By Tara Wisniewski, EVP, Advocacy, Global Markets and Member Engagement, ISC2
The U.S. Securities and Exchange Commission (SEC) last week voted to adopt significant new rules governing how publicly traded companies manage and disclose cybersecurity risk and cybersecurity incidents.
While U.S. healthcare providers, financial services firms and other critical infrastructure operators must, by law, report data and network breaches, no all-encompassing U.S. federal breach or incident disclosure law currently exists.
However, the new rules passed by the SEC commissioners leave considerable ambiguity, particularly regarding the definition and measurement of risk, and they stop short of a definitive requirement for cybersecurity skills and experience on public company boards. The new rules in their current form remain open to broad interpretation and to variance from one industry to another.
What Members Should Know
- The new rules expand cybersecurity risk management, strategy, governance, and incident disclosure requirements for U.S. public companies.
- They require public companies to disclose cybersecurity incidents on Form 8-K under Item 1.05 within four business days of determining that an incident has occurred and is material.
- Organizations must determine what materiality means for them, then determine the materiality of a given incident without unreasonable delay, though ‘unreasonable’ is undefined in the new rules.
- Disclosure delays of up to 60 days, longer in extraordinary circumstances, will be permitted if immediate disclosure poses a substantial risk to national security or public safety, but such a delay depends on a determination by the U.S. Attorney General. Members will need to work with their organization’s legal counsel to ensure compliance and appropriate use of disclosure extensions.
- The SEC’s decision narrows the disclosure gap between the U.S. and other jurisdictions with breach notification requirements, notably the E.U.’s GDPR, which means members may be able to consolidate their reporting and disclosure processes across multiple jurisdictions.
- While previously published language was diluted in the final version, the SEC ruling still amplifies the need for more board-level cybersecurity understanding in U.S. public companies. Organizations will need to factor this into training and recruitment plans going forward.
What Members Can Do
- If not already in place, members with compliance and incident response responsibilities should review their organization’s stance on how an incident’s materiality is determined. This should include identifying who in the organization decides that an incident is material, and what thresholds are used in making that determination. Clear sight of this threshold gives the best chance of meeting the four-business-day disclosure deadline, because the clock starts at the materiality determination, not at discovery of the incident.
- U.S.-listed companies will need to incorporate incident risk assessment and disclosure into their processes and policies going forward. ISC2's Certified in Governance, Risk and Compliance (CGRC) certification offers a long-term path for skills development and competency in the risk management aspects of the SEC rules.
- Shorter-term training initiatives such as our Skill Builder on GRC give members an immediate opportunity to build additional competency, making these rule changes easier to understand and comply with.
- In preparation for working with the new rules, ISC2 has developed pre-conference training for CISOs and risk specialists ahead of ISC2's Security Congress in October. These sessions will cover effective communication strategies, cybersecurity risk management, incident response and crisis management, along with other topics aligned with the SEC ruling.
- Members attending Congress can benefit from two dedicated sessions: SEC Board Cyber Reporting Rule Changes to Transform Your Security Culture on the first day, along with Communication Strategies for Effective Board Reporting on day three.
The ISC2 Point of View
Understanding the nature, scope and ramifications of material cyber incidents, and the financial and reputational effect those incidents have, is important for investors, customers and the wider public. However, with loose definitions and a short timeframe for disclosure, these new rules will create more ambiguity for cyber professionals and boards at a time of intense pressure, i.e., while responding to a cyber incident. The short timeframe for disclosure might force organizations to report an incident thought to be material which, on further investigation, turns out not to be. This could have reputational ramifications for both the organization and the individuals involved. A lack of clarity around these terms risks both over- and under-reporting, as different organizations in different industries manage risk in different ways.
We are also concerned that the accommodations for smaller organizations – which represent a sizable portion of the U.S. economy – contain no definition of what a smaller organization is. The SEC website has a definition of a smaller reporting company, but members should confirm with the SEC which category their organization, or the organizations for whom they consult, falls into.
A straw poll of ISC2 members in April 2023 examining some of the draft proposals revealed that while the overwhelming majority of those who gave their thoughts on the four-day reporting requirement for material breaches were supportive of the idea, some suggested the period was too short for an adequate investigation. Regarding the lack of board-level cybersecurity expertise, 82% of respondents said that companies should seek out board-level cybersecurity expertise, and 68% said they would be willing to take on such a board role for their organization.