SEC's Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure Rule: What You Should Know
There's a lot of talk about the Securities and Exchange Commission's (SEC) "Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure" rule. It got a lot of publicity in November of 2023 when a ransomware gang tried to punish a victim for not paying by reporting the victim's lack of disclosure to the SEC. Here's what you need to know.
Final Rule: https://www.sec.gov/files/rules/final/2023/33-11216.pdf
Press Release: https://www.sec.gov/news/press-release/2023-139
Fact sheet: https://www.sec.gov/files/33-11216-fact-sheet.pdf
Does it apply to me?
Are you working for a publicly traded company? If not, this doesn't apply to your company. The SEC's primary concern is protecting shareholders. If you're part of a start-up or privately held enterprise, you can stop reading now.
Are you responsible for your corporation's SEC filings or a CISO/CSO the filing people will ask for all the information needed to support the rule? If so, yes.
If you're a lower-level person responsible for hardening systems, threat detection, or responding to hacks who might have to provide information for the report, your employer should have specialists who will guide you in what you need to do/provide, mostly in terms of helping enumerate the risk management strategy for the annual report. You can read the rest of this out of curiosity.
Part 1: Disclosure of incidents
Publicly traded companies will have to file notices of cybersecurity incidents using section 1.05 of form 8-K. These are described as "any cybersecurity incident [the company] determine[s] to be material and to describe the material aspects of the incident's nature, scope, and timing, as well as its material impact or reasonably likely material impact."
While there is some debate about what constitutes "material" impact, companies who have suffered the breach must report it within four (4) days of determining it constituted a material impact. This is the provision the ransomware gang unsuccessfully tried to use to punish their victim (because the rule wasn't in effect yet).
Upside: If you get hacked today, discover it in two months, it takes you 2 weeks to understand the impact of the hack, and only at the end of that do you determine the impact was "material," the four-day clock arguably starts ticking at that point, not today.
Part 2: Disclosing your risk management strategies
The second part of the rule has to do with periodically disclosing what you're doing to "assess, identify, and manage material cybersecurity risks, management’s role in assessing and managing material cybersecurity risks, and the board of directors’ oversight of cybersecurity risks."
These periodic statements must be part of the corporation's annual reports and proxy statements for any fiscal year (FY) starting after December 15, 2023. So for most every company, the first report under this part would be due with their annual report and proxy statement for FY 2024, filed in 2025.
It's worth noting that this part is where GitGuardian can help. As part of a comprehensive risk management strategy, GitGuardian's tools can help you detect issues, engage remediation workflows, and integrate your processes with tools like Slack and Jira… before they become material incidents. We also partner with other great security companies who can help fill out other areas of your strategy.
Why did they adopt it?
In their introduction to the rule, the SEC notes that while a certain amount of disclosure was happening without this rule, there was no consistency to how, where, if, and when disclosure occurred and what level of detail was provided. Besides specifying time frames, the rule defines what is reportable, where it must be reported, and how it must be reported.
In short, the bulk of the rule is intended to ensure consistent, timely reporting in a predictable manner as well as annual communication with your shareholders about what you're doing to prevent and manage security incidents.
What are the penalties if I don't report a hack?
The 186-page document doesn't say. Scanning it for enforcement-related keywords turned up nothing of value. In the absence of specific enforcement actions defined in the document, it's safe to assume the existing levers the SEC has for enforcing compliance with its other rules apply here.
What should I do if I get hacked?
Short answer:
Aside from remediating and analyzing, defer to your company's experts on dealing with the SEC.
Long answer:
When the breach is discovered, the circle of potential stakeholders is now larger. The people who prepare your reports for the SEC need to be added to the loop. They will be the ones who will determine if it's "material" in the eyes of the SEC (or bring in the experts who will). Also, if you have knowledge of the hack, whatever your level, you'll probably be subject to some internal controls on your buying or selling of company stock until the matter is resolved.
Even if you're a cybersecurity expert, defer to the people with the regulatory and legal expertise and put your expertise in their service. Let them guide you as to what they need from you. Don't try to be a hero and don't let a blog writer or YouTuber tell you anything but to listen to your company's designated experts.
In summary
There is a very narrow cadre of people who need to worry about the reporting aspects of this rule and most of them are people in Legal and Investor Relations. If you're in IT or InfoSec, you may need to answer a few more questions, prepare an extra report periodically on your security processes and strategies, or help find and fill gaps in your risk management strategy to comply with the rule and keep shareholders feeling secure..
Your Legal and Finance experts will guide you on what they need. When it comes to the security section of the annual report, expect iterations. You may be the security expert, but they're the bureaucracy experts and most of this is on their shoulders.