On Sept. 5, the Securities and Exchange Commission’s (SEC) long-awaited final rules on which information about public companies’ cybersecurity strategy, risk management, and incidents needs to be disclosed to investors went into effect.
The new regulations are designed to push boards and corporate officers to treat the safety (or lack thereof) of their data and operations as a material part of their business, relevant to investors.
Most publicly traded companies will be required to file a Form 8-K to notify the SEC and investors within four days of determining a cyber incident is material (meaning it is information a reasonable investor would consider important). Firms are also required to periodically disclose information about how cyber risks are identified and managed, the current risk environment, and how their board of directors and management teams execute cybersecurity strategy.
Other proposals, such as requiring companies to identify board members with specific cybersecurity expertise, were ultimately abandoned.
“It’s the same framework that applies to basically every other sort of disclosure obligation that a company has, for the most part, under the SEC’s requirements,” Dave Lynn, the chair of law firm Morrison & Foerster’s Public Company Advisory and Governance practice, told IT Brew.
According to Lynn, the rules create an affirmative obligation to disclose material cyber incidents around the time they’re discovered, where previously it was voluntary. However, he doesn’t expect a flood of new disclosures, as companies determine few cyberattacks to be material, and the “regulatory gray area” under previous SEC cybersecurity guidance meant they disclosed many of them anyhow. The SEC’s new rules will get that information into the hands of investors sooner.
“It’s inevitably going to cause people to go back and hone their materiality analysis and beef up…their controls and procedures around how this information is communicated internally,” Lynn said. “That might prompt people when they make their materiality analysis to be more circumspect about when they don’t disclose things, because they’re trying to figure out, ‘Is this something that I’m exposed to from an enforcement perspective?’”
The rules also have an anti-insider trading bent, as the emphasis on disclosure of material incidents in a timely manner is designed to make it more difficult to profit off knowledge of a breach.
The SEC isn’t expecting a “detailed roadmap,” Chris Hetner, former senior cybersecurity adviser to the chair of the SEC and current cyber risk special advisor to the National Association of Corporate Directors (NACD), told IT Brew. Instead, it wants to “force the companies to think about how this negatively impacts their balance sheet.”
Companies must disclose “how you’re effectively overseeing this thing called cyber, how you’re maintaining business resilience, or how you’re protecting intellectual property, your crown jewel, so that your value is maintained,” Hetner said.
Hetner said the substance of engagement between boards and senior cybersecurity execs, and whatever metrics are used, will be critical and potentially “seismic.” A joint WSJ Pro/NACD poll recently found wide disparities in corporate boards’ preparedness to deal with cyber incidents, while other research has indicated many boardrooms have yet to reach consensus on their role in overseeing security.
He advised that companies start viewing cybersecurity in terms of business and financial impact, with best practice for boards being to include cyber issues alongside others like supply chains in their focus committee on risk management.
Security operations centers should “be enriched with business intelligence [and] more risk-based context to how these events can manifest and introduce harm to the enterprise,” Hetner added.
“It’s less [about] adding more staff than just integrating the right staff,” Lynn told IT Brew.