Brand New SEC Cybersecurity Requirements

Our experts break down the new cybersecurity rules from the SEC that are impacting publicly traded companies.

If you’re a publicly traded company, you’re required to report cybersecurity events that impact the bottom line to your investors. You’re also required to disclose to investors whether cybersecurity expertise exists on your board and the state of cybersecurity at the company. And you need to do this every year. In the event of a cybersecurity incident you’re expected to report it to investors within just four days.

These are the new requirements approved by the U.S. Securities and Exchange Commission (SEC) on July 26, 2023. The rule will become effective 30 days after its publication in the Federal Register. Compliance is expected for most companies by the end of 2023 and by summer 2024 for smaller entities. Subscribe to our ACT Digest for more updates as they’re released.

New Requirements

We summarize the new requirements as follows:

• Routine and structured disclosure of cyber risk to investors

• Disclosure of material cyber incidents to investors

• Disclosure of cybersecurity expertise of the board room

• Determination of materiality

• Categorization of losses

• Cybersecurity expense return on investment

• Integration of cyber risk into enterprise risk

• Inline XBRL formatting

The new requirements are meant to keep investors apprised of the cybersecurity risks taken by public companies. That includes both your current state of cybersecurity as well as any ongoing or future cybersecurity incidents that will need to be evaluated for materiality and then reported within a four day period. Technology will help keep this process flowing smoothly and rapidly with a requirement for inline XBRL formatting to enable automated monitoring of reported content as well (more on this later).

On page 12 of the final rule  the SEC summarizes the new requirements with the following table:

What constitutes “materiality?”

In general, an event is considered material if it has a significant impact on the financial position, operations, or relationship with customers of a company. Companies are expected to work with their board and investors to establish a definition or the conditions of materiality.

How do we come up with an internal definition of materiality?

Think about it from an investor's perspective. What would they want to know in order to feel comfortable leaving their money with you to grow? You or someone you trust is doing that every day with your retirement money. The folks investing on your behalf want to know if there have been any events that may impact the value of their investment. If the board of the companies are reporting lax cybersecurity practices, the investor may choose to invest elsewhere. If the company had a factory, wouldn’t you want to know if a whole storage depot of their product was destroyed by flooding? If that did happen, you might want to also know what the risk of flood risk is for your other investments. You could go to each company every quarter and ask “How at risk are you of flooding and what are you doing to mitigate that risk?” and then repeat that process for the many other risks that could lower the value of your investment. In the same way, your investors want to know how prepared you are to foresee and mitigate cybersecurity risk events like data breaches, ransomware, and data center outages resulting from cyber attacks. Whatever happens in between, if the value of your investment is at risk you want to know and by how much.

There is no official calculation for materiality but there are tendencies such as [1]:

• 5% of pre-tax income

• 0.5% of total assets

• 1% of equity

• 1% of total revenue

• 2% to 5% of gross profit (if GP < $20,000)

• 1% to 2% of gross profit (if GP > $20,000 and < $1 mil)

• 0.5% to 1% of gross profit, (if GP > $1,000,000 and < $100 mil)

• 0.5% of gross profit (if GP > $100 mil)

• 1.84 times (the greater of assets or revenues)^⅔

• Weighted combinations of the above.

[1] - From McKee, T.E. & Eilifsen, Aasmund. (2000). Current Materiality Guidance for Auditors. The CPA Journal. 70. 54-57.

“Don’t they already have to report data breaches?”

Until now companies were not exactly required to tell you about cybersecurity incidents that impacted the value of your investment or circumstances that put it at risk. Some companies volunteered that info in the “risk factors” section of their investor reports but even among them the format and consistency of reporting was uninformative at best and oftentimes confusing or obscured. 

Companies that used hacked software MOVEit included pension funds, universities, government agencies, airlines, and news media. As an investor you’d have had a hard time seeing how many of your investments were at companies using that same hacked software.

“Does this mean the board needs to have a cybersecurity person?”

No, that was in the original proposal but it was removed from the final ruling. Instead, companies are required to report if they have cybersecurity talent on the board, leaving it up to investors to decide if the presence or absence should influence the choice to invest in that company.

“What is inline XBRL?”

Inline XBRL is a particular format used when writing a document that makes it easy for humans and computers to read. Kind of like how we use hashtags to tag different information in our social media posts. This enables automated processing of financial report contents for investors and the SEC in order to do things like spot inconsistencies or signs of malicious intent such as fraud. It also enables more interactive and informative navigation of documents by including inter-document links and basically tooltip popups.

More information is available in the SEC XBRL Guidance.

“How long do we have to comply?”

Most companies are expected to deliver compliant routine reports by the end of 2023 while smaller companies have until summer 2024, with the high level timeline looking like this:

• Vote for approval: July 26 2023

• Rules effective: 30 days after the Federal Register publishes.

• Reporting required: Beginning with annual reports for fiscal years ending on or after December 15, 2023.

• Incident disclosures required:

• Most orgs: 90 days after the date of publication in the Federal Register or December 18, 2023.

• Small orgs: 270 days from the Federal Register publication or June 15, 2024.

• Inline XBRL formatting required: One year after initial compliance with the respective disclosure requirement.

For more information:

• Fact Sheet Public Company Cybersecurity Disclosures

• Final rule: Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure

“Cybersecurity is complex, how can we possibly communicate that to board members and investors with varying tech savvy?”

Money talks. Use the same dollars and percentages you’re using to report everything else to communicate cybersecurity risk. You can use quantitative values and estimates to illustrate your state of cybersecurity costs and benefits to answer the key questions:

• How much money are we set to lose right now given our current state of cybersecurity? How wide of a range on that estimate?

• What could we do to narrow that range and push it to lower dollar amounts?

• How much would those security efforts cost us?

• How much money do we expect to make by taking these risks and when?

• What is our materiality threshold?

This process is known as cyber risk quantification, or CRQ. If you’re new to CRQ, check out our free spreadsheet based tool.  This tool is a good introduction but is limited in its capability. That’s why we’ve built Derive, an award winning product that helps cybersecurity teams and committees in charge of cybersecurity reporting create and complete quantitative cyber risk assessments even faster. Backed by the expertise at Hive Systems, we’ll make sure you and your team transition to CRQ seamlessly and sooner.

Find out more about Derive and get a demo here

Follow us - stay ahead.

Read more of the ACT