
Ultimate Guide to SEC’s New Cybersecurity Rules


The SEC has decided that cybersecurity and related issues are now a material risk that public companies must disclose. As a result, in July of this year, the agency released a new rule on the issue. Registered companies must disclose material cybersecurity incidents as they happen. Registered companies must also make cybersecurity risk management part of their annual disclosures, treating it like a standard part of the company’s risk profile to investors. This new rule significantly expands what a publicly traded company must disclose regarding its cybersecurity practices and incidents. As a financial advisor, here’s what you need to know.


What Are the New Rules?

Since the early 2010s, the SEC has treated cybersecurity as part of its mandate for market regulation. Among other steps, in 2011 the agency released guidance on cybersecurity disclosure and best practices for publicly traded companies, and it did so again in 2018. Throughout, the SEC has framed this as part of its broader enforcement of market transparency: it considers cybersecurity a meaningful part of a modern company’s risk profile that must be disclosed as such.

In 2022 it began moving forward with formal rulemaking, a process which ultimately led the agency to issue a new rule in July 2023. This supplements, but does not replace, the existing guidance on the issue. The new rule, as the SEC’s fact sheet explains, requires “disclosure of material cybersecurity incidents on Form 8-K and periodic disclosure of a registrant’s cybersecurity risk management, strategy and governance in annual reports.”

This requirement has two main elements: incident disclosure and annual reports.

New Incident Disclosure Rules

Companies are now required to disclose material cybersecurity incidents on Form 8-K. Form 8-K is the form the SEC requires from a publicly traded company when there has been a change to its business, practices or risk profile that could affect investors.

For example, the agency requires companies to file a Form 8-K when there has been “entry into or termination of a material definitive agreement, bankruptcy, completion of acquisition or disposition of assets, results of operations and financial condition, unregistered sales of equity securities, changes in registrant’s certifying accountant, changes in control of registrant, changes in or election of directors and officers, [or] amendments to articles of incorporation or bylaws.”

These are all events that can change the nature or risks involved with a business. As a result, the SEC requires that publicly traded companies make that information public so that investors can judge the new risk/reward profile of a business. Form 8-K is the process through which it enforces this mandate.

The new cybersecurity rules add a section to this form, item 1.05, in which companies must disclose any “cybersecurity incident they determine to be material and describe the material aspects of the nature, scope, and timing of the incident, as well as the material impact or reasonably likely material impact of the incident on the registrant, including its financial condition and results of operations.” 

A publicly traded company must determine materiality without unreasonable delay. Once that determination is made, it generally has four days to issue a disclosure. The SEC did not define materiality or reasonableness within the scope of this rule beyond noting that the analysis is the same as under any other securities law. These issues will likely be further defined through guidance and enforcement actions.

There is no specific financial threshold for a material incident, as some breaches might be financially minor yet still significant. In addition, a series of individually minor cybersecurity incidents may collectively add up to a material breach that companies must disclose.

New Annual Reporting Rules


Besides reporting incidents as they occur, companies must also include cybersecurity management in their annual disclosures. As the SEC explains, in their annual disclosures publicly traded companies must “describe their processes, if any, for assessing, identifying and managing material risks from cybersecurity threats, as well as whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant.”

Collectively, these requirements are now part of Regulation S-K.

This requirement is both forward- and backward-looking. In its annual report, a company must not only describe its existing cybersecurity practices but must also disclose any threats or incidents that have occurred and could materially affect the company. However, the SEC dropped a proposed provision that would have required disclosure of board members’ cybersecurity expertise and experience, accepting feedback that these matters are typically handled at the operational level.

Collectively, these rules took effect as of September 5, 2023. Reporting requirements will begin as of fiscal years starting in December 2023. 

Bottom Line


The SEC has issued new cybersecurity rules. These rules require publicly traded and registered companies to treat cybersecurity as part of their standard risk disclosures, filing a report when cybersecurity incidents happen and including cybersecurity risk profiles in their annual reports.
