New SEC Rules Will Do More Than Result in Quick Breach Reporting

Roger A. Grimes, KnowBe4 Data-Driven Defense Evangelist

On July 26, the U.S. Securities and Exchange Commission (SEC) announced several new cybersecurity rules, taking effect mid-December 2023, that will significantly impact all U.S. organizations (and foreign entities doing business in the U.S.) that must follow SEC regulations.

Although the announcement did not generate much fanfare outside the usual business and cybersecurity sites, the rules will greatly increase resource requirements and required actions. Some cybersecurity firms are already seeing a significant uptick in new business. Firms that are paying attention to the new requirements can expect a lot of new business opportunities.

What Are the New SEC Rules?

The rule getting the most coverage is the one requiring regulated firms to report significant cyber breaches to the SEC and the public within four days. Per the SEC’s official announcement:

“The new rules will require registrants to disclose on the new Item 1.05 of Form 8-K any cybersecurity incident they determine to be material and to describe the material aspects of the incident's nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant. An Item 1.05 Form 8-K will generally be due four business days after a registrant determines that a cybersecurity incident is material.”

The “materiality” part is important in understanding the new reporting requirement. Materiality is a generally accepted accounting standard that says an event only needs to be reported to stakeholders (i.e., customers, stockholders, regulators, etc.) if omitting it would have had an impact on a decision being made by a reader of that disclosure or of a financial statement. Here are two good summary statements on materiality:

What is or is not considered “material” can change depending on the stakeholders and event. Officially, accounting professionals (e.g., CPAs, etc.) are told there is no particular amount or percentage that makes an event material or not material. When in doubt, follow the standard of “would it matter to a reader of a financial statement”. But in practice, the SEC says the amount involved can be as little as 0.5% - 5% of total assets. It can also be lower or higher. It depends on the event.

Material or Not Material, That Is The Question

And the new rule says that breaches only have to be reported within four business days of determining that the breach is material, NOT within four days of the breach happening. That is a big difference, although many times the breach will obviously be material and will be reported within four days of discovery.

Note: The UK GDPR Act requires reporting data breaches within three days and India requires reporting within six hours.

The SEC also allows slower reporting if the U.S. Attorney General determines timely reporting would be a threat to national security or public safety and notifies the SEC of such.

As a comparison, according to the ransomware fighter Coveware, the average ransomware extortion payment was $740,144 and the median payment was $190,424. This is just the payment. The average downtime is usually nine days. That is pretty expensive and, I assume, would be material for most victims.

Recovery costs are almost always many times greater than the ransomware extortion payment. Taken all together (e.g., extortion payment, if paid, business interruption downtime, recovery costs, etc.), most victims of a full-blown ransomware attack would likely hit materiality levels quickly. A non-ransomware, no-encryption breach event (data exfiltration only, for example), however, may be determined to be far less costly and result in no significant downtime.

Either way, IT professionals should never get involved in determining materiality beyond providing cost estimates for damages and recovery. Materiality is decided by senior management, advised by legal and accounting professionals. But if the SEC’s minimum threshold of 0.5% is used, that means for every billion dollars a company is worth, it would take $5M in damages to begin to be considered material.

Note: Keep in mind that most organizations are subject to multiple regulators and might have to report a breach regardless of materiality. 

Every regulated firm will also need a solid incident response program: documented, practiced, and proven capable of responding quickly. Many companies do not have formal, practiced incident response teams. That is no longer an option.

You cannot report data breaches in under four days if your incident response team is not professional, knowledgeable and practiced. I expect many companies to hire new incident response talent and/or put incident response companies on retainer. 

Not knowing how good your incident response team or talent is, or merely hoping it is good enough, is simply no longer an option.

Item 106: More Board of Director Involvement in Cybersecurity

The other new SEC cybersecurity rule that will have an even greater impact because it affects every regulated company, not just breached companies, is Item 106. The SEC describes the new requirement:

“New Regulation S-K Item 106 will require registrants to describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, as well as whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant. Item 106 will also require registrants to describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats.”

With this rule, the SEC is saying three important things. A company, including the board of directors (BoD) and senior management, must describe:

  1. Their cybersecurity program
  2. How the BoD is overseeing cybersecurity risks
  3. How management is assessing and managing material cybersecurity risks.

This rule is HUGE! Any BoD that was sitting on the fence trying to figure out what their role was in cybersecurity defense now has their answer. They are directly and specifically personally involved.

Many BoDs relied upon senior management, who relied upon their IT or IT security teams to handle and attest. That is still true, but now BoDs and senior management have to personally attest they are directly involved in locating and managing cybersecurity risks…and they are at great legal peril if they are not. 

Oh, and they have until December 15, 2023 to get that understanding and expertise, and legally document it. This is going to be a difficult deadline for many firms, and we can expect any cybersecurity firms offering assistance to BoDs and senior management to see a big increase in business and revenue from here on out. 

These new cybersecurity rules from the SEC are a big shake up for SEC-regulated firms. If they did not already have regulations asking for quick breach reporting and senior ownership of cybersecurity risk, they do now.
