The Securities and Exchange Commission (SEC) first proposed new cybersecurity disclosure rules on March 8, 2022. The comment period for the proposed rules closed on May 9, 2022.
The SEC then reopened the comment period on the proposed rules on February 9, 2023, and closed it on April 11, 2023.
Public company directors and executives have been highly anticipating the announcement of the finalized new rules and regulations.
On July 26th 2023 the SEC voted 3-2 to adopt new rules on cybersecurity disclosures.
The rules are designed to help investors make informed investment decisions by providing them with more information about the cybersecurity risks facing public companies. The rules also aim to encourage public companies to take steps to improve their cybersecurity posture.
The new rules will go into effect on December 1, 2023.
Board of directors should start preparing now to ensure that their companies are in compliance with the new rules.
What the New Rules Require
According to the new rules, public companies will have to disclose a cybersecurity incident within four business days of determining that the incident is material. A material cybersecurity incident is one that is likely to have a significant impact on the company’s business, financial condition, or operations.
The four day disclosure deadline is designed to ensure that investors have timely information about cybersecurity incidents that could impact their investment decisions. The SEC believes this will help protect investors from the financial risks posed by cybersecurity incidents.
The new rules also require public companies to disclose information about the following aspects of a cybersecurity incident:
The new rules also require public companies to disclose information about the board of directors’ oversight of cybersecurity risk. This includes information about the board’s role in assessing and managing cybersecurity risk, as well as the board’s expertise in cybersecurity.
What Does this Mean for Public Companies?
The new cybersecurity disclosure rules will have a significant impact on public companies. Companies will need to carefully consider the information they disclose about cybersecurity risks and incidents.
Companies that fail to comply with the new cybersecurity disclosure rules could face a number of consequences, including:
Overall, there is a range of views among companies about the new SEC cybersecurity disclosure rules. Some companies believe that the rules are a positive step, while others believe that the rules are too complex or could discourage companies from reporting cybersecurity incidents. It will be interesting to see how companies comply with the rules once they go into effect.
In a letter to the SEC the Securities Industry and Financial Markets Association (SIFMA) said, “The SEC is calling for public disclosure of considerably too much, too sensitive, highly subjective information, at premature points in time, without requisite deference to the prudential regulators of public companies or relevant cybersecurity specialist agencies.”
Hope Jarkowski, NYSE Group general counsel, shared concerns in a letter stating, “Premature public disclosure of an incident without certainty that the threat has been extinguished could provide bad actors with useful information to expand an attack.”
In a separate letter to the SEC, Nasdaq echoed the concerns shared by the NYSE saying, “the obligation to disclose may reveal additional information to an unauthorized intruder who may still have access to the company’s information systems at the time the disclosure is made and potentially further harm the company.”
The SEC has addressed some of these concerns in the final rules. For example, the SEC has clarified that the four-day disclosure deadline is a “safe harbor,” and that companies will not be penalized if they disclose an incident after four days if they have a reasonable basis for believing that the incident is not material. The SEC has also clarified that the rules do not require companies to disclose sensitive information about cybersecurity incidents. However, some of the concerns about the new rules remain.
How Board of Directors Should Prepare
Board of directors should start preparing for the new cybersecurity disclosure rules now.
In terms of immediate actions, directors should start with board education to bring everyone up to the same cyber literacy level. Directors may want to consider bringing in outside experts to give the entire board an orientation and briefing.
Boards may also want to consider assigning a specific committee to own cybersecurity oversight.
Given that the new rules also require public companies to disclose information about the board’s role in assessing and managing cybersecurity risk, as well as the board’s expertise in cybersecurity, directors will be well served to beef up their qualifications.
Directors may want to consider taking external cybersecurity readiness courses and earning credentials. Consider also updating the directors biographies in the proxy and highlighting any previous experience a director may have i.e. previously serving as an executive / director at a cybersecurity company, etc.
Directors Focus on Oversight not Overstepping
The board of directors is responsible for providing oversight for the company but must never overstep into an operational role.
Board members need to know which questions to ask management so they can form a fulsome view of the company’s current posture.
Here are some suggested questions for the board to bring to management to serve as discussion starters:
Board of directors may want to consider incorporating the above topics in discussions with management to help ensure that their companies are in compliance with the new rules.
Cyber-related risk continues to be one of the top concerns businesses are facing. Board members have a huge amount of regulatory oversight to absorb and implement in the coming 6 months.
However, boards must not become so overwhelmed by compliance matters that they lose sight of their primary focus which should be being good stewards for the health and growth of the companies they serve.