On July 26, the Securities and Exchange Commission (SEC) released its final rule for disclosure related to cybersecurity incidents for all publicly traded companies. According to the final rule, the requirements are in response to three specific trends:
Note: The italics indicate what’s directly from the final rule.
- “First, an ever-increasing share of economic activity is dependent on electronic systems, such that disruptions to those systems can have significant effects on registrants and, in the case of large-scale attacks, systemic effects on the economy as a whole.”
- “Second, there has been a substantial rise in the prevalence of cybersecurity incidents, propelled by several factors: the increase in remote work spurred by the COVID-19 pandemic; the increasing reliance on third-party service providers for information technology services; and the rapid monetization of cyberattacks facilitated by ransomware, black markets for stolen data, and crypto-asset technology.”
- “Third, the costs and adverse consequences of cybersecurity incidents to companies are increasing; such costs include business interruption, lost revenue, ransom payments, remediation costs, liabilities to affected parties, cybersecurity protection costs, lost assets, litigation risks, and reputational damage.”
The rule was revised, and the scope of disclosed information was narrowed, since its proposal in March 2022. The newly adopted rule is still intended to provide consistent and comparable disclosures that would help investors evaluate an organization’s exposure to cybersecurity risks and incidents. It would also help evaluate an organization’s ability to manage and minimize those risks. That should enable investors to make informed decisions.
Summary of Requirements for Your Organization and Vendors
- Investigate immediately – After discovering an incident, organizations should promptly assess whether it is material and, if so, file an Item 1.05 Form 8-K within four business days. The clock starts ticking on the day the incident is determined to be material – not four business days from the incident itself.
- Comply with regulations – When determining materiality, it’s important to follow federal securities guidelines, which consider both quantitative and qualitative factors.
- Delay only if necessary – To delay the filing of an Item 1.05 Form 8-K, an organization must receive written notification from the U.S. attorney general stating that immediate disclosure would pose a significant risk to public safety or national security.
When an incident occurs, organizations must provide:
- A detailed description of what happened, including the extent and timing of the incident's impact on the organization. If the necessary information isn’t known yet, the 8-K filing should disclose this fact. Organizations should update it later when more information is determined or available.
- The organization’s process, if any, for assessing, identifying, and managing material risks from cybersecurity threats, including:
  - Whether cybersecurity is included in the comprehensive risk management plan, whether external consultants, auditors, or third parties are involved, and whether processes are in place to monitor and detect risks associated with third-party usage.
  - Details on the extent to which cybersecurity threats have affected, or are anticipated to significantly affect, the organization’s business strategy, financial condition, or operations.
  - Disclosure of the board's responsibility for overseeing cybersecurity risks and management's role in evaluating and addressing significant cybersecurity threats.
  - The qualifications of the individuals in charge of the organization’s cybersecurity management.
The newly adopted rule also applies to Foreign Private Issuers. They must provide information on material cybersecurity incidents that they disclose or publicize in a foreign jurisdiction to stock exchanges or security holders using Form 6-K.
Foreign Private Issuers are also required to use Form 20-F to:
- Provide an explanation of how the board oversees and manages cybersecurity risks
- Explain how management is responsible for identifying and handling material risks associated with cybersecurity threats
Next Steps for Your Organization and Vendors to Prepare for Compliance With the SEC Rule
The rule becomes effective on August 28, 2023, 30 days after its initial publication. Beyond reading and reviewing both the adopted rule and the fact sheet, it’s important to keep the following in mind to ensure compliance:
- Organizations should review and update their information security program, documenting their processes for identifying and mitigating cybersecurity risk, including how they assess third-party risk. They should also examine reporting and governance processes, including cybersecurity incident response plans, to ensure they can promptly determine whether a cybersecurity incident, or a series of cybersecurity incidents, is material and requires reporting under the new rule.
- Board members must understand the significance of active participation in supervising the organization’s cybersecurity risk management. This is highlighted by the final rule. Board members should be kept informed about the organization’s cybersecurity hazards and any incidents that occur. They must consider how these factors are incorporated into the organization’s business strategy and financial planning.
- Management must understand the cybersecurity risks of the organization and the strategies implemented to control those risks. They must collaborate with the organization’s cybersecurity team to guarantee the efficiency of the cyber risk management program and promptly disclose any major cybersecurity risks and incidents.
- The cybersecurity incident response team should establish procedures for quickly detecting and assessing cybersecurity incidents. They should also provide sufficient information to leadership and counsel so they can assess the significance of an incident and report it immediately if it’s considered significant.
Organizations that fall under the new regulation must recognize that cybersecurity risk is a crucial business risk and take appropriate measures. Per the requirement, they must reveal significant cybersecurity incidents.
To stay ahead of the competition and prevent severe financial losses and loss of investor trust, organizations must take significant steps toward managing cybersecurity risk. This responsibility falls not only on the cybersecurity teams but also on the board and management. They must be aware and engaged to guarantee that the organization's cybersecurity policies, risk management practices, and controls, along with those of third parties, are identified, managed, and monitored.