Understanding the New SEC Rules for Disclosing Cybersecurity Incidents
… and what this means for your incident detection and response
The U.S. Securities and Exchange Commission (SEC) recently announced its new rules for public companies regarding cybersecurity risk management, strategy, governance, and incident exposure. Some requirements apply to this year—for example, disclosures for fiscal years ending December 15, 2023 or later have new annual reporting requirements. As a result, organizations are wondering about how these new rules impact them.
In this post, we’ll help unpack the new rules, what they mean to you, and what your DevOps and DevSecOps teams might need to implement in response.
Understanding the SEC announcement
In the press release, SEC Chair Gary Gensler has a quote that helps to summarize why the new rules are being implemented:
Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.
Section I of the SEC’s Final Rule document helps us further understand the impetus for these new rules. Let’s summarize some of the key points:
Cybersecurity incidents have been reported inconsistently.
Cybersecurity incidents are also likely underreported.
Economic activity is increasingly dependent on electronic systems that are susceptible to cyber risk.
The frequency and financial impacts of cyberattacks are on the rise.
With that in mind, it makes sense why the SEC would want to standardize how incidents are reported. Let’s take a closer look at some of the new rules’ specifics.
What is a “material cybersecurity incident”?
The new rules establish requirements for reporting material cybersecurity incidents. For tech folks, a phrase like “material cybersecurity incident” can be tough legalese to decipher.
It’s clear that a breach compromising millions of sensitive records or costing tens of millions of dollars is material, but at what point is a breach not considered material? Fortunately, we have some precedents to help guide our interpretation. The concept of “materiality” has long been important when it comes to SEC regulations. Typically, the key characteristics of “materiality” are summarized by these two quotes from Justice Thurgood Marshall in a 1976 opinion indicating a fact is material if:
There is a “substantial likelihood that a reasonable shareholder would consider it important in deciding how to vote.”
A reasonable investor would see the fact as “having significantly altered the ‘total mix’ of information made available.”
Note that no specific dollar amount makes an incident material. Additionally, multiple connected immaterial incidents can become material in context. One example that the SEC’s Final Rule cites includes a single threat actor engaging in multiple smaller but continuous attacks against an organization.
For “cybersecurity incident,” the SEC defines the term for us: “an unauthorized occurrence on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.”
What is the timeframe for reporting an incident?
Once an incident is deemed “material,” affected organizations have to file SEC Form 8-K within four business days. Some exceptions to this timeframe exist: a delay may be permitted for national security reasons, and a separate provision allows omitting information related to national defense and foreign policy.
What organizations are affected?
Public companies are affected by the new SEC rules. That includes foreign private issuers (FPIs), a type of company registered outside of the U.S. but doing significant business inside the U.S.
How does an organization disclose this information?
The reporting requirements in the new SEC rules call out different forms that organizations must complete to disclose relevant information. They even include a requirement for disclosures to use the Inline eXtensible Business Reporting Language (Inline XBRL).
Let's break down the key forms related to the new SEC rules and when they're required. Note that the forms aren't new, but the new SEC rules have added new requirements related to cybersecurity disclosures.
Form 8-K
What is this form used for?
To disclose information related to any material cybersecurity incident
To describe the material aspects of the reported incident
To describe the scope, nature, and timing of the incident
To describe the likely impact, including any impact on finances and operations
Item 1.05 of Form 8-K must be filed within four business days of a cybersecurity incident being deemed material.
Form 10-K
What is this form used for?
To fulfill annual reporting requirements from Regulation S-K Item 106
To disclose processes for assessing, identifying, and managing cybersecurity risk
To disclose effects or likely effects of cybersecurity threats and past incidents
To describe the board of directors' role in cybersecurity risk oversight
To describe the role of management in assessing and managing cybersecurity threats
This form is required to be filed annually.
Form 6-K
This form is similar to Form 8-K, but for foreign private issuers. It is required to be filed after a material cybersecurity incident.
Form 20-F
This form is similar to Form 10-K, but for foreign private issuers. It is required to be filed annually.
How is this different from other standards in the past?
For publicly traded companies, rules and regulations are nothing new. Many organizations already face strict reporting requirements related to regulations such as HIPAA, PCI DSS, and SOX. Some of the most meaningful changes for publicly traded organizations include:
Standardization in reporting requirements: Previously, cybersecurity incidents were reported with varying levels of detail and frequency. The new SEC rules standardize how (based on the forms) and when an organization must report incidents.
Well-defined annual reporting updates: Publicly traded organizations now must report on cybersecurity practices and impact annually through Form 10-K or Form 20-F.
Now, let's get down to brass tacks. If you're a CISO or a part of your organization's Security, DevSecOps, or Governance Risk and Compliance team, what are the practical implications of these new rules?
How do the new SEC rules affect your cybersecurity measures?
The new SEC rules for public companies effectively create cybersecurity, disclosure, and governance requirements that organizations must address in their internal processes and policies. For example, affected organizations must be able to detect and analyze cybersecurity incidents quickly, and their incident response and analysis capabilities need to be mature enough to support disclosure of the "nature, scope, and timing" of the event.
The emphasis on board and management involvement also creates governance requirements for organizations. This may increase C-suite support for cybersecurity initiatives that might otherwise have languished, and that increased focus on governance may in turn drive adoption of the tactics and tools needed for effective detection, prevention, and disclosure of cybersecurity threats.
What tooling can help you adhere to the new rules?
From a tooling perspective, the new SEC rules should drive organizations to focus on the following:
Incident detection and prevention, including the ability to identify and mitigate vulnerabilities before they become full-blown incidents.
Incident response, which covers the ability to recover from cybersecurity incidents and capture the relevant data to disclose its "nature, scope, and timing" to shareholders.
Let's look at some of the tools and practices most relevant to enabling incident detection, prevention, and response.
Continuous monitoring
Continuous monitoring of IT infrastructure is essential to threat detection, root cause analysis, and incident response. With continuous monitoring platforms, enterprises can verify that adequate security controls are in place. That way, they can detect anomalies and improve MTTR if an incident occurs.
SIEM
A SIEM tool aggregates log data across an environment, enabling alerting, reporting, analysis, and data retention capabilities. When coupled with effective logging, SIEM platforms provide many of the capabilities organizations need to comply with the new SEC cybersecurity rules. For example, a SIEM platform can provide continuous log data monitoring, correlating alerts and security events from across all of your enterprise security tools. It will help you investigate and respond to threats quickly. Some Cloud SIEM platforms can even extend traditional SIEM capabilities for modern enterprises with user and entity behavior analytics (UEBA) to detect unknown threats.
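The correlation described above, and the earlier point that several smaller attacks by one threat actor can add up to a material incident, is easier to see in code. The following is an added example, not code from the original post or from any SIEM product: it ingests a few constructed log lines in a made-up "timestamp|source|actor|host|event" format, correlates events from different tools by actor into one record that captures the incident's nature, scope, and timing, flags records that warrant a management materiality review (a triage heuristic, not a materiality determination, which remains a legal judgement), and computes the Form 8-K filing deadline four business days after the materiality determination. The deadline helper skips weekends only; U.S. federal holidays are deliberately left out and would need to be added for real use.

```python
from collections import defaultdict
from datetime import date, datetime, timedelta

# Constructed sample log lines (not real product output). Fields:
# timestamp|reporting tool|actor (source IP)|affected host|event type
SAMPLE_LOGS = """\
2024-03-04T09:12:01Z|ids|203.0.113.7|web-01|port_scan
2024-03-04T09:40:55Z|waf|203.0.113.7|web-01|sqli_attempt
2024-03-05T22:03:10Z|edr|203.0.113.7|db-02|credential_dump
2024-03-06T01:15:42Z|proxy|203.0.113.7|db-02|large_outbound_transfer
2024-03-06T08:00:00Z|ids|198.51.100.9|mail-01|port_scan
"""

# Event types that on their own justify a materiality review (assumed list).
HIGH_IMPACT_EVENTS = {"credential_dump", "large_outbound_transfer"}


def parse_logs(text):
    """Parse the constructed pipe-delimited format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, actor, host, event = line.split("|")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "source": source,
            "actor": actor,
            "host": host,
            "event": event,
        })
    return events


def correlate_by_actor(events):
    """Group events from every tool by actor so that a series of small
    events becomes one record with its nature (event types), scope
    (hosts and reporting tools) and timing (first/last seen)."""
    groups = defaultdict(list)
    for e in events:
        groups[e["actor"]].append(e)
    records = {}
    for actor, evs in groups.items():
        evs.sort(key=lambda e: e["ts"])
        records[actor] = {
            "nature": sorted({e["event"] for e in evs}),
            "scope_hosts": sorted({e["host"] for e in evs}),
            "sources": sorted({e["source"] for e in evs}),
            "first_seen": evs[0]["ts"],
            "last_seen": evs[-1]["ts"],
            "event_count": len(evs),
        }
    return records


def needs_materiality_review(record):
    """Triage heuristic: escalate to management if a high-impact event is
    present or one actor produced three or more correlated events."""
    has_high_impact = bool(HIGH_IMPACT_EVENTS & set(record["nature"]))
    return has_high_impact or record["event_count"] >= 3


def form_8k_deadline(determination_date, business_days=4):
    """Deadline counted in business days from the materiality determination.
    Only weekends are skipped; holidays are not modelled (assumption)."""
    d = determination_date
    remaining = business_days
    while remaining > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:  # Monday..Friday
            remaining -= 1
    return d


if __name__ == "__main__":
    records = correlate_by_actor(parse_logs(SAMPLE_LOGS))
    for actor, rec in records.items():
        flag = "REVIEW" if needs_materiality_review(rec) else "monitor"
        print(f"{actor}: {flag} nature={rec['nature']} hosts={rec['scope_hosts']} "
              f"window={rec['first_seen']} .. {rec['last_seen']}")
    # Constructed scenario: materiality determined on Thursday 2024-03-07.
    print("8-K due by:", form_8k_deadline(date(2024, 3, 7)))
```

The record produced for each actor is the raw material for the "nature, scope, and timing" language the rules ask for; keeping the determination date separate from the detection timestamps matters because the four-day clock starts at the materiality determination, not at first detection.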
Why logging is essential for cybersecurity
Log management is a critical part of any organization's cybersecurity toolkit. Logging helps enterprises capture and retain key security and compliance data, and it enables the alerting and analytics capabilities of tools such as intrusion prevention or intrusion detection systems (IPS/IDS) and SIEM platforms. Robust log centralization and management tools are essential for your cybersecurity posture.
Logging isn't relevant only to the new SEC rules. Guidelines, requirements, and frameworks such as FedRAMP, PCI DSS, ISO 27001, HIPAA, and GLBA may also impose logging and data retention requirements on an organization.
Conclusion
The new SEC rules help standardize cybersecurity incident disclosures and emphasize the importance of governance in addressing cybersecurity risk. For publicly traded organizations, these rules add specificity and structure to handling cybersecurity incidents and reporting on cybersecurity posture.
The right tools, specifically platforms that enable effective logging and incident response, are essential to tying together a cybersecurity strategy that mitigates risk and enables adherence to the new rules.