The U.S. Securities and Exchange Commission (SEC) adopted a new rule that requires public companies to disclose material cybersecurity incidents in a timely and comprehensive manner and to make other cyber-related disclosures in annual filings (the Cyber Disclosure Rule). The rule, which took full effect in December 2023, aims to enhance investor protection and market integrity by promoting greater transparency and accountability in the face of cyber threats.
While operational technology (OT) and information technology (IT) networks have increasingly converged to meet modernization demands, distinct cybersecurity risks persist for each environment. IT environments grapple with the possibility of losing valuable data, intellectual property, and network services. In contrast, OT environments operate with different systems and network traffic, and adversary attacks on OT could potentially cripple critical infrastructure, leading to serious harm to persons and the environment. OT incidents have a high probability of being considered material and need to be disclosed. These are the types of risks animating the Cyber Disclosure Rule.
During a cyber incident, both IT and OT environments face the risk of operational downtime, revenue loss, and reputational damage, all at significant cost. Without comprehensive OT monitoring in place prior to an incident, companies won’t have the data necessary to fulfill the disclosure requirements or to properly complete their Form 8-K or Form 10-K filings. Customers using the Dragos Platform can be assured of data integrity and availability, giving them the incident data needed to address security concerns while meeting regulatory requirements.
Against the backdrop of the SEC’s disclosure regime, companies must navigate security concerns while ensuring compliance with regulatory requirements. In a recent on-demand webinar, experts from Dragos and Pillsbury delve into the unique challenges that chief information security officers (CISOs), chief risk officers, and cybersecurity executives encounter as they strive to safeguard critical networks and assets from cyber attacks while simultaneously preparing to meet the newly imposed SEC disclosure obligations.
The new SEC requirement covers several aspects of cybersecurity disclosure, including:
- Material Cybersecurity Incidents: Companies must disclose in a public SEC filing any cyber incident that they conclude is “material” within four business days of making that determination. The disclosure must include material aspects of the nature, scope, and timing of the incident, as well as its impact or reasonably likely impact on the company’s financial condition and operations.
- Risk Management and Strategy: Companies must disclose in their annual Form 10-K the processes used, if any, to assess, identify, and manage material cybersecurity risks, and whether any risks have or are reasonably likely to have materially affected their strategy, operations, or financial condition.
- Corporate Governance: Companies must disclose in their Form 10-K information about the board and management’s oversight of cyber risk, such as the responsible board committees, the management positions involved, and the processes to elevate cyber risks to the board and management.
- Disclosure Controls and Procedures: As a result of the Cyber Disclosure Rule, companies must ensure that they have adequate disclosure controls and procedures to record, process, summarize, and report cybersecurity information within the time periods specified by the SEC’s rules and forms. The SEC will assess whether, how, and when information about cyber incidents and risks flowed up the corporate ladder to enable executives to make disclosure determinations.
Critically, the Cyber Disclosure Rule requires companies to disclose a series of related unauthorized occurrences if they are material in the aggregate, even if each occurrence by itself is immaterial. The Cyber Disclosure Rule also requires companies to disclose if they will be materially impacted by a cyber incident suffered by a third party (even if that third party independently discloses the incident).
The new Cyber Disclosure Rule reflects the SEC’s decision to make it a top priority to protect investors from cyber risks and from companies that are not transparent with the market about their security posture. The finalization of the Cyber Disclosure Rule confirms that we are in a period of heightened cyber enforcement by the SEC.
In light of this, public companies that operate in critical infrastructure sectors or rely heavily on IT and/or OT need to review and update their existing policies, procedures, controls, and practices. Companies will also need to collaborate across the enterprise, involving various functions and stakeholders such as security, legal, compliance, audit, finance, risk, and communications. Organizations that can demonstrate effective cybersecurity disclosure and governance will likely not only minimize regulatory scrutiny and liability, but also enhance their reputation and trust with investors, customers, and partners.