Implementing the New SEC Disclosure Rules

In my past two blogs (SEC Relies on Old Cause of Action for New Hack and New SEC Disclosure Rules Can Help Cybersecurity: Lessons from SolarWinds), I covered the impact of the new SEC (Securities and Exchange Commission) rules but not how they are implemented.

In this blog, I discuss the content of the new rules in more detail and how to implement them.


Form 10-K

The first rule we look at concerns Form 10-K. The new rule will require registrants to describe in their annual filings their processes for assessing, identifying, and managing consequential risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect the organization. Although registrants were already reporting cybersecurity risks, they were doing it in a way that lumped cybersecurity risks together with general risks like market conditions or earthquakes. This made it impossible for investors to determine the true cybersecurity posture of the organization.

Section 229.106 covers disclosure requirements, mandating not what the registrant must do, but what they must disclose on Form 10-K. If the registrant’s cybersecurity program is weak, it will be punished by investors who will have access to the information disclosed in Form 10-K.

Section 229.106 is made up of four parts, two of which are important to note. Section 229.106(b)(1) requires the registrant to describe their processes, if any, for the assessment, identification, and management of material risks from cybersecurity threats. During the adoption proceedings for these new SEC rules, there was some debate about what a ‘process’ is. According to the proceedings record, “the shift to ‘processes’ also obviates the question of whether to require companies that do not have written policies and procedures to disclose that fact.”

Although disclosure of formal written policies and procedures may not be required on Form 10-K, the lack of such a disclosure might be frowned upon. In addition, it may complicate the other disclosures required by Section 229.106(b)(1)(i), (ii), and (iii): a statement about how the organization has integrated its cybersecurity risk process into its overall risk management system, a list of third parties engaged in implementing the processes, and the method used to monitor third parties. Making these disclosures without written policies would be exceptionally difficult. Written policies and procedures may not be required, but making the required disclosures will make it evident to investors whether or not the organization has them.

Making disclosures concerning the impact of any cybersecurity threats or the results of any cybersecurity incidents under Section 229.106(b)(2) involves a similar approach. Disclosing the effect a threat or an incident has on the registrant’s business strategy, results of operations, or financial condition requires something written.

These disclosures do not require a lot of effort for a registrant that already has a cybersecurity framework in place. For a less mature program, the registrant will have to create a process that considers all the requirements of Sections 229.106(b)(1) and (2).

The other part of the regulation (Section 229.106(c)) is less onerous. It requires the registrant to disclose how the board handles cybersecurity. Specifically, the board must disclose which person, board committee, or subcommittee is responsible for overseeing risks from cybersecurity threats (Section 229.106(c)(1)).

The registrant must further describe management’s role in assessing and managing the registrant’s material risks from cybersecurity threats, including the expertise of any person or committee (Section 229.106(c)(2)(i)). The registrant must disclose how the person or committee is informed of the prevention, detection, mitigation, and remediation of cybersecurity incidents, and how the person or committee informs the board. These processes can be described in job descriptions.

Form 8-K

In addition to Form 10-K, which is annual, the new rule added Item 1.05 to Form 8-K. Form 8-K must be filed within four days of determining that a cybersecurity incident was material. The filing needs to include a description of the “material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.” The new Item 1.05 requirements should be incorporated into the registrant’s incident response plan.

An important aspect of the Item 1.05 instructions is that the original 8-K must be updated by amendment with any material information that was unavailable when it was due.

Whenever the form is due and whatever information goes into it, the registrant must be extremely careful that the information is accurate and not misleading. Fraud is the basis of SEC v SolarWinds. The best way to ensure the information is accurate is to establish a framework that is audited and kept up to date. This provides both ease of compliance and the best cybersecurity.


How IT Governance USA can help you meet your SEC cybersecurity disclosure obligations

We are experts on information security, cybersecurity, and cyber incident response management, and have been helping organizations around the world implement and maintain best practices for over 20 years.

If you need help with your cybersecurity program, or with identifying and responding to a cybersecurity incident – including reporting – we have everything you need.