
New SEC Rules: Material Incident Reporting Through Cybersecurity Disclosures

Published 05/13/2024

Originally published by Cyera.

Written by Jonathan Sharabi.

The Securities and Exchange Commission (SEC) rules set forth on July 26th, 2023, require nearly all companies that file documents with the SEC (“registrants”) to describe the processes and management procedures they use to assess, identify, and manage cybersecurity risks. The new regulations aim to provide investors and market participants with timely and reliable information regarding the consequences of any material cybersecurity incident.


What are the new SEC requirements?

Concerning breach notification rules, SEC registrants must disclose information about material cybersecurity incidents within four business days. The SEC defines a material incident as an event that a reasonable investor would likely consider significant when making an investment decision, such as data breaches, ransom demands, and unauthorized access to systems. The report should include the incident's nature, extent, and timing.

Most importantly, registrants are also required to explain their reasoning when deciding that an incident is not material and not related to prior incidents. For example, if a data breach requires immediate response and extensive remediation efforts by a security team, it's considered reportable under SEC guidelines regardless of whether it involved substantial financial loss or customer data theft.

Additionally, the SEC's new rules introduce Regulation S-K Item 106, which requires registrants to detail their methods for identifying, assessing, and managing substantial cybersecurity risks. This includes discussing the effects of these risks and any previous cybersecurity incidents, as well as explaining the board of directors' and management's roles in overseeing and managing these cybersecurity threats.


Which companies are required to comply?

The new rules affect all U.S. entities and foreign private issuers subject to the reporting requirements under the SEC’s Exchange Act. As per the SEC, foreign private issuers are any entities that are able to show that they have less than 50% U.S. ownership or, even if they have over 50% U.S. ownership, that they are not located or managed in the United States, or managed by U.S. personnel. The rules also apply to business development companies (“BDCs”), which are closed-end investment funds designed to enable retail investors to allocate funds to small and medium-sized private enterprises and invest in various other assets, including publicly traded companies.


What are the deadlines for complying?

Disclosure of material incidents for domestic registrants must be filed within four business days of determining that a cybersecurity incident is material. Registrants must begin complying by December 18, 2023. There are some exceptions, for example, for companies with less than $100 million in annual revenue.

In parallel, all registrants must provide cybersecurity disclosures in their annual reports for fiscal years ending on or after December 15, 2023.


What are the penalties?

When reporting material cybersecurity incidents to the SEC, companies must think about what kinds of data were affected and how this impacts their business and finances. Failure to comply with such guidelines may result in multi-million dollar penalties.


How can you ensure readiness with SEC disclosure requirements?

Deadlines to report incidents to the SEC are very strict, given that most incidents must be reported within days. Thus, companies should already have the people, processes, and tools in place to analyze an incident and file a timely report. Here are two key considerations for companies:

  • Determining that a critical incident is material, or otherwise being able to prove that it was not material, can be complicated and challenging. It requires resources and tools to run detailed processes in order to find out what led to the incident, what data was potentially compromised, and what level of risk the compromised data poses to both the impacted company and individuals.
  • Reporting how the board of directors handles cybersecurity risks. This means management teams must have effective systems and processes ready to respond to SEC questions. They need to address what systems they have in place to understand the impacted data and how they can quickly remediate significant cybersecurity incidents.
