SEC’s Final Rule for Public Companies on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure
Recognizing the increasingly sophisticated nature of cyber threats, the Securities and Exchange Commission (SEC) adopted a rule pertaining to cybersecurity risk management and incident disclosures for public companies. This rule is intended to provide investors with more consistent information to make decisions. While this rule pertains only to public companies registered with the SEC, it may also provide insight into the upcoming related rule for registered investment advisors and funds. This article will provide the background of this rule before summarizing Agio’s key findings.
On March 9, 2022, the SEC unveiled a proposal aimed at bolstering cybersecurity disclosures by public companies subject to its reporting requirements. The proposal focused on the timely disclosure of cybersecurity incidents and periodic disclosure of cybersecurity risk management, strategy, and governance. These aspects were identified as crucial components for investors to understand and assess the cybersecurity posture of businesses, allowing them to make well-informed decisions.
The SEC’s commitment to transparency and collaboration was evident during the comment period that followed the proposal’s announcement. Industry stakeholders, businesses, and investors actively participated, providing valuable feedback and insights to allow the SEC to refine the rules, ensuring they strike the right balance between safeguarding investors’ interests and maintaining business resilience.
The Final Rule
Fast forward to July 26, 2023 – an important milestone was reached when the SEC published the final rule, slated to take effect within just 30 days.
While there is much to dissect in the 186-page final rule, the central focus lies in disclosing information about cybersecurity incidents and threats. Companies have three new key disclosure requirements:
- Disclose the impact of an incident within four days of determining its materiality,
- Describe the processes for assessing, identifying, and managing material cybersecurity risks, and
- Describe management’s role in, and the board’s oversight of, managing risks posed by cybersecurity threats.
The rule also finalizes what constitutes an incident, with the SEC adopting a common definition of a cybersecurity incident as “an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.”
Takeaways From The Final Amendments
While the final rule is focused on cybersecurity disclosures, we can learn from what the rule does not include as well. The rule does not require companies to adopt any specific cybersecurity protections. However, perhaps as an incentive to do so, companies do have to disclose a description of the processes they use to manage the risk of cybersecurity threats in the company’s annual report.
The four-day incident disclosure window, while much debated during the comment period, is aligned with the existing timeline for public company disclosures about other significant company events.
The rule removed many prescriptive elements from the original proposal. This allows companies to define their approach to risk management without impeding their ability to adapt specific elements of it.
Registered public companies have 30 days before the rules go into effect on Friday, August 25, 2023. Registrants will have to start to disclose information about material cybersecurity incidents and cybersecurity threats using the appropriate reporting channel on December 18, 2023. Descriptions of the registrant’s risk management and strategy, as well as descriptions of board oversight and management’s role in assessing and managing material risk from cybersecurity threats, must be disclosed with annual reports for fiscal years ending on or after December 15, 2023.
For public companies needing help with cybersecurity risk management, strategy, governance, and incident response, Agio can help. We provide services that secure public companies, and companies planning to go public. Contact us today.