New cybersecurity disclosure requirements from SEC

On cybersecurity, the SEC had issued interpretive guidance in 2011 and 2018 and had proposed a rule in March 2022. The new rule has some changes from the proposed rule.

Fintech companies face the daunting task of protecting vast amounts of sensitive data

By Deepa Seshadri and David George

The Securities and Exchange Commission (SEC) adopted new rules on cybersecurity disclosures on 26 July 2023. The rules require registrants to disclose any material cybersecurity incidents they experience, and to disclose material information about their cybersecurity risk management, strategy, and governance on an annual basis. This is a timely step by the SEC to make investors aware of an organisation's security posture.


Requirements of the final rule include:

* Material cybersecurity incidents (on the registrant's own, used, or third-party resources) must be disclosed on Form 8-K within four business days of their being determined to be material. Under Form 8-K Item 1.05, a registrant must disclose the material aspects of the nature, scope and timing of the incident, and its material impact or reasonably likely material impact, including on the registrant's financial condition and results of operations. Technical information that could affect incident response and remediation is not required to be disclosed.

* Annual disclosures in Form 10-K pertaining to (1) cybersecurity risk management and strategy, (2) “management’s role in assessing and managing material risks from cybersecurity threats,” and (3) “the board of directors’ oversight of cybersecurity risks.”

* The presentation of disclosures in Inline eXtensible Business Reporting Language (Inline XBRL).

All types of periodic SEC filers, including domestic registrants, foreign private issuers (FPIs), smaller reporting companies and emerging growth companies, are covered by the final rule. A registrant may delay filing the Form 8-K if the U.S. Attorney General “determines immediate disclosure would pose a substantial risk to national security or public safety.”

Assessing the materiality of the incident:

When assessing the materiality of an incident, a registrant must consider both qualitative and quantitative factors. These include the probability of adverse outcomes, the significance of any loss, and the nature of harm to individuals, customers, vendors, and the registrant’s reputation. The possibility of litigation and regulatory scrutiny would also affect materiality. The SEC notes in the final rule, citing US Supreme Court cases, that information is material if:

* There is a substantial likelihood that a reasonable shareholder would consider it ‘important in making an investment decision’ or

* Disclosure of the information would have been viewed by the reasonable investor as having ‘significantly altered the ‘total mix’ of information made available’. Therefore, a lack of significant quantifiable harm does not necessarily mean that an incident is not material.

Annual disclosure requirements:

With respect to the annual disclosures, the final rule adds Item 106, “Cybersecurity,” to Regulation S-K. Disclosure required by Item 106 is to be provided in Part I of Form 10-K in Item 1C, “Cybersecurity.”

Risk Management and Strategy: Item 106(b)(1) requires disclosure of the registrant's processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats. This includes disclosure of how cybersecurity processes have been integrated into the organisation’s overall risk management system; whether the registrant engages assessors, consultants, or auditors in connection with these processes; and whether the registrant has processes to oversee and identify material risks from cybersecurity threats associated with its use of any third-party service providers.

Governance: Item 106(c)(1) and Item 106(c)(2) require the registrant to provide specific disclosures about, respectively, oversight of cybersecurity risk by its board of directors and how senior leadership assesses and responds to material risks from cybersecurity threats. For board oversight, the registrant must describe the board of directors’ role in overseeing cybersecurity risk, including the role of any committee or sub-committee. For management, the registrant must identify which management positions or committees are responsible for assessing and managing such risks and their relevant expertise; the process by which these persons or committees monitor cybersecurity risks; and whether and how management reports cybersecurity risks to the board of directors or a committee or sub-committee of the board.

The final rule is effective 30 days after its publication in the Federal Register. All registrants must comply with Form 8-K Item 1.05 beginning the later of 90 days after the date of publication in the Federal Register or December 18, 2023. For smaller reporting companies, compliance begins the later of 270 days from the effective date of the rule or 15 June 2024. Regulation S-K Item 106 disclosures will be required beginning with annual reports for fiscal years ending on or after December 15, 2023.

To comply with these requirements, organisations could devise a cyber risk management process with clearly defined roles and responsibilities split between the board of directors and executive leadership. They also need to document and establish a process for reporting cyber posture to business leaders; a policy to identify crown jewels and determine materiality; mechanisms to report material incidents within four business days, including incidents at third parties; and clarity on what needs to be disclosed, keeping in mind the confidentiality of such information. Finally, registrants could perform a dipstick diagnostic assessment to test their preparedness.

Authors are Deepa Seshadri, Partner, Deloitte India and David George, Director, Deloitte India.

Disclaimer: Views expressed are personal and do not reflect the official position or policy of Financial Express Online. Reproducing this content without permission is prohibited.

This article was first uploaded on 5 October 2023 at 4:03 pm.