The Bitwarden Blog

Making sense of SEC cyber reporting rules

Authored by: Bitwarden

The Securities and Exchange Commission (SEC) has adopted rules requiring companies to disclose “material cybersecurity incidents.” The rules require a comprehensive cybersecurity disclosure within four days of discovering the incident, and an annual update from companies about their “cybersecurity risk management, strategy, and governance.” Publicly traded companies and “foreign private issuers” must comply with the new rules.

Cybersecurity Dive noted these guidelines are “designed to ensure investors and other members of the public are informed about these events in a much more timely and consistent manner.” Read on to better understand the rules and gain insights into how to better protect sensitive data (hint: use a password manager!) against cybersecurity incidents.

What are the exact SEC cybersecurity rules for reporting?

According to the SEC website, the rules are:

  • Registrants must disclose on Item 1.05 of Form 8-K any cybersecurity incident they determine to be material and describe the aspects of the incident’s nature, scope, and timing, as well as its material impact on the registrant.

  • An Item 1.05 Form 8-K is generally due four business days after a registrant determines that a cybersecurity incident is material.

  • Regulation S-K Item 106 requires registrants to describe their processes for assessing, identifying, and managing material risks from cybersecurity threats, as well as the material effects of risks from cybersecurity threats that could impact the company's business strategy, results of operations, or financial condition, and previous cybersecurity incidents.

  • Item 106 also requires registrants to describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats. These disclosures will be required in a registrant’s annual report on Form 10-K.

  • The rules require comparable disclosures by foreign private issuers on Form 6-K for material cybersecurity incidents and on Form 20-F for cybersecurity risk management, strategy, and governance.

Under the SEC cybersecurity reporting rules, what constitutes a ‘material’ incident for disclosure purposes?

In its official press release about the rules, SEC Chair Gary Gensler compared a company losing a factory in a fire to losing millions of files during cybersecurity incidents, noting both situations are plausibly material to investors. Questions of materiality can be complex and ambiguous. Discerning the technical impact of breaches takes time, as does determining the financial impact. According to the Wall Street Journal, the main takeaway of materiality is that the SEC wants investors to know if a cyber incident has affected a company’s financial health and performance.

“The SEC gave companies discretion to determine whether a hack is material as long as the definition conforms to established case law and legislation enacted in the 1930s,” said James Rundle and Kim Nash with the Wall Street Journal. “That is, information is material if a reasonable person considers it important when making an investment decision or if it would significantly affect publicly available company information. Any doubts should be resolved in the favor of the investor.”

Companies must also consider whether a cybersecurity incident poses a substantial risk to national security or public safety, which could justify delaying disclosure.

Cybersecurity risk management and strategy

The SEC has underscored the critical role of a robust cybersecurity risk management strategy in safeguarding investors and ensuring the stability of financial markets. Under these rules, companies must disclose their cybersecurity strategy and governance processes in annual 10-K filings. This requirement aims to provide transparency about how companies identify, assess, and manage material risks from cybersecurity threats.

A well-defined data security strategy involves several key components. First, companies must establish a comprehensive process that includes regular assessments to identify potential vulnerabilities. This proactive approach helps pinpoint areas that cyber threats could exploit. Companies should also implement strong internal controls and policies to mitigate identified risks, such as employee training programs that raise awareness of cybersecurity best practices and the use of advanced security technologies to protect sensitive data.

The SEC’s emphasis on cybersecurity risk management highlights the need to continuously monitor and update security measures. As cyber threats evolve, so too must the strategies to counter them. By maintaining a dynamic and responsive cybersecurity incident response plan, companies can better protect their assets, mitigate threats, and ensure compliance with SEC regulations.

Cyber governance and reporting

Effective cyber governance and reporting are integral to a company’s cybersecurity strategy. The SEC rules strongly emphasize transparency and accountability in cybersecurity reporting. Registrants must ensure that their cyber governance and reporting processes are robust and effective in communicating the company’s cybersecurity posture to investors and stakeholders.

Cyber governance involves overseeing and managing cybersecurity vulnerabilities at the highest levels of the organization. This includes the board of directors and senior management, who must be actively involved in assessing and managing material risks from cybersecurity threats. The SEC requires companies to disclose the board’s oversight role and management’s expertise in their annual reports. This transparency helps build investor confidence by demonstrating that the company is making cybersecurity a business imperative.

Regarding reporting, companies must provide detailed disclosures about cybersecurity incidents and risk management practices. This includes timely incident disclosure, a thorough description of practices to identify and manage material cyber threat risks, and the impact of previous security incidents.

By adhering to these reporting requirements, companies can ensure they provide investors with the information needed to make informed decisions. Effective cyber governance and reporting enhance compliance with SEC regulations and contribute to the organization's overall resilience and security.

Preventing material cybersecurity incidents

Stopping all cybersecurity incidents is unrealistic, so businesses should be familiar with the SEC cybersecurity rules for reporting. However, there are steps companies can take to better protect their data from internal and external threats. One of the most effective tactics is to deploy an enterprise-wide password manager. Enforcing strong employee password policies allows companies to establish a first line of defense against data breaches. Enabling employees to create, manage, and store strong and unique passwords in an encrypted vault protects companies against the proliferation of weak or reused passwords. This is critical, as the data show that insecure credentials play a large role in facilitating cybersecurity incidents. According to the Verizon 2024 Data Breach Investigations Report, stolen credentials accounted for initial access in 77% of web application breaches.

When used consistently, password managers offer security and transparency. They can also help prevent material breaches, empowering businesses to minimize risk confidently. By offering a strategy for managing material risks from cybersecurity threats, companies are also in a better position to demonstrate that they have a coherent security incident response plan in place.

Get started with Bitwarden

Ready to simplify your security with a password management solution? Get started with a free business trial to help your team stay safe online, or quickly sign up for a free individual account. Still have questions? Check out the live weekly demo to speak directly with the Bitwarden team.

Tags: Compliance, Business, Password Manager
© 2024 Bitwarden, Inc.