the materiality determination. Companies should seek to provide those tasked with the materiality determination information sufficient to make disclosure decisions. Many organizations are considering establishing cross-disciplinary evaluation or other committees that consider the materiality of information, and these committees would participate in these assessments, along with cybersecurity specialists and external securities counsel.

As companies think about qualitative considerations for materiality, one or more of the following qualitative examples may trigger filing a material cybersecurity incident Form 8-K with the SEC: 

  • Press release(s) describing the incident and/or impacts
  • Ransom payment
  • Notified by law enforcement or a third party of loss of information or control (e.g., FBI)
  • Notification of board by management 
  • Notification to regulatory authorities 
  • Customer notification(s)
  • Supplier notification(s) (e.g., a key supplier discloses a material event and the company’s investors know the company is highly reliant on the supplier) 
  • Impaired ability to produce a product or deliver a service over a period of time due to the breach
  • Competitive advantage lost or damaged, even if only temporarily
  • Reputational or brand risk

Companies may find the requirement to report “a series of related unauthorized occurrences” challenging because the rule does not define “related.” Companies may need to develop a process to track individually immaterial related incidents over an undefined period and identify controls over that process to make sure they are reporting all cybersecurity incidents subject to the rule. If a registrant concludes that an incident is immaterial, it should have processes and controls in place to confirm that the immaterial incident is not related to prior incidents.

 

The SEC stated in the adopting release that adhering to normal internal practices and disclosure controls and procedures will suffice to demonstrate good faith compliance with the “without unreasonable delay” provision. However, if a registrant revised its existing incident response policies and procedures, changed the criteria required to report an incident to management or committees, or introduced other steps to delay the materiality determination or disclosure, that would constitute an unreasonable delay.

 

Registrants are not exempt from providing disclosures regarding cybersecurity incidents on third-party systems they use. Depending on the circumstances of an incident that occurs on a third-party system, disclosure may be required by both the service provider and the customer, or by one but not the other, or by neither. 

 

The SEC recognizes that companies may have reduced visibility into third-party systems, and thus, registrants should make their disclosures based on the information available to them.

The final rules generally do not require that registrants conduct additional inquiries outside of their regular channels of communication with third-party service providers pursuant to those contracts and in accordance with registrants’ disclosure controls and procedures. However, companies may want to consider performing scans of contractual terms around cyber incident reporting to inform future contractual requirements. Additionally, they may want to consider how they communicate with third-party service providers (i.e., what information about incidents they receive and when).

 

Registrants should also consider whether their third-party providers are nonpublic entities and how they may be gathering data for incident reporting since they aren’t subject to reporting under the final rules. 

Many companies currently only track cyber incidents related to their IT vendors and will want to consider a more holistic evaluation of cyber risks for all vendors.

Companies may consider performing a “tabletop” exercise to validate their incident response across several scenarios. Such exercises should incorporate a cross-functional team, including legal, finance and IT, to help stakeholders understand their roles and responsibilities in the event of an incident. Formalizing this exercise into an annual control that can be evaluated and tested by internal audit is a leading practice.

Diverse Modern Office: Successful Black Female Digital Entrepreneur Uses TV Screen with Big Data, Statistics, Talks about Company Growth, Discusses Strategy with Investors, Top Managers, Executives
4

Chapter 4

Internal audit’s role

Due to the short time frame to comply, the nature of internal audit’s involvement for 2023 will likely be advisory in nature.

We are seeing internal audit (IA) departments developing advisory programs to assess the readiness of management’s program for all required areas to assess the design of the program and provide findings related to compliance this year and recommendations for future periods. The output may include an assessment of the current state design, a prioritized list of recommendations, a risk control matrix to document current and future state operational and reporting controls, and an RACI (responsible, accountable, consulted and informed) matrix to help management better define roles and responsibilities across functions and within the consolidated group. As all SEC registrants must provide cybersecurity disclosures beginning with annual reports for fiscal years ending on or after December 15, 2023, IA departments performing a readiness assessment should begin procedures as quickly as possible. IA departments should make sure assessments are completed timely enough to allow management to implement recommendations before the ruling takes effect.

We believe this is a leading practice to support management as they work through the requirements. Additionally, it provides the opportunity for the IA department to suggest better practices to implement over time to enhance the program’s defensibility.

Appendix A – Summary description of the disclosure requirements

Item

Summary description of the disclosure requirements

Regulation S-K Item 106(b) — Risk management and strategy

Registrants must describe their processes, if any, for the assessment, identification and management of material risks from cybersecurity threats, and describe whether any risks from cybersecurity threats have materially affected or are reasonably likely to materially affect their business strategy, results of operations or financial condition.

Regulation S-K Item 106(c) — Governance

Registrants must:

  • Describe the board’s oversight of risks from cybersecurity threats.
  • Describe management’s role in assessing and managing material risks from cybersecurity threats. 

Form 8-K Item 1.05 —Material Cybersecurity Incidents

Registrants must disclose any cybersecurity incident they experience that is determined to be material, and describe the material aspects of its:

  • Nature, scope and timing
  • Impact or reasonably likely impact on the registrant, including its financial condition and results of operations

An Item 1.05 Form 8-K must be filed within four business days of determining an incident was material. A registrant may delay filing as described below, if the US Attorney General determines immediate disclosure would pose a substantial risk to national security or public safety.

Registrants must amend a prior Item 1.05 Form 8-K to disclose any information called for in Item 1.05(a) that was not determined or was unavailable at the time of the initial Form 8-K filing. 

Form 20-F

Foreign private issuers (FPIs) must:

  • Describe the board’s oversight of risks from cybersecurity threats.
  • Describe management’s role in assessing and managing material risks from cybersecurity threats.

Form 6-K

FPIs must furnish information on material cybersecurity incidents promptly on the Form 6-K if the information is (1) distributed to stockholders or to a national exchange (if the information is made public by that exchange) or (2) required to be made public under the registrant’s domestic laws.

Appendix B – SEC cybersecurity definitions

Cybersecurity incident

Cybersecurity threat

Information systems

A cybersecurity incident means an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity or availability of a registrant’s information systems or any information residing therein.

A cybersecurity threat means any potential unauthorized occurrence on or conducted through a registrant’s information systems that may result in adverse effects on the confidentiality, integrity or availability of a registrant’s information systems or any information residing therein.

Information systems mean electronic information resources, owned or used by the registrant, including physical or virtual infrastructure controlled by such information resources, or components thereof, organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of the registrant’s information to maintain or support the registrant’s operations.

Special thanks to Andrea Craig, Dan S. Helwing , Kyle D. Brunell and Jason Jacko for contributions to this article.


Summary 

Even companies with highly mature cybersecurity and disclosure processes likely have some work to do to fully comply with the new rules. SEC registrants should start their readiness journey by conducting a cross-functional readiness session with their executive management team to inform on the rules, validate the current state and align on next steps. Then, companies must move quickly to enhance policies, processes and controls in order to disclose on cyber beginning with annual reports for fiscal years ending on or after December 15, 2023.

About this article

Related articles

Cybersecurity oversight disclosures: what companies shared in 2024

See how cybersecurity-related disclosures have changed since 2018 and what boards are doing to enhance cybersecurity risk oversight.

Reflecting on RSA: how cyber leaders are responding to hot topics

Listen to EY leaders respond to concerns about increasing cyber threats.

Why cybersecurity should be required reading for higher education

Following a full cybersecurity assessment, a university lands on a solution that can identify, triage and manage data risks.

    Contact us
    Like what you’ve seen? Get in touch to learn more.