
SEC cybersecurity disclosure rules, with checklist
Public companies must regularly share information about their cybersecurity practices and disclose details of material cyberincidents. Learn how to comply.
Current SEC rules require public companies that experience a material cybersecurity incident to disclose it to the U.S. Securities and Exchange Commission. Such companies must also describe their cybersecurity risk management, strategy and governance practices in their annual reports.
The SEC adopted the final rules in July 2023 to ensure shareholders and investors have consistent, comparable access to information that might reasonably affect their investment decisions. Incident disclosure has been required since December 18, 2023 (June 15, 2024 for smaller reporting companies), and the annual disclosures apply to fiscal years ending on or after December 15, 2023.
Cyberincident disclosure requirements
Under current SEC cybersecurity disclosure rules, a public company must report any cybersecurity incident it determines to be "material." Materiality follows the general securities-law standard: information is material if there is a substantial likelihood that a reasonable investor would consider it important in making an investment decision. An incident that significantly disrupts the firm's ability to conduct business will usually meet that standard, but harm to reputation, customer relationships or litigation and regulatory exposure can also make an incident material even when operations continue.
The organization must file Form 8-K Item 1.05 within four business days of determining that the incident is material, and that determination must be made "without unreasonable delay" after the incident is discovered.
The organization should disclose the following material details in the filing:
- The nature of the incident -- i.e., what happened.
- The scope of the incident -- i.e., the extent to which corporate assets, such as systems, services and data, were compromised.
- The timing of the incident -- i.e., when it occurred, when it was discovered and whether it is ongoing, to the extent known.
- Actual material impact or reasonably likely material impact, including on financial condition and results of operations, and covering both qualitative factors -- e.g., reputational harm and competitive position -- and quantitative factors -- e.g., direct costs of operational downtime and remediation.
If information required by Item 1.05 has not been determined or is unavailable when the initial Form 8-K Item 1.05 filing is due, the organization must say so in that filing. Within four business days of determining the missing information, it must file an amendment to the Form 8-K.
Incidents at third-party service providers are subject to the same requirements. Suppose, for example, that an organization discovers one of its cloud providers has suffered a cyberattack that materially affects the organization's own business. In that case, the organization must file Form 8-K Item 1.05 based on the information available to it; the rules do not require it to make inquiries of the provider beyond its ordinary channels, but they do not excuse the filing because the compromised systems belong to someone else.
Additional notes
- The organization need not disclose specific technical or operational details about its planned response or its cybersecurity systems in such detail that the disclosure itself would impede its response or remediation.
- If the U.S. attorney general determines that disclosure would pose a substantial risk to national security or public safety and notifies the SEC in writing, the organization can delay the filing for up to 30 days, extendable by a further 30 days and, in extraordinary circumstances, by up to 60 days more.
- The organization must tag the Item 1.05 disclosure in Inline XBRL as an interactive data file.
Annual SEC cyber-reporting requirements
As mentioned, the final rules also require public companies to disclose their approaches to cyber-risk management, strategy and governance in annual reports. These disclosures are required by Regulation S-K Item 106 and appear in Form 10-K.
For risk management and strategy (Item 106(b)), organizations must include the following:
- Processes, if any, for assessing, identifying and managing material risks from cybersecurity threats, including whether those processes are integrated into the company's overall risk management system, whether third-party assessors, consultants or auditors are engaged and whether the processes cover risks associated with the company's use of third-party service providers.
- Whether risks from cybersecurity threats have materially affected, or are reasonably likely to materially affect, the company's business strategy, results of operations or financial condition.
- Whether previous cybersecurity incidents have had, or are reasonably likely to have, such a material effect.
For risk governance, organizations must describe the following:
- The board of directors' oversight of risks from cybersecurity threats, including any board committee or subcommittee responsible and the process by which the board is informed about those risks.
- Management's role in assessing and managing material risks from cybersecurity threats, including which management positions or committees are responsible, their relevant expertise and how they monitor incidents and report to the board.
Each organization should provide enough detail to enable a reasonable investor to understand the company's cybersecurity risk profile and how it might affect the business.
The Item 106 disclosures must be tagged in Inline XBRL (eXtensible Business Reporting Language) as an interactive data file.
Requirements for foreign private issuers
The current rules require foreign private issuers (FPIs) to make comparable disclosures on Form 6-K for material cybersecurity incidents and on Form 20-F for cybersecurity risk management, strategy and governance practices.
An FPI is a foreign issuer, other than a foreign government, that does not meet both of the following tests:
- More than 50% of its outstanding voting securities are held, directly or indirectly, by U.S. residents.
- Any one of the following: a majority of its executive officers or directors are U.S. citizens or residents; more than 50% of its assets are located in the U.S.; or its business is administered principally in the U.S.
A foreign issuer that meets both tests is treated as a domestic filer and reports on Forms 8-K and 10-K instead.
Summary of SEC cybersecurity disclosure rules
Item | Summary description of the disclosure requirement
--- | ---
Form 8-K Item 1.05 -- Material cybersecurity incidents | File within four business days of determining an incident is material. Describe the material aspects of its nature, scope and timing, and its material or reasonably likely material impact, including on financial condition and results of operations. File an amendment within four business days of determining any information that was unavailable at the time of the initial filing.
Regulation S-K Item 106(b) -- Risk management and strategy | In the Form 10-K annual report, describe the processes for assessing, identifying and managing material risks from cybersecurity threats, and whether risks from such threats, including previous incidents, have materially affected or are reasonably likely to materially affect the company.
Regulation S-K Item 106(c) -- Governance | In the Form 10-K annual report, describe the board's oversight of risks from cybersecurity threats and management's role and expertise in assessing and managing those risks.
Form 20-F | FPIs' annual report: risk management, strategy and governance disclosures comparable to Item 106(b) and (c).
Form 6-K | FPIs: furnish information on material cybersecurity incidents that the issuer discloses or otherwise publicizes in a foreign jurisdiction, to a stock exchange or to security holders.
Source: Securities and Exchange Commission
Paul Kirvan, FBCI, CISA, is an independent consultant and technical writer with more than 35 years of experience in business continuity, disaster recovery, resilience, cybersecurity, GRC, telecom and technical writing.