New SEC Rules: Material Incident Reporting Through Cybersecurity Disclosures

Jonathan Sharabi
,
Feb 1, 2024
February 1, 2024
New SEC Rules: Material Incident Reporting Through Cybersecurity Disclosures

The Securities and Exchange Commission (SEC) rules set forth on July 26th, 2023, require that nearly all companies that file documents with the SEC (“registrants”) must describe the processes and management procedures they use to assess, identify, and manage cybersecurity risks. The new regulations aim to provide investors and market participants with timely and reliable information regarding the consequences of any material cybersecurity incident.

What are the new SEC requirements?

Concerning breach notification rules, SEC registrants must disclose information about material cybersecurity incidents within four business days. The SEC defines a material incident as an event that a reasonable investor would likely consider significant when making an investment decision, such as data breaches, ransom demands, and unauthorized access to systems. The report should include the incident's nature, extent, and timing.

Most importantly, registrants are also required to explain their reasoning when deciding that an incident is not material and not related to prior incidents. For example, if a data breach requires immediate response and extensive remediation efforts by a security team, it's considered reportable under SEC guidelines regardless of substantial financial loss or customer data theft.

Additionally, the SEC's new rules introduce regulation S-K item 106, which requires registrants to detail their methods for identifying, assessing, and managing substantial cybersecurity risks. This includes discussing the effects of these risks and any previous cybersecurity incidents, as well as explaining the board of directors' and management's roles in overseeing and managing these cybersecurity threats.

Which companies are required to comply?

The new rules affect all U.S. entities and foreign private issuers subject to the reporting requirements under the SEC’s Exchange Act. As per the SEC, foreign private issuers are any entities that are able to show that they have less than 50% U.S. ownership or, even if they have over 50% U.S. ownership, that they are not located or managed in the United States, or managed by U.S. personnel. The rules also apply to business development companies (“BDCs”), which are closed-end investment funds designed to enable retail investors to allocate funds to small and medium-sized private enterprises and invest in various other assets, including publicly traded companies.

What are the deadlines for complying?

Disclosure of material incidents for domestic registrants must be filed within four business days of determining that a cybersecurity incident is material. Registrants must begin complying by December 18, 2023. There are some exceptions, for example, for companies with less than $100 million in annual revenue.

In parallel, all registrants must provide cybersecurity disclosures in their annual reports for fiscal years ending on or after December 15, 2023. 

What are the penalties?

When reporting material cybersecurity incidents to the SEC, companies must think about what kinds of data were affected and how this impacts their business and finances. Failure to comply with such guidelines may result in multi-million dollar penalties.

How can you ensure readiness with SEC disclosure requirements?

Deadlines to report incidents to the SEC are very strict, given that most incidents must be reported within days. Thus, companies should already have the people, processes, and tools in place to analyze an incident and file a timely report. Here are two key considerations for companies:

  • Identifying that a critical incident is material and otherwise being able to prove that it was not material can be complicated and challenging. It requires resources and tools to run detailed processes in order to find out what led to the incident, what data was potentially compromised, and what level of risk the compromised data poses to both the impacted company and individuals.
  • Reporting how the board of directors handles cybersecurity risks. This means management teams must have effective systems and processes ready to respond to SEC questions. They need to address what systems they have in place to understand the impacted data and how they can quickly remediate significant cybersecurity incidents.

How Cyera helps you comply with the new SEC rules

Cyera enables companies to analyze and accelerate their response to material incidents that involve the compromise of data. Our solution helps companies adhere to the new SEC rules with:

Visibility to Regulated Data: Cyera provides visibility into all data, especially regulated data. It includes what data a company holds, where it is located, who has access to it, and how it is used. This proactive stance is crucial for understanding the impact of a material incident.

Context about Data and Risks: Cyera generates context about your data, such as the residency and data subject role of your data, as well as the classes of data that were compromised. For example, Cyera categorizes credit card information, social security numbers, and other information that may be flagged as high risk, increasing the urgency to report the material incident. 

Efficient Prevention and Response: Cyera helps identify any misconfigurations that could lead to a material incident, minimizing the risk of a breach and impeding access to sensitive data by unauthorized persons. Cyera also identifies vulnerabilities and implements timely remediation actions to close security gaps. This becomes crucial for reducing the blast radius of an incident. 

To learn more about how you can better audit your data and prepare against material incidents under the SEC rules, schedule a demo today.