New SEC Cybersecurity Rule
The future of non-financial data disclosure
Last month, the US Securities and Exchange Commission (SEC) adopted new rules mandating companies, including foreign private issuers, to disclose material cybersecurity incidents they experience, as well as cybersecurity risk management, strategy, and governance.
In its press release, SEC Chair Gary Gensler said: “Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”
InspIR addresses below some of the key questions around this new set of rules and provides context on what companies listed on US exchanges can expect.
#1 What is the SEC Cybersecurity Rule and how does it affect my reporting practice?
The new rule mandates disclosing any material cybersecurity incident, including its “nature, scope, and timing, as well as its material impact or reasonably likely material impact” on the company, within four days of determining that the incident is material, under the new Item 1.05 of Form 8-K. What is considered material? This should be decided and documented by the company and should not be the responsibility of only one person. It should at least involve the CFO, General Counsel, CISO, CIO and other top management officers. The relevant processes should also be included as part of the cybersecurity risk governance framework. The rules do not require companies to disclose sensitive information about cybersecurity incidents.
Additionally, issuers will need to periodically disclose “their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, as well as the material effects or reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents”. On top of that, the same item also requires registrants “to describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats”. These disclosures will be required in a registrant’s annual report on Form 10-K.
Foreign Private Issuers must make similar disclosures on Form 6-K for material cybersecurity incidents and on Form 20-F for cybersecurity risk management, strategy and governance.
The rule is aligned with cybersecurity becoming an increasingly material topic for companies around the world, and with exchanges and regulators extending rules to any event that they consider a significant threat to operations and that investors need to know about. It is also relevant for companies listed on local stock exchanges (in Latin America, for example): given the higher demand for ESG information from the investment community, companies that are not required to make cybersecurity-related disclosures should still address this topic thoroughly to remain competitive. Investors and analysts will only analyze data when it is made available in a standard and comparable manner.
Adopted by the SEC on July 26, 2023, the new rule becomes effective on the later of 90 days after the date of publication or December 18, 2023 (180 days for smaller reporting companies). The Form 10-K and Form 20-F disclosures will be due beginning with annual reports for fiscal years ending on or after December 15, 2023.
#2 How should we prepare our Boards for cybersecurity risk if we have not already done so?
Board education on cybersecurity risk is one of the first items that should be on your list to improve cybersecurity governance and the board’s ability to respond to this rule and its consequences. Everyone on the board (and ideally every member of top management) should have the same level of cyber literacy. The board may also want to consider assigning a specific committee to own cybersecurity oversight. Consider also updating directors’ bios and credentials to highlight any previous cybersecurity experience.
Board members also need to know which questions to ask management so they can have a comprehensive understanding of the company’s current cybersecurity risk and preparedness. What does the CISO consider to be the biggest cybersecurity risks the business needs to monitor? Which ones are most likely to happen, and which ones could have the most significant financial impact? The board should also ask the CISO to assess and present recommendations for cybersecurity investment, and should understand the post-breach protocol and which communications team is in charge in case of a significant security breach.
#3 What can we expect now?
Over the past few years, market regulators and exchanges worldwide have been providing rules and guidelines around ESG-related disclosures. However, this new SEC rule provides a specific framework that mandates issuers to disclose a matter that can initially be considered non-financial, and it begs the question of whether this initiative marks a beginning for securities regulators to issue rules around other sustainability-related material topics.
Issuing new rules and having the proper frameworks to address non-financial, sustainability-related material topics will take time, so issuers should start implementing the necessary processes now to be ready to comply not only with stock market rules and regulations but, even more importantly, with market demands and expectations. There is no secret recipe for ESG reporting success; rather, just as companies have done with financial reporting, it comes from building the tools and systems to gather, report and audit sustainability-related data as an embedded process inside your company’s reporting practices. Understanding your company’s sustainability journey, industry standards, and peer practices is an integral part of such a process.
InspIR will take your ESG communications to the next level. Contact our experienced team today to discover how we can help you.
Zelmira Silva, Partner & ESG Advisory Lead: email@example.com