SEC Cyber Rules Signal New Enforcement Plans

Hilary Tuttle

December 1, 2023

This December, the U.S. Securities and Exchange Commission will implement rigorous new cybersecurity reporting requirements for publicly listed companies. The rules require publicly listed companies to formally disclose any cyber incident that will have a material impact on the organization’s financial condition or operations, and mandate extensive annual disclosures regarding cybersecurity risk management, strategy and governance.

The requirements, as well as recent high-profile charges filed against software firm SolarWinds, highlight the SEC’s emerging role as a more active enforcer of corporate cyberrisk management, introducing new regulatory risks for public companies and legal risks for both organizations and their directors and officers.

Incident Disclosure Rules

Starting December 18, the SEC will require publicly listed companies to formally disclose cyber incidents within four days of determining that an incident is material. According to the SEC, “The new rules will require registrants to disclose on the new Item 1.05 of Form 8-K any cybersecurity incident they determine to be material and to describe the material aspects of the incident’s nature, scope and timing, as well as its material impact or reasonably likely material impact on the registrant.” This requirement extends to any material incident, whether it results from an accident or from a deliberate attack.

Much of the conversation about the new SEC requirements has focused on the four-day window. This relatively tight timeframe has drawn some concern about feasibility. However, it is worth noting that there are two steps to establishing the applicability of the requirement, which may slightly soften its severity in practice. First, the company must determine whether an incident occurred—for example, by verifying that there was data loss, exposure, disruption or outage. Other regulators have discussed what appropriate timeframes might be for identifying a breach or attack, but this SEC requirement does not stipulate timing regarding detection itself. The clock starts ticking only once materiality is established, and that determination is a second, potentially complex assessment process.

Ultimately, while the reporting requirements pose notable challenges for organizations, the end goal of regulators appears to be to further solidify accountability and governance expectations for cyberrisk management as an enterprise issue. 

As SEC Chair Gary Gensler noted, “Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies and the markets connecting them.”

Cyberrisk Management and Governance

While much of the attention around the SEC’s new rules has centered on the incident reporting requirements, the bigger story might be the regulator’s new annual reporting requirements regarding detailed discussions of risk management processes, board members’ cyber expertise and the board’s governance of cyberrisk. Risk professionals and their colleagues in IT, information security, legal and compliance functions will face substantial new burdens in reviewing, assessing, articulating and disclosing their organization’s exposure to and management of cybersecurity threats on an enterprise level. These disclosures will be a required component of annual 10-K (or 20-F for foreign issuers) reports for fiscal years that end on or after December 15, 2023. 

According to the SEC, “The new rules also add Regulation S-K Item 106, which will require registrants to describe their processes, if any, for assessing, identifying and managing material risks from cybersecurity threats, as well as the material effects or reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents. Item 106 will also require registrants to describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats.”

Implicitly, this half of the new rules means companies need to have a cyberrisk management strategy and governance processes in the first place—and that is not always the case. Despite myriad lessons about the drastic tolls of cyberrisks and already extensive regulatory requirements, it is safe to say that a significant number of organizations still lack formal cyberrisk management programs that are reasonably likely to pass muster, even though the SEC has not yet clearly defined its criteria. As a result, this may be the bigger burden arising from the new SEC requirements and may require a heavier lift for organizations that need to ensure compliance.

Having adequate cyber expertise on boards remains a key shortcoming for companies, which have increasingly come to find themselves competing for qualified directors in an extremely tight talent pool. The SEC has expressed a desire to have specific board members with cyber expertise and oversight responsibilities explicitly identified among board action details. The regulator has previously defined cybersecurity expertise for board members as: prior work in cybersecurity; certification or a degree in cybersecurity; and/or knowledge, skills or other background related to cybersecurity. 

Drawing upon data from the Wall Street Journal, EY and executive search firm Spencer Stuart, a study conducted by the CAP Group and published by the Forbes Technology Council found boards severely lack the expertise to govern cyberrisk effectively, asserting the vast majority have gaps that may translate into failing to meet the SEC’s requirements. Among the Fortune 100, 51% have a director on the board with relevant cyber experience. That number goes down to just 9% when expanded to include the Fortune 200 and 500. Of companies in the Russell 3000, 90% lack even a single director with the necessary cyber expertise.

When it comes to board oversight, it is difficult to benchmark exactly how prepared companies truly are—or are not—to meet these requirements as data on boards’ cyberrisk governance capabilities varies widely. In PwC’s 2023 Annual Corporate Directors Survey, respondents indicated that board members feel more confident tackling cyber issues and reported increased attention paid to cyber issues in boardrooms, “driving a more secure corporate landscape from the top.” While half of the respondents perceived cybersecurity as an overwhelming challenge for directors, PwC noted this still represents progress as it is a decline from 59% in 2022. Overall, the survey’s findings offer some positive indicators that boards are becoming more cyber-literate and are slowly translating cyberrisk concern into more active cyber governance. 

However, it is critical to note that respondents in that survey (and many others like it) assessing board performance were the board members themselves. Much of the research conducted among other stakeholders indicates board members may be overly confident and less active than they realize on true cyber governance.

Of the directors surveyed, 87% reported thinking management’s pre-read materials and presentations on cybersecurity were effective and adequate. Yet only half of respondents report receiving information on some key areas the SEC will definitely consider relevant, including incident readiness plan testing results (56%), cybersecurity program maturity assessments (53%), and third-party cybersecurity risk considerations (50%). This represents a significant area for improvement. 

In practice, however, even these rates may be an overestimation of boards’ actual visibility into and governance of cyberrisk, as reporting from management may be even more severely lacking. In PwC’s 2024 Global Digital Trust Insights report, which surveyed nearly 4,000 business, technology and security executives worldwide, just 23% of respondents said they bring insights on changing cyberrisk exposure and mitigation measures to the CEO and board.

In terms of actual cyberrisk management processes and oversight thereof, according to the Digital Trust Insights report, titled The C-Suite Playbook: Putting Security at the Epicenter of Innovation, “While excitement and budgets are rising for cutting-edge security programs, progress on actually improving security is sluggish.” The report summarized some of its key findings to that effect: “Breach costs and the number of high-dollar breaches continue to increase. Although cloud attacks are the top cyber concern, about one-third of organizations have no risk management plan to address cloud service provider challenges. Only half are ‘very satisfied’ with their technology capabilities in key cybersecurity areas. More than 30% of companies don’t consistently follow what should be standard practices of cyber defense.”

PwC found a small subset—just 179 respondents—are doing better, and they are experiencing notable competitive and operational benefits as a result. “These top 5%—our stewards of digital trust—are reaping benefits that others are missing,” the firm noted. “They’re experiencing fewer breaches, and the attacks that do hit them are not as costly. Managing risk is easier because they have streamlined their security solutions. And they have positioned themselves for greater productivity and faster growth, outpacing the competition as they plunge into new technologies with confidence that they are well protected.”

The new SEC requirements may help push more organizations into this group, potentially offering significant benefits far beyond individual companies, according to many third-party experts. In a recent survey by Deloitte, 64.8% of public company executives said their organization will strengthen their cybersecurity program specifically in response to the new rules, and 54.1% said they would push their third parties to do the same. 

According to the World Economic Forum, “This new requirement will be a signal to investors around the world that how a company views cyberrisk matters at the highest level. It aims to put cyber expertise on the same footing as the mastery of business strategy, financial acumen and leadership skills that have traditionally been the focus of board director recruitment. Since the subjects being reported tend to lead in terms of company focus, reporting on board expertise in cyber is likely to finally catapult cybersecurity from a back-office function to a core capability of business leaders going forward.”

Rising Legal Risks

Real risks are driving this shift. The SEC’s disclosure rules do not inherently constitute specific requirements for a company’s cyberrisk management program itself, but the transparency that disclosure introduces may implicitly highlight governance failures and shortcomings relative to competitors and best practices. In addition to regulatory risk, this could also increase legal exposure for companies and their directors and officers.

Over the past few years, a budding class of shareholder derivative suits has specifically focused on cyber governance, material impacts of cyber incidents, and the board’s fiduciary duties regarding cyber. The new disclosures may well spur more legal threats as both shareholders and the SEC look to 10-K disclosures to pursue action over cyber failures. 

“We expect the SEC to aggressively pursue investigations in the cybersecurity area,” said Fred Block, partner at law firm Morgan Lewis and former supervisory counsel in the SEC’s enforcement division. “Already in its fiscal year starting October 1, the SEC has filed its first case against a CISO at a company that suffered a high-profile intrusion. The SEC has also publicly fought for access to information relating to a cyber intrusion at a national law firm. The SEC likely would not be spending these resources if they were not prepared to continue investigating whether companies who have suffered data breaches are accurately disclosing information about these breaches.”

Indeed, with the recent headline-making charges against software firm SolarWinds, the SEC demonstrated that it is not waiting for the new requirements to begin ramping up cyber-related enforcement efforts. Impacting approximately 18,000 customers including government entities, the SolarWinds case was one of the most notable software supply chain attacks to date, with hackers gaining access to the firm’s clients’ networks via malware they were able to incorporate into SolarWinds’ Orion software. When the sprawling attack was fully disclosed, the company’s stock fell 35% in a month. The SEC charges do not pertain to the exploit itself; instead, they allege that the company knew about vulnerabilities in its network that facilitated the infiltration and did not implement adequate controls. Further, the regulator alleges the company filed false and misleading statements to investors about its cyberrisk posture and the extent of the attack.

Notably, the SEC sued not only the company, but its CISO, Timothy Brown, personally. The charges are not enforcement actions under the new rules—the activity at issue predates the requirements and the SEC’s allegations include not only inadequate cybersecurity provisions but also actively fraudulent misrepresentations in disclosures to investors. 

There is a common thread, however, in that the SEC is paying closer attention to disclosures and specific governance activities, and is shifting toward holding executive leadership personally accountable for cybersecurity failures that had a material impact on the company’s financial and reputational status. Companies and their directors and officers should consider the charges and the new reporting requirements harbingers of a more assertive SEC squarely focused on cyberrisk management and governance.

Hilary Tuttle is managing editor of Risk Management.