SEC Adds Another Layer of Regulatory Requirements
Published On February 12, 2024
by Maliha Charania and Lucas Baiocchi
Cybersecurity is a critical issue for public companies as cyberattacks can cause significant financial, operational, legal, and reputational harm. The U.S. Securities and Exchange Commission (SEC) recognizes the importance of cybersecurity and has taken several steps to address it in the context of securities regulation.
In this article, we will discuss the SEC's adoption of new rules that require public companies to disclose material cybersecurity incidents and to provide annual disclosure of their cybersecurity risk management, strategy, and governance.
The SEC has been providing guidance and enforcement actions related to cybersecurity since 2011, when the Division of Corporation Finance issued interpretive guidance on the application of existing disclosure requirements to cybersecurity risks and incidents.
In 2018, the SEC issued additional interpretive guidance that reiterated and expanded on the 2011 guidance and emphasized the importance of maintaining comprehensive policies and procedures related to cybersecurity.
The SEC also created a Cyber Unit within the Division of Enforcement in 2017, which focuses on cyber-related misconduct, such as hacking, market manipulation, insider trading, and disclosure violations.
New SEC Rules
In the swiftly evolving landscape of cybersecurity, the SEC has adopted a new set of rules that demand increased transparency from companies in disclosing cybersecurity incidents. The rules, aimed at both domestic registrants and foreign private issuers, are designed to ensure that stakeholders are kept informed about material cybersecurity incidents in a timely manner.
According to the SEC, a domestic registrant can be one of the following types of entities:
- Any organization that is required to file a registration statement under the Securities Act because it issues securities.
- Any issuer that must file a registration statement or report under the Exchange Act with respect to its securities.
- Investment companies that have to file a registration statement or report under the Investment Company Act.
The official definition of 'domestic registrant' can be found in rule 17 CFR § 232.11, which is part of the rules for the SEC’s Electronic Data Gathering, Analysis, and Retrieval (EDGAR) system.
A foreign private issuer describes a non-governmental organization formed or established outside of the United States that meets one of the following requirements:
- American residents hold less than half of the organization's outstanding voting securities or
- The majority of the organization's top management or board members are not U.S. citizens or residents, its primary assets are located outside the U.S., and its business operations are predominantly conducted outside the U.S.
In short, any organization that must file SEC forms is subject to the new rule.
Disclosure of Material Cybersecurity Incidents
For domestic registrants, the disclosure of a material cybersecurity incident must be filed on Form 8-K within four business days of determining its materiality. As per Item 1.05 on Form 8-K, such disclosures are required to cover the material aspects of the incident's timing, scope, and nature, as well as the impact or likely impact on the registrant's financial condition and operational results. It is crucial to note that registrants are not mandated to disclose technical details that could potentially compromise their response to the incident.
Foreign private issuers, on the other hand, are required to provide a Form 6-K promptly after the incident is disclosed or otherwise publicized in a foreign jurisdiction, to any stock exchange, or to security holders. The term “material cybersecurity incident” has been added to the list of events that trigger this kind of disclosure.
By implementing these rules, the SEC aims to enforce greater accountability and transparency in managing cybersecurity risks, ultimately helping to protect investors and maintain fair, orderly, and efficient markets.
Annual Disclosure of Cybersecurity Risk Management, Strategy, and Governance
For domestic registrants, this disclosure is made on Form 10-K. For foreign private issuers, this disclosure is made on Form 20-F. All registrants are required to provide these disclosures beginning with annual reports for fiscal years ending on or after December 15, 2023.
The new rules also require the disclosures to be tagged with Inline eXtensible Business Reporting Language (Inline XBRL). All registrants are required to begin tagging their annual disclosures in Inline XBRL for fiscal years ending on or after December 15, 2023. Additionally, all registrants must start tagging their material cybersecurity disclosures in Inline XBRL by December 18, 2024.
Practical Tips for Complying with the New Rules
Effective Cybersecurity Governance Starts at the Top
Effective cybersecurity governance starts with the board of directors. It is essential for the board to understand the importance of cybersecurity risk, highlight its significance, and lead the charge in creating a cybersecurity risk management program.
Together with the IT department, legal counsel, and senior management, the board can evaluate the level of cyber risk and devise appropriate policies and procedures to address these risks.
Developing a risk-aware culture is also important for effective cybersecurity governance. Every employee must be made aware of policies and procedures through training, awareness, and accountability.
Develop a Cybersecurity Risk Management Strategy
A risk assessment of the company should be performed, identifying key assets, potential vulnerabilities, and current and potential threats. After the risk assessment is complete, procedures should be established for mitigating the identified risks. These plans must be tested regularly, and appropriate policies and procedures established to evaluate and report on the efficacy of these procedures on a periodic basis.
Meditology offers risk assessment options, such as the NIST Cybersecurity Framework (NIST CSF), HIPAA gap analysis, 405(d) HICP, and NIST 800-53, designed to help you identify and mitigate potential threats. They also help you identify and preemptively address risks to patient data before they evolve into costly incidents. Take the first step towards strong cybersecurity with Meditology and experience the peace of mind that comes with comprehensive risk management.
Finally, companies must prepare for the worst-case scenario by establishing an incident response plan. The plan should be developed and rehearsed before any incidents occur, and should include steps for containing, assessing, and reporting incidents to all stakeholders, including the SEC and other law enforcement authorities, as applicable.
Incident Disclosure Should Be a Priority
Since 2011, the SEC has insisted that companies report all cybersecurity incidents that might have an impact on their clients, including investigations and lawsuits. The SEC deems it essential that investors and the public at large have information on actions taken to lessen the threat of cyber breaches. Depending on the severity of the incident, immediate notification is critical.
Meditology Services can assist you with incident response. We can write an incident response plan, update your existing plan, and assist you with planning and conducting tabletop tests of the plan. Validation of your incident response preparedness by a third party will provide the SEC and the general public with confidence that you are taking action to protect your organization against cyber threats.
Shareholders, regulators, and customers must be notified within 24 hours of the detection of a severe data breach. Failure to report an incident carries serious consequences, including financial penalties, regulatory repercussions, and damage to the organization's reputation.
Determine the Right Technology to Mitigate Risk
Choosing the right technology to harness data, identify issues, and prevent cyber threats can be a game-changer when creating a cybersecurity strategy. The tech stack should address risk and identity management, security information and event management, intrusion detection and prevention, advanced endpoint security, and automated alerting.
The reality is that cybersecurity risk is unavoidable for public companies. Developing effective governance structures, outlining cybersecurity risk management strategies, placing emphasis on incident reporting, and using appropriate technology stacks are vital steps companies must take to mitigate cybersecurity risk.
By embracing cybersecurity risk mitigation, public companies can achieve significant benefits, from reduced cybersecurity threats to a more secure and predictable environment for the organization's people, property, and business processes.
About the Authors
Maliha Charania, MSIS, MSCS, HITRUST | Director, IT Risk Management
Maliha serves as the leader of Risk Advisory Services. She has designed, led, and implemented numerous global IT security and risk management initiatives in both healthcare and academia. Maliha has over 14 years of experience with extensive technical security knowledge and has served as a Subject Matter Expert in matters of IT security and compliance for many healthcare providers, business associates, and payers of varying sizes and across the world. Maliha has extensive knowledge in various standards and legislation including HIPAA, GDPR, ISO, NIST, and HITRUST. Maliha’s combination of consulting and hands-on experience at an international level is what distinguishes her in the IT Risk Management and Cybersecurity field.
Lucas Baiocchi, HCISPP, CCSFP | Manager, IT Risk Management
Lucas is a seasoned information security, governance, and risk management leader at Meditology Services. While working as a Manager for Meditology, he has specialized in building and implementing risk management functions for entities ranging from start-ups to national enterprises. Working with Meditology for the past 6 years, he has been deeply involved in NIST CSF, NIST 800-53, HITRUST, HIPAA, Promoting Interoperability, and CEHRT attestation, and currently holds the HealthCare Information Security and Privacy Practitioner (HCISPP) and Certified CSF Practitioner (CCSFP) certifications. With a lifelong passion for artificial intelligence, cryptographic technologies, and advanced malware threats, he finds meaning in ensuring his clients have the most comprehensive yet feasible information security controls against the ever-changing threat landscape and regulatory environment.