On March 9, the U.S. Securities and Exchange Commission (SEC) announced a new set of proposed rules for cybersecurity risk management, strategy and incident disclosure for public companies. One intent of the rule changes is to provide “consistent, comparable and decision-useful” information to investors. Not yet adopted, these new rules – published in the Federal Register on March 23 – could change reporting requirements. Take a look at some of the big-ticket items and what your organization needs to know.

The proposed rules will be open for public comment until May 9.

Know the terminology

The proposed rules would require a public company to make a Form 8-K disclosure of a “material cybersecurity incident” within four business days. A Form 8-K is a notification to shareholders of specific events. If an organization needs to file a Form 8-K but does not, the consequences could be severe, including delisting. Other forms (Forms 6-K, 10-Q and 10-K) would also be amended as part of the proposed rule changes. Therefore, do not gloss over the definitions, because they set the scope and the reporting rules, and the wording is very specific.

  • Cybersecurity Incident: an unauthorized occurrence on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity or availability of a registrant’s information systems or any information residing therein (footnote 48 of the proposed changes).
  • Information Systems: information resources owned or used by the registrant, including physical or virtual infrastructure controlled by such information resources, or components thereof, organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of a registrant’s information to maintain or support the registrant’s operations (also footnote 48).

Responsible and affected parties should review the section titled “Examples of Cybersecurity Incidents That May Require Disclosure Pursuant to Proposed Item 1.05 of Form 8–K.” That will help you get a better sense of the scope. As you’ll see, the scope is in fact quite wide. Therefore, not only will publicly traded organizations be on the clock to report (as we shall discuss in a moment), but the wide scope could pose a resource challenge for some.

Four days to report

Perhaps one of the greatest pressures an organization will face is the four days to report. In the past, an organization may have been able to buy some time during the internal or external investigation phase. This proposal pretty much puts a lid on any potential time-buying during that phase. The SEC concedes that a delay in reporting may facilitate law enforcement investigations, but it also says that, “on the balance,” that benefit cannot justify delaying information to investors.

So many events fall within the defined scope of “cybersecurity incidents”. Will filing a Form 8-K become a daily task? The key is “materiality”, and, sadly, there is a bit of a grey zone.

Materiality over discovery

If you are an IT or cybersecurity worker, you might be wondering whether the lawyers should be the ones reading this. We would completely forgive you. However, you will also have a role to play. The emphasis on “materiality” over “discovery” makes perfect sense. So many cyber-related attacks happen today. A security operations center could discover an “incident” multiple times a day. “Materiality” is the difference, but its meaning is not clear.

Within Section II.B.1., there are some guidelines that rely heavily on securities case law. However, no bright-line boundaries are drawn. For example, we see phrases such as “there is a substantial likelihood that a reasonable shareholder would consider it important” or “particularly in view of the prophylactic purpose.” Another says “thoroughly and objectively evaluate the total mix of information, taking into consideration all relevant facts and circumstances surrounding the cybersecurity incident, including both quantitative and qualitative factors.” You will also find a whole bunch of footnotes and citations to case law.

The proposed rule changes even state that “materiality” could come at discovery, but in other instances, well after discovery. It is the “materiality” aspect that starts the clock on the four-day turnaround to report. This can get really wild if your artificial intelligence security solution makes the call one way and the human overrides it!

What makes materiality important?

These rules will impact public companies, private equity firms and investment houses if they go into effect. That’s the case even if they are not impacted by the material incident directly. Here is why: investment decisions are impacted. Will a private equity firm change its trading portfolio position based on this reporting? It very well could. Many investors base their decisions on Form 8-K disclosures.

For private equity firms, what happens if an incident impacts one of their investments? That could affect the firm’s own reporting. This can get tricky if the portfolio is wide, diverse and lacks any common criteria for business impacts. In the end, all of those things could inform the decision.

Determining materiality

Knowing what matters to your organization is both art and science. You will need some multi-stakeholder input. As we discussed in the organizational resilience series, you need to keep an eye on thresholds, impact matrices and escalation triggers included in your business continuity, disaster recovery and crisis management processes. We noted how important it is to ensure the technology owners and business owners are working together to determine criticality and recovery strategies. Well, time to leverage that work and add one more stakeholder: legal counsel (including your external counsel).

Working together, these parties can make reasonable determinations on what a future “material cybersecurity incident” looks like. In doing so, the spirit of the proposed rule changes will likely be met, or at least be defensible. If you are a leader of a publicly traded company, remember: if something goes wrong, after the SEC is done with you, there may be a congressional hearing in your future. If your organization makes a conscious decision not to deem a cybersecurity incident a material one (and therefore not to report it), you are going to have to be able to defend that position. Using your criticality matrices – if well-crafted with appropriate stakeholder input – may minimize the pain. And that gives you the chance to win back some of your lost investor confidence.
