The SEC’s Cybersecurity Rule: What You Need To Know And How To Prepare
In our ever-expanding digital landscape, cybersecurity is not just an IT concern but a critical business imperative. In late September of this year, the U.S. Securities and Exchange Commission (SEC) finalized its July 2023 rules on cybersecurity risk management, strategy, governance, and incident disclosure for public companies. These rules require publicly traded companies to file detailed disclosures describing their cybersecurity strategy, governance, and risk management and report all material cybersecurity events within four days.
While many public companies have previously offered cybersecurity disclosures voluntarily, the SEC’s new regulations aim to standardize this process. The intent is to ensure investors and shareholders have consistent and comparable information about a company’s cybersecurity posture and incidents. Codifying reporting in this way underscores the growing importance of cybersecurity and the need for transparency in how companies address and manage cyber risks.
Before exploring the specifics of the cybersecurity rule, however, let’s consider the business implications of recent cybersecurity breaches and why executives should care about this new rule.
Why Executives Should Care about the SEC Cybersecurity Rule
Loss of Revenue and Increased Expenses
The financial implications of a cybersecurity breach can be substantial. For instance, in September 2023, MGM Resorts International faced a significant cyberattack that affected its reservation system and casino floors across multiple states. MGM Resorts reported a $100M revenue loss in its October 8-K, a loss it projects will not affect its financial condition in a material way. However, according to CSO Online, beyond the immediate costs of addressing the breach, other costs include revenue lost from advertising (e.g., Sinclair Broadcast Group) and disrupted operations (e.g., Colonial Pipeline), as well as additional costs tied to legal fees (e.g., Capital One, T-Mobile), credit monitoring for customers (e.g., Equifax), and security remediation. Should a company need to recover its lost revenue or costs through price hikes, price- and risk-sensitive customers might switch to competitors, reducing the company’s market share.
Shareholder confidence can be significantly shaken by cybersecurity incidents, particularly with larger breaches. When a company’s systems are compromised, it raises questions about the company’s ability to safeguard critical data and maintain operational integrity. A company’s perceived mishandling of such incidents shows up in its stock price and the stock prices of its suppliers. For example, after the cyberattack on MGM, its stock price saw a decline of 1.94%. When Capital One credit card accounts were compromised in 2019, the company’s stock price immediately dropped 6% and then suffered another 14% drop in the two weeks post-attack. Such incidents can lead to a drop in share prices over a longer term, reflecting diminished investor confidence in the company’s ability to manage risks.
Cybersecurity breaches can inflict lasting damage on a company’s reputation. A reputation built over years or even decades can be severely tarnished within hours of a cybersecurity breach. According to Reuters, beyond MGM Resorts casino visitors encountering unworkable slot machines, the 10-day attack meant, for example, that Mandalay Bay and Bellagio guests could not use their room keys, and that some customers’ names, Social Security numbers, and driver’s license numbers were exposed. Even when companies overcome the near-term financial hit, these incidents can catch them flat-footed and erode trust among customers, partners, shareholders, and other stakeholders, which can reduce revenue over time.
Regulatory & Legal Consequences
Beyond the immediate operational and financial implications, companies also face potential regulatory and legal consequences following a cybersecurity breach. The SEC’s new rule on cybersecurity disclosures, clearly a reaction to these material cybersecurity incidents, is an example of increasing regulatory scrutiny. Non-compliance or inadequate disclosures can result in penalties, legal actions, and further reputational damage.
With these consequences in mind, let’s delve into the SEC cybersecurity rule itself.
SEC Cybersecurity Rule 2023
The digital age has ushered in many business opportunities but has also extended the “surface area” exposed to cybersecurity threats. As cyber incidents become more frequent and sophisticated, there’s an increasing need for transparency in how companies address these challenges.
By mandating standardized disclosures, the SEC aims to ensure shareholders can make informed decisions based on a consistent data set. This approach reflects the broader trend toward greater corporate accountability and transparency in the face of evolving cyber threats.
Cyber Rule Compliance
We see compliance with the rule falling within two areas: cybersecurity disclosure and cybersecurity preparedness.
Cybersecurity Disclosures for Material Incidents
- Disclosure Requirements: Companies must promptly disclose any significant cybersecurity incidents they encounter. Disclosure ensures that shareholders are informed about potential vulnerabilities or breaches that could impact the company’s operations or reputation.
- Form 8-K (Item 1.05): Companies are required to disclose any incident deemed material. The disclosure should provide a detailed account of the incident, including its nature, scope, timing, and potential or actual material impact on the company’s operations and financials.
With the implementation of the new SEC rules, public companies will face a stringent reporting mandate. Every time a material cyber incident affects their operations, they will be obligated to file detailed reports with the SEC within four days. The term “material” is based on the severity of the incident’s impact on the company’s business, operations, and financial standing. This rapid reporting requirement underscores the need for companies to enhance their incident response and management processes substantially.
- Annual Details: Registrants must provide an annual overview of their cybersecurity risk management, strategy, and governance practices. This aims to give shareholders a clearer understanding of the company’s proactive measures and overall cybersecurity posture.
- Regulation S-K (Item 106): Companies are mandated to offer a descriptive account of their processes for assessing, identifying, and managing risks from cybersecurity threats. This includes detailing methodologies, tools, and strategies employed to counteract these threats.
- Board Oversight: The new rule emphasizes the importance of the board of directors’ active involvement in overseeing cybersecurity risks. Companies must disclose the extent and nature of the board’s involvement, showcasing their commitment at the highest levels.
- Management’s Role: It’s crucial for shareholders to understand the role of the company’s management in handling risks. As such, companies are required to detail the expertise, responsibilities, and specific actions taken by management to ensure cybersecurity readiness.
- Foreign Private Issuers: Though operating from outside the U.S., foreign private issuers are also subject to the rule when they have dealings in U.S. markets. They must adhere to similar disclosure requirements, ensuring that all public companies, regardless of origin, maintain a consistent standard of transparency and accountability in cybersecurity matters.
Essentially, the SEC wants public companies to have management invested in cybersecurity protections, rather than relegating cybersecurity decision making to their CISOs. It’s not just about identifying and addressing the technical aspects of a breach; companies must also swiftly evaluate the business and financial implications of each incident. This includes assessing costs related to business interruptions, production decreases, product launch delays, ransom payments, remediation efforts, increased cybersecurity protection expenses, revenue losses from intellectual property theft, post-incident legal fees, potential harm to employees, and the long-term repercussions on brand reputation.
The SEC has set clear timelines for companies to adhere to the new cybersecurity rules. For the Form 10-K and Form 20-F disclosures, compliance begins with the annual reports for fiscal years ending on or after December 15, 2023. Meanwhile, the Form 8-K and Form 6-K disclosure requirements take effect either 90 days after the rules are published in the Federal Register or on December 18, 2023, whichever date is later.
For smaller reporting entities, there’s a bit of leeway. They have an extended timeline of an additional 180 days before they are obligated to begin providing the Form 8-K disclosure. Furthermore, in terms of structured data mandates, all registrants should note that they are required to tag their disclosures in Inline XBRL. This tagging should be initiated one year from the date they first comply with the associated disclosure stipulation.
Strategic Business Decisions
As Toffler has discussed before, cybersecurity is no longer just an IT concern; it’s a strategic business issue. The ripple effects of a breach can influence various business decisions, from mergers and acquisitions to entering new markets. Companies need to integrate cybersecurity considerations into their broader business strategy to ensure resilience and sustainable growth.
Comprehensive Risk Assessment
Traditional cyber risk assessments often operate at a tactical level, producing results that, while invaluable to CISOs and cybersecurity teams, may not resonate with executive decision-makers. These assessments delve into the technical intricacies, such as vulnerabilities within specific information systems, but often overlook the broader drivers of cyber risk. Factors like economics, geopolitics, social attitudes, and government policies are frequently sidelined. Moreover, many assessments fail to consider how certain business decisions or lapses in areas like physical security, insider risk, and crisis management might amplify cyber risks.
As the SEC’s new rule prompts companies to disclose their cybersecurity risk assessment programs, these gaps will become increasingly apparent. Forward-thinking investors will not only question but demand a more holistic approach to cyber risk assessment. To address this demand, companies must adopt strategic risk assessment programs that evaluate enterprise-wide threats, vulnerabilities, trends, and drivers.
Toffler Associates’ Tools: Building a Resilient Cybersecurity Framework
In an era where cyber threats are evolving rapidly, Toffler Associates stays abreast of technological and legislative changes to help organizations navigate the complexities of cybersecurity. With a legacy rooted in foresight and strategy, Toffler Associates has been instrumental in guiding businesses through transformative social and legal changes. Rather than providing our clients canned scenarios, we tailor scenarios unique to their business that consider the following:
- Societal Coalitions and Collisions
- Bio-digital Convergence
- Infrastructure Adaptation
- Climate Conflicts
This holistic approach, combined with our deep industry knowledge and innovative strategies, ensures that organizations are prepared to turn potential challenges into opportunities. This suite of tools empowers companies to assess, identify, and manage material risks from cybersecurity threats. By focusing on a comprehensive understanding of cyber implications beyond just the IT stack, we ensure companies are resilient in the face of cyber risks.
Toffler’s Tabletop Exercises offer organizations a simulated environment to assess their preparedness against potential cyber threats. By creating real-world scenarios, these exercises allow teams to test their response strategies, identify gaps in their current protocols, and refine their approach. The hands-on nature of Tabletop Exercises ensures that all stakeholders, from IT professionals to top-level executives, understand their roles during a cyber incident. This approach strengthens an organization’s immediate response and fosters a culture of continuous learning and improvement in cybersecurity practices.
Scenario Analysis explores potential future challenges. By envisioning various cyber threat scenarios, from data breaches to advanced persistent threats, Toffler Associates helps companies anticipate potential risks and devise strategies to counteract them. This ensures that businesses are not caught off-guard but are well-prepared to navigate the ever-changing cyber landscape. Furthermore, by exploring various cybersecurity threat scenarios, companies can anticipate potential risks, strategize appropriate responses, and align their cybersecurity framework with the expectations set by the SEC rule.
By understanding the broader implications of each scenario, companies can make informed decisions, ensuring their cyber policies encompass all facets of their operations, from public relations to investor relations. Our proactive approach ensures compliance with the SEC and fortifies the organization’s defenses against unforeseen cyber threats.
Fortify Your Cybersecurity Framework With TA
In an era where cyber threats are evolving and regulatory landscapes are shifting, companies must be proactive, strategic, and comprehensive in their approach to cybersecurity. The SEC’s new rule underscores the importance of transparency, preparedness, and resilience. However, navigating these requirements and ensuring robust cybersecurity practices is no small feat.
This is where Toffler Associates steps in. With our expertise and innovative tools like Tabletop Exercises and Scenario Analysis, we empower companies to meet regulatory demands and identify, assess, and manage cybersecurity risks. As you prepare your company to handle these threats and comply with the SEC, allow TA to fortify your cybersecurity framework.