Cyberattack Victims Must Abide by New SEC Disclosures: Explained

December 15, 2023, 10:01 AM UTC

Publicly owned companies must comply with a new set of regulatory deadlines during the next week that will require swift disclosure of malicious cyberattacks on their networks and the processes in place to prevent them from happening again.

Entities subject to Securities and Exchange Commission authority will be required to file reports about data breaches within a shortened time frame, and must include additional specifics about the scope of any incidents, according to new SEC regulations effective Dec. 18. In-depth descriptions of a company’s cybersecurity governance will also be required in annual disclosures starting Dec. 15.

The updated obligations take effect as the SEC prosecutes a case against software developer SolarWinds Corp. that could indicate how aggressively the agency will enforce alleged disclosure violations. The new guidelines also come while government officials attempt to streamline more than 50 overlapping incident reporting requirements across federal agencies.

The agency began updating the regulations in October 2021 before requesting public feedback on the proposed rules in March 2022.

“Firms have to make real-time decisions when responding to cyber events and around related disclosures, especially when there are ongoing attacks, or even ongoing internal and criminal investigations,” SEC Enforcement Director Gurbir S. Grewal said during a June speech in which he emphasized that those decisions affect customers whose data’s been compromised. “Those decisions may also be material to investors in publicly-traded companies.”


1. How are breaches disclosed?

Updated reporting requirements are intended to inform investors about a company’s cybersecurity posture “while steering clear of security sensitive details” that could be leveraged by threat actors, according to the final rule published Aug. 4.

Within four days of determining that a cybersecurity incident affected business, companies must report the hack’s impact using a Form 8-K. The disclosure requires information about the incident’s timing and scope, including when a breach was discovered and whether any data was stolen or encrypted.

Regulators didn’t provide a cybersecurity-specific definition for materiality, but said analysis of the phrase is consistent across securities law. Incidents should be considered material if they could influence the investment decisions of “a reasonable shareholder,” the rule said, pointing to impacts on finances and brand perception as examples of materiality.

Investors should also be made aware of how a victim attempted to mitigate an incident and whether the company will face any financial or operational fallout from the hack, according to the rule. Companies are required to file an amended Form 8-K within four days of determining any new information about the incident.

Despite agency assurances these disclosures won’t threaten internal security, organizations including the Software Alliance and American Gas Association expressed concern in public comments that the details could provide a road map to attacks for threat actors. The AGA stressed the importance of information and data sharing after Colonial Pipeline Co. was compromised in 2021 by a ransomware group, leading to fuel shortages along the east coast of the US.

Regulators accounted for industry concerns by removing requests for technical details about an incident and instead focusing on its material impact, the final rules said.

The deadline to begin complying with the reporting requirement is Dec. 18 for most companies subject to SEC regulation. Smaller companies—defined as earning less than $100 million in annual revenue or having less than $250 million in public stock—have until June 15, 2024 to begin the disclosures.

2. What’s required for governance?

The SEC’s Division of Corporation Finance found that most companies haven’t been disclosing information about their cybersecurity oversight when reporting an incident, the rule said. The agency argued more oversight specifics “will reduce information asymmetry” in the market and better equip investors with crucial knowledge about a business’s level of preparedness to address cyber risks that might affect its strategy or financial outlook.

New disclosures—which companies must make in a Form 10-K—seek to achieve that by describing the processes for assessing and managing material cybersecurity risks. Risk assessment disclosures could include information about audits on security systems or threats posed by third-party vendors, according to the rule.

Oversight disclosures should name any board of director committees overseeing cybersecurity and explain how members stay abreast of threats, according to the rule. The SEC is also asking for disclosures in the Form 10-K about which company roles are in charge of monitoring cybersecurity and how incidents are escalated to the board.

Domestic companies whose fiscal years end on or after Dec. 15 must disclose the new information in annual reports. Regulated companies incorporated outside of the US must report similar details on item 16K of Form 20-F.

3. Are there exceptions?

The rule allows for delayed disclosures of a material cyber incident in cases that could threaten national security or public safety. Companies seeking a 30-day initial delay must first contact the FBI with information about the incident and explain the consequences of filing a public disclosure, according to guidance issued Dec. 12 by the Department of Justice.

Delays may be granted if publicly acknowledging a hack could create more incidents or undermine a company’s attempts to mitigate its impact, the guidance said. Justifications for a delay also include the breach of a system containing sensitive US government data.

The FBI must refer the request to the attorney general alongside its analysis of whether disclosure poses risks to national security or public safety. The attorney general has the same four-day deadline to grant or deny a delay request. If the attorney general grants the initial delay, companies can request more time if the risks continue, up to a maximum of 90 days after the original delay. Requests for a delay beyond that period require a case-by-case exemption from the SEC, the guidance said.


Asset-backed securities issuers are exempt from the rule because the SEC concluded those entities don’t typically use the online information systems governed by the regulation.

4. How are violations enforced?

The SEC has “zero tolerance for gamesmanship” when it comes to cybersecurity disclosures, Grewal, the agency’s enforcement director, said during a June speech when he warned companies against prioritizing reputation over transparency by intentionally minimizing incidents or not reporting them.

The agency could hand down monetary penalties to any regulated entity that violates either new disclosure mandate. Insurance company First American Financial Corp. paid the agency nearly $500,000 in June 2021 after allegedly waiting months to disclose a security breach despite knowing about it.

Other consequences for noncompliance can include cease-and-desist orders or securities registration revocation.

The SEC recently demonstrated its willingness to hold security executives personally responsible for improper disclosures when it brought charges against SolarWinds’ chief security executive Tim Brown for his handling of a historic cyberattack. Brown is accused of intentionally failing to disclose cybersecurity vulnerabilities in Form 8-K filings before and after Russian cybercriminals used their access to SolarWinds to infiltrate dozens of private and government networks. The company faces civil penalties of up to $100,000. The agency has also requested a court order blocking Brown from employment as an executive in a publicly owned company.

To contact the reporter on this story: Skye Witley at switley@bloombergindustry.com

To contact the editors responsible for this story: James Arkin at jarkin@bloombergindustry.com; Kartikay Mehrotra at kmehrotra@bloombergindustry.com
