Navigating Cybersecurity: The SEC's New Disclosure Rules and the Role of Integrated Risk Management
In an era of escalating cybersecurity threats, regulatory bodies are taking a proactive stance. Yesterday, the Securities and Exchange Commission (SEC) adopted final rules mandating the disclosure of material cybersecurity incidents and ongoing disclosure of a registrant's cybersecurity risk management, strategy, and governance in their annual reports. This decision emerges as a critical development in the regulation of cyber risk and underscores the importance of Integrated Risk Management (IRM).
Understanding the SEC's New Rules
Born out of the increasing digitalization, the prevalence of remote work, the growth of digital payments, and the rise of third-party IT service providers, the SEC's new rules aim to standardize disclosures relating to cybersecurity. The Commission notes that these trends have amplified the risks and costs associated with cybersecurity incidents, necessitating enhanced, consistent, and comparable disclosures.
The newly introduced Form 8-K Item 1.05 requires companies to disclose any cybersecurity incident they determine to be material. Companies must describe the nature, scope, and timing of the incident and its material impact, or reasonably likely material impact, on the company, within four business days of determining that the incident is material. The clock starts at the materiality determination rather than at discovery, and the rule expects that determination to be made without unreasonable delay after discovery, so incident response and materiality assessment processes need to be tightly coupled.
Additionally, Regulation S-K Item 106 requires companies to describe their processes for assessing, identifying, and managing material risks from cybersecurity threats, and whether any such risks have materially affected or are reasonably likely to materially affect the company. They must also describe the board of directors' oversight of these risks and management's role and expertise in assessing and managing them. Foreign private issuers are covered as well: they must furnish information on material cybersecurity incidents on Form 6-K and make periodic disclosure on Form 20-F comparable to that required by new Regulation S-K Item 106.
Source: Wheelhouse Advisors 2023 IRM Navigator™ Framework
The Role of Integrated Risk Management (IRM)
In the context of these new rules, Integrated Risk Management (IRM) takes center stage. IRM provides a comprehensive, integrated approach to identifying, assessing, and mitigating organizational risks, including cybersecurity. Given the SEC's emphasis on cybersecurity risk disclosure, implementing an effective IRM program becomes critical for companies - see figure above.
IRM can assist organizations in several ways. First, it helps identify and assess cybersecurity risks across the entire organization. Integrated risk identification and assessment is central to compliance with Regulation S-K Item 106, which requires a description of the processes for assessing, identifying, and managing material risks from cybersecurity threats. Second, an IRM program provides the tools to manage those risks and to document how they are managed, which aligns with the SEC's requirement that registrants describe their risk management processes and governance. Third, in the event of a cybersecurity incident, an IRM program can speed up the materiality assessment, which is what starts the four-business-day clock under Form 8-K Item 1.05, and provide a framework for communicating the incident consistently to investors and the SEC.
Preparing for the Future
The rules take effect 30 days after publication in the Federal Register, with staggered compliance dates. The disclosure requirements of Regulation S-K Item 106 and Form 20-F apply to annual reports for fiscal years ending on or after December 15, 2023. For incident disclosure under Form 8-K Item 1.05 and Form 6-K, compliance begins 90 days after the publication date or on December 18, 2023, whichever is later. Smaller reporting companies get an additional 180 days before they must begin providing the Form 8-K incident disclosure.
As the compliance dates draw near, companies should view this as an opportunity rather than a burden. It is a chance to review and strengthen cybersecurity risk management processes, to define in advance how materiality will be assessed and who decides, and to implement or improve an Integrated Risk Management program. By doing so, companies can achieve regulatory compliance and better protection against the rising tide of cybersecurity threats. In today's digital world, that is a winning proposition.