The SEC’s 2023 final rules on cybersecurity disclosures
Credit to Author: Doug Aamoth | Date: Thu, 05 Sep 2024 09:00:24 +0000
As part of its mission to protect investors and maintain efficient markets, the US Securities and Exchange Commission (SEC) released a new set of final rules[1] on July 26, 2023, which changed how publicly traded companies in the U.S. must disclose information about cybersecurity risks, governance, and incidents.
Specifically, the new rules require “disclosure of material cybersecurity incidents on Form 8-K and periodic disclosure of a registrant’s cybersecurity risk management, strategy, and governance in annual reports.”[2] The final rules are intended to provide investors with the timely, consistent, comparable, and decision-useful information that they need to make informed investment and voting decisions.[3]
These new rules became effective on September 5, 2023. Reporting requirements began on December 18, 2023. Smaller reporting companies had an extra 180 days to comply.
Need for the new cybersecurity disclosure rules
On December 14, 2023, Erik Gerding, Director, Division of Corporation Finance at the Securities and Exchange Commission gave a speech on the SEC’s final rules, where he noted that “threat actors repeatedly and successfully executed attacks on high-profile companies across multiple critical industries over the course of 2022 and the first quarter of 2023, causing the Department of Homeland Security’s Cyber Safety Review Board to initiate multiple reviews.”[4]
The SEC observed that the cost of cybersecurity incidents to companies and their investors has been rising. This was also reflected in Sophos’ fifth annual study of the real-world ransomware experiences of organizations across 15 industry segments around the globe, the “Sophos 2024 State of Ransomware” report.[5]
According to this report, 59% of organizations were hit by ransomware last year. The unabated incidence of ransomware attacks on organizations of all sizes inflicts millions of dollars in recovery and remediation costs. The mean cost to recover from a ransomware attack in 2024 rose to $2.73M from the $1.82M reported in 2023. This underscores the pressing need for robust cybersecurity measures across all sectors, and it also highlights the need for improved disclosure.[6]
For these reasons, the SEC has introduced new rules that will inform investors about cybersecurity attacks on public companies and offer insights about how companies manage cyber risks. This is intended to promote transparency and bolster overall risk management.
The new SEC disclosure requirements
The final rule has two key requirements:
a) Publicly-traded companies must disclose material cybersecurity incidents within four (4) business days after they have determined the incident is material[7]
- Requires public companies to disclose the occurrence of a material cybersecurity incident on new Item 1.05 of Form 8-K and describe the material aspects of the nature, scope, and timing of the incident, as well as the material impact or reasonably likely material impact of the incident on the company, including its financial condition and results of operations.
- Public companies must provide the required cybersecurity incident disclosure within four (4) business days after the company determines the incident to be material. The deadline is not four business days after the incident occurred or is discovered. This timing recognizes that, in many cases, a company will be unable to determine materiality the same day the incident is discovered.
b) Publicly-traded companies must annually disclose information in their Form 10-K about cybersecurity risk management, strategy, and governance[8]
- Requires public companies to make annual disclosures in their Form 10-K, under Item 106 of Regulation S-K, about their cybersecurity risk management, strategy, and governance.
- The final rule requires publicly-traded companies to describe their management processes for assessing and managing material risks from cybersecurity threats, including, as applicable, whether and which management positions or committees are responsible for assessing and managing those risks, and their relevant expertise.
The final rule’s disclosure requirement regarding the board focuses on describing the board’s oversight of risks from cybersecurity threats and, if applicable, identifying any relevant board committee or subcommittee and describing how the board or such committee is informed of such risks. The final rule also sets requirements for disclosure by foreign private issuers[9] and for tagging the new disclosures as inline structured data.[10]
Specific compliance dates
With respect to Item 106 of Regulation S-K and item 16K of Form 20-F, all registrants must provide such disclosures beginning with annual reports for fiscal years ending on or after December 15, 2023. With respect to compliance with the incident disclosure requirements in Item 1.05 of Form 8-K and in Form 6-K, all registrants other than smaller reporting companies must begin complying as of December 18, 2023.[11]
Smaller reporting companies (those with less than US$250 million in stock owned by public investors, or those with less than $100 million in annual revenue and less than $700 million in stock owned by public investors) are given an additional 180 days from the non-smaller reporting company compliance date before they must begin complying with Item 1.05 of Form 8-K, i.e., on June 15, 2024.[12]
The cost of non-compliance
Although the SEC hasn’t yet outlined precise penalties for violating the new rules, its enforcement powers are far-reaching. Fines could reach up to $25 million, alongside other disruptive actions such as cease-and-desist orders or suspension of trading privileges. Even more concerning is the increased likelihood of lawsuits from investors or stakeholders if companies neglect to disclose material cybersecurity events. The SEC’s rules provide a strong basis for activist investors to challenge companies that fail to meet their obligations.[13]
How can Sophos help?
As your publicly-traded company prepares to comply with the new SEC regulations, your first step should be to conduct a thorough cybersecurity risk evaluation of your IT environment, establish in-depth incident response plans, and deploy solutions and tools that offer full and detailed visibility into the entire estate and comprehensive reporting in an accurate and timely manner.
Sophos’ portfolio of managed security services and solutions – including Sophos MDR, Sophos Intercept X, Sophos XDR, and Sophos Firewall – is part of the Sophos Adaptive Cybersecurity Ecosystem, where these products share real-time threat intelligence for faster, more contextual, and synchronized protection, detection, and response.
These products are powered by Sophos X-Ops threat intelligence, a cross-operational task force of more than 500 security experts within SophosLabs, Sophos SecOps, and SophosAI. Solutions are easily managed in the cloud-native Sophos Central platform, where users can get insights into their security posture, security investigations, and cyberthreats with weekly and monthly reports, real-time alerts, and easy management via a single, intuitive interface.
Sophos has several resources to help you protect against ransomware. You can find best practice guidance, an anti-ransomware toolkit, a link to our incident response services, and links to several of our ransomware-related reports here. Specific advice on configuring Sophos products to prevent ransomware is also available.
To learn more about Sophos’s intuitive security solutions, speak with a Sophos adviser or your Sophos partner today, or visit the Sophos website.
[1] https://www.federalregister.gov/documents/2023/08/04/2023-16194/cybersecurity-risk-management-strategy-governance-and-incident-disclosure
[2] https://www.sec.gov/files/33-11216-fact-sheet.pdf; see also, https://www.sec.gov/newsroom/press-releases/2023-13
[3] https://www.paulhastings.com/insights/ph-privacy/sec-speech-on-cybersecurity-disclosure#:~:text=The%20two%2Dpronged%20approach%20of,disclosure%20of%20a%20public%20company’s
[4] https://www.sec.gov/newsroom/speeches-statements/gerding-cybersecurity-disclosure-20231214#_ftn1
[5] https://assets.sophos.com/X24WTUEQ/at/9brgj5n44hqvgsp5f5bqcps/sophos-state-of-ransomware-2024-wp.pdf
[6] Id.
[7] https://www.federalregister.gov/documents/2023/08/04/2023-16194/cybersecurity-risk-management-strategy-governance-and-incident-disclosure at §§ II.A.3, Appendices B and C.
[8] Id. at §§ II.C.1.c, II.C.2.c, II.C.3.c., Appendix D.
[9] Id. at § II.E.
[10] Id. at § II.E.
[11] See https://www.federalregister.gov/documents/2023/08/04/2023-16194/cybersecurity-risk-management-strategy-governance-and-incident-disclosure
[12] https://www.sec.gov/files/rules/final/2023/33-11216.pdf
[13] https://www.thomsonreuters.com/en-us/posts/investigation-fraud-and-risk/cybersecurity-disclosure-rules/