Mary K. Pratt
Contributing writer

When and how to report a breach to the SEC

Feature
Mar 16, 2023 | 9 mins
Tags: CSO and CISO, Markets, Regulation

Publicly traded companies will have to make decisions and prepare for the reporting of cybersecurity breaches to the Securities and Exchange Commission when new requirements are enacted.

New cybersecurity reporting requirements for publicly traded companies are expected to be enacted in the spring of 2023, with proposed rules from the US Securities and Exchange Commission (SEC) looking for more information and transparency from those hit with security incidents.

Under the proposal, the SEC would implement three new rules that public companies will need to follow:

  • A requirement that companies report any cybersecurity event within four business days of determining that it was a material incident.
  • Mandatory disclosures regarding the board of directors’ oversight of cybersecurity risk as well as details about the cybersecurity expertise and experience of individual board members.
  • Mandatory disclosures about management’s role in addressing cybersecurity risk.

The SEC action has — or should have — security leaders, their C-suite colleagues, and board directors prepping for the new steps they’ll have to follow. And it should have executives at private companies and other entities taking note, as the SEC action could have a trickle-down impact.

“The fact that we’re having a conversation about this underscores the importance of cybersecurity. It is vital to how companies operate, it is vital to the US economy, not to mention the world economy. So, all of us raising our game is absolutely critical,” says Chuck Seets, principal of Americas Assurance at professional services firm Ernst & Young.

The SEC’s plan, according to commission officials, security leaders, and board advisors, is intended to make investors better informed about incidents that could impact corporate performance and stock prices.

SEC reporting requirements enhance risk management

In announcing the proposed rule changes in early 2022, the SEC also said the updated requirements are meant “to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies.”

“Over the years, our disclosure regime has evolved to reflect evolving risks and investor needs,” SEC Chair Gary Gensler said in the announcement.

The 2022 proposal came about a decade after the SEC in 2011 first issued guidelines “regarding disclosure obligations relating to cybersecurity risks and cyber incidents” and came just four years after it released additional guidelines on the topic.

The latest round of rules reflects the growing cybersecurity risks organizations face, experts say. “The SEC wants to ensure that the investor community is properly communicated with in the event of a material cyber incident,” Seets says, noting that the growing volume of incidents, the expanding attack surface, and the rising financial impact organizations face when a cyberattack occurs all seem to have prompted the SEC action.

Morningstar Sustainalytics, an ESG research, ratings, and data firm, quantified the impact of cybersecurity incidents on stock prices in an October 2022 report. Its research showed that stocks suffered an initial decline of 2.3% four days after the incident date and bottomed out on the 60th trading day close, down 4.6%. It also found that stock prices seemed to remain affected a year later, with the returns for the “incident portfolio” studied for the report remaining down (-0.65%) a year after the cyber event while the average return of those stocks in the prior year to the incident was 8.47%. Researchers wrote that the findings signal “a significant and persisting impact from high-risk cyberattacks.”

Take steps now to report breaches

A year after being announced, the regulations are widely expected to be implemented this spring. “So the time now is less about feedback and more about giving boards and organizations time to get ready,” says Rob Clyde, executive chair of the board of directors for White Cloud Security. “Everybody is pretty much saying the same thing: if you’re a board director of a public company, you better consider it a done deal come spring. So, the wise thing to do if you’re a board director is to assume it will be enforced immediately.”

Clyde and others say corporate leaders should be taking steps now to be ready to meet the new requirements, thinking through how the company would respond to breaches, ransomware, and other cybersecurity incidents and determining whether and what they need to add or change to meet the new SEC requirements.

“There’s work to do before there’s a breach, because if you haven’t thought through all the questions that you will be asked [post-breach for the SEC], you will be in a difficult spot,” says Tony Velleca, CISO of UST, a digital transformation solutions company. “You have to think about what those reporting criteria are, what ‘material’ is and have the process down to have that decision made within the four-day timeline.”

What makes a cyber incident “material”?

Much of this SEC change revolves around what makes a cyber incident “material”: how that call will be made, who will make it, and the complexity surrounding the term. “The word ‘material’ is incredibly important,” Seets says, stressing that the requirement to report hinges on determining whether a cyber incident is deemed material, and that the reporting timeline runs from when that determination is made. “The clock doesn’t start counting when the incident started or even when it was discovered, but once it was deemed to be material.”

Despite the importance of this distinction, the SEC does not provide a checklist for what specifically constitutes a material incident; it does, however, offer some elements for making that determination. “First and foremost, SEC requires that disclosure be made through the lens of a reasonable investor — so not what the CISO or the CFO or the chief legal officer thinks is reasonable. Rather, materiality is around what a reasonable investor thinks is material,” Seets says. He adds that the SEC also reminds registrants that determining materiality is both a quantitative and a qualitative exercise. “It’s not an either/or,” Seets says.

Quantitative factors can include the amount of data compromised, the number of systems down, and the criticality of downed systems, among other things, he says. Qualitative factors will be more subjective but may include whether the company’s reputation or brand had been harmed, whether ransom was paid, whether law enforcement was involved, and whether suppliers or customers were notified.

This exercise also means determining when a series of security incidents that individually may not be deemed material do, in aggregate, meet the company’s definition of material, Seets says, noting “That is one of the more challenging provisions of the draft.”

Disclosures will require a corporate team effort

Experts advise corporate leaders and their boards to work together to devise guidelines on what would constitute a material incident for their company. “Disclosures by their very nature are a team sport. By that, it means it involves people from security, legal inside the company, outside legal counsel, the CFO, investor relations. The entire C-suite may be involved,” Seets says. “Security officers will have to lean into this, and they’ll have to make sure everyone is on the same page about what they think a reasonable investor would think is material.”

However, despite such advance work to define what is material, Clyde says some companies may still encounter incidents that fall into gray areas, which is tricky, as reporting what turns out to be a minor issue could be problematic and cause undue damage. “You don’t want to announce at the first sign of a breach, as blowing something out of proportion causes harm as well,” Clyde says.

CISOs typically won’t be the ones reporting incidents to the SEC. (That task, with reporting done via Form 8-K, will likely fall to someone else, such as the compliance officer.) Still, security chiefs will have more work under the SEC rules, assuming they are enacted as expected.

For example, CISOs will likely also have to provide details on the incident and the post-incident response, such as how much data was extracted and what the root cause of the incident was. As Clyde says: “Documenting this and documenting processes are going to be critical for a company under SEC oversight.”

CISOs and boards must work together

CISOs will also have to work with the board, their C-suite colleagues, and, of course, the disclosure committee as the company works through the security incident.

“Once you say it’s a material incident, you have to subsequently update investors on the status of the incident,” Seets says. He advises companies to drill for the new SEC requirements, drills that the CISO can help lead. “One of the most important things to do is a dress rehearsal,” he says, adding that companies could also examine how they have handled past incidents to identify and practice what they’ll need to do differently moving forward.

Experts say that may include drafting a plan that identifies who would bring information to the disclosure committee, who would communicate which pieces of information and how, and what information should go to the full C-suite and the board, and when.

This work comes as organizations are experiencing a growing number of incidents. In a 2022 ISACA report, 43% of respondents said their organization is experiencing more cyberattacks. On the other hand, survey respondents indicated a growing confidence in the ability of their cybersecurity teams to detect and respond, with 82% saying they’re either somewhat, very, or completely confident in their team’s ability, up from 77% the prior year.

Private entities should take note

Although only public companies that trade on US exchanges must adhere to SEC regulations, experts say private companies and other organizations should also take note of these anticipated rule changes. Privately held companies also have investors and stakeholders who will want to know — and have a vested interest in — how the organization identifies and manages cyber risk and whether it experiences a material incident.

Additionally, companies that want to go public or be acquired by a public company would want to understand and follow such best practices, too, Clyde says. Consequently, experts say the best practices recommended for public companies to meet the forthcoming SEC rules are relevant to private companies and other types of organizations, such as nonprofits.

Although the expected implementation of the new SEC requirements will add another layer of security-related work, security leaders say it may bring some positives. Velleca says the greater transparency it may yield could provide more data that could help security teams better defend and respond moving forward. And Clyde says the expected SEC action could also elevate the CISO role, particularly at companies where the security chief is not yet seen as a full-fledged member of the C-suite.