Updated: Jul 22, 2022
Webcheck Security is often called upon by organizations that need to comply with SEC cyber regulations, New York State Financial Cyber Regs, and many more. This article presents important new SEC financial cyber rules which may be applicable to your organization.
New rules have been proposed by the Securities and Exchange Commission (SEC) under which companies would be required to disclose significant information about cybersecurity incidents as well as their security preparedness. Under the proposed rules, companies would specifically have to disclose: (i) material cybersecurity incidents; (ii) information about the organization's security strategy, risk management, and governance; and (iii) whether any member of the board of directors possesses cybersecurity expertise.
In line with guidance published by the SEC in 2011 and 2018, many companies already disclose a portion of the required information; however, the motivation for issuing new rules is that the SEC's analysis indicates that underreporting, inconsistent information in reports, and late reporting continue to be widespread issues. The SEC aims to reduce such issues. The new rules would address the needs of investors and other market participants for timeliness, consistency, and standardization of content in reporting on cybersecurity incident response, governance, risk management, and leadership teams' cybersecurity knowledge.
Regarding the mandatory disclosure of material cybersecurity incidents and the ongoing disclosure of historical incidents, the SEC has proposed adding Item 1.05 to Form 8-K (current reports). This item would require public companies to disclose critical information elements within four business days after confirming that a cybersecurity event is material. The SEC has expressed the desire for the rule to be "construed broadly", so that any unintentional data leakage or exposure would be included. Additionally, the SEC proposed amendments to Forms 10-Q (quarterly reports) and 10-K (annual reports) under which public companies would be required to provide updated disclosures about historical material cybersecurity incidents; the amendments would also require public companies to disclose instances in which a sequence of separate, individually immaterial incidents has become material in the aggregate.
Companies would be required to determine materiality "as soon as reasonably practicable after discovery of the incident"; however, no penalties are specified for non-compliance, and no language about set metrics is included either. Safe harbor provisions would cover the untimely filing of incidents on Form 8-K, and companies would not lose Form S-3 or Form F-3 eligibility for failure to comply.
The SEC stated that "materiality" is to be determined according to current SEC principles, whereby information is material if "there is a substantial likelihood that a reasonable investor would attach importance in determining whether to purchase the security registered." A "cybersecurity incident" would be defined as "an unauthorized occurrence on or conducted through a registrant's information systems that jeopardizes the confidentiality, integrity, or availability of a registrant's information systems or any information residing therein." The existing SEC definition of "material" in 17 C.F.R. § 230.405 will not change.