Decoding the New SEC Cybersecurity Rules: Material Incident Reporting and Risk Management Disclosures
The Securities and Exchange Commission (SEC) recently adopted new rules to enhance and standardize public companies’ cybersecurity incident reporting and risk management disclosures. These rules, effective in December, represent a significant shift in the regulatory landscape. Companies must act now to ensure they are prepared, and Integrated Risk Management (IRM) can play a crucial role in this process.
IRM is a set of practices designed to help organizations understand and manage the full scope of risks (strategic, operational, financial, digital, etc.) facing their enterprise, enabling them to make more informed and timely strategic decisions. IRM ties together Enterprise Risk Management (ERM), Operational Risk Management (ORM), IT Risk Management (ITRM), and Governance, Risk, and Compliance (GRC) to provide complete collaboration, context, and communication among key business leaders, including the Chief Legal Officer (CLO), Chief Risk Officer (CRO), Chief Financial Officer (CFO), and Chief Information Security Officer (CISO). This integrated approach is particularly important in meeting the expedited incident reporting mandated by the new SEC rules. For more information on IRM, refer to this article by AuditBoard.
Here are the two primary areas of disclosure directly from the new rules where IRM can play a crucial role:
1. Material Cybersecurity Incidents: The SEC defines "material cybersecurity incidents" as unauthorized occurrences, or a series of related unauthorized occurrences, that jeopardize the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein. Determining materiality for cybersecurity requires an integrated view of risk - tying cybersecurity to critical areas of the business operations. Without this view, the impact on a reasonable investor cannot be determined. This is where an IRM program can play a crucial role. By integrating ERM, ORM, ITRM, and GRC, an IRM program can provide a comprehensive view of all risks, enabling companies to quickly identify and disclose material cybersecurity incidents within the four-business-day requirement. These disclosures will be filed with the SEC on Form 8-K.
2. Cybersecurity Risk Management and Governance: The new rules require companies to disclose their cybersecurity risk management and governance processes. This includes how the board of directors oversees the management of cybersecurity risks and the company's cybersecurity strategy. An IRM program, by integrating ERM, ORM, ITRM, and GRC, can help companies to effectively manage these risks and provide the necessary transparency in their disclosures. It can ensure that all risk management and governance aspects are coordinated and communicated effectively, enabling companies to meet the new disclosure requirements. These disclosures will be included in the company's annual report on Form 10-K or, for foreign private issuers, Form 20-F.
Implementing an IRM program can significantly impact a company’s competitiveness and attractiveness in the mind of a reasonable investor. A robust IRM program can demonstrate a company's commitment to managing cybersecurity risks, enhancing its reputation, and increasing investor confidence. Furthermore, companies that effectively manage their cybersecurity risks can differentiate themselves from their competitors, potentially leading to greater interest from investors and higher market liquidity.
The new SEC rules represent a significant shift in the regulatory landscape for cybersecurity. Companies must act now to ensure they are prepared. Implementing an IRM program and technology can play a crucial role in helping companies navigate these new rules and ensure compliance. By linking cybersecurity risk to information technology, operational, and enterprise risk, companies can make more informed decisions about their cybersecurity strategy and governance, benefiting their investors and the broader market. For more details, refer to the complete set of rules published by the SEC here.