Originally published by BARR Advisory.
The Securities and Exchange Commission (SEC) recently published updated guidance for public companies on how and when to disclose cybersecurity incidents.
Issued as a follow-up to new rules adopted by the commission last year, the updated guidance is intended to provide businesses with increased clarity on how to report security breaches as well as minimize confusion among investors about what constitutes a “material” incident.
Here’s everything you need to know about the updates.
July 2023: SEC Adopts New Disclosure Rules
The SEC’s new rules on the disclosure of “material” cybersecurity incidents by public companies were first adopted in July 2023. The SEC defines material incidents as those that a “reasonable shareholder” would likely consider “important in an investment decision.”
For public companies, this means considering quantitative and qualitative factors, including:
- Whether data was compromised;
- Whether the company’s policies and procedures were violated;
- Whether the company will suffer financial or reputational losses;
- Whether the company is likely to face litigation or regulatory investigations; and,
- Whether access to data changed following the incident.
Public companies that experience a material cybersecurity incident are required to disclose the nature, scope, timing, and impact (or likely impact) of the incident under Item 1.05 of Form 8-K within four business days of determining its materiality.
According to the SEC’s latest statement, organizations are able to amend the Form 8-K if additional information about the impact of an incident becomes available.
May 2024: SEC Issues Clarification
Nearly one year after these rules were adopted, Erik Gerding, director of the SEC’s division of corporation finance, issued a statement clarifying that companies should not use Item 1.05 of Form 8-K for voluntary disclosures. Item 1.05 is only meant for disclosing incidents that have been deemed material.
“If all cybersecurity incidents are disclosed under Item 1.05, then there is a risk that investors will misperceive immaterial cybersecurity incidents as material, and vice versa,” Gerding said.
Instead, companies should use a different item of Form 8-K for immaterial incidents. The SEC says:
- If a cybersecurity incident has been deemed “material,” the organization should disclose it under Item 1.05 of Form 8-K within four business days of making that determination.
- If a cybersecurity incident has not been deemed “material,” but a company would like to report it, the organization should disclose the incident under a different item of Form 8-K—for example, Item 8.01.
- If a cybersecurity incident that was deemed immaterial is later determined to be a “material” incident, the organization should disclose it under Item 1.05 of Form 8-K within four business days of making the materiality determination.
The only exception noted by the SEC comes in cases when “immediate disclosure would pose a substantial risk to national security or public safety,” as determined by the U.S. Attorney General.
Looking Ahead: Transparency is Key
In his statement, Gerding said the updated guidance is not meant to discourage companies from voluntarily disclosing cybersecurity incidents that have been deemed immaterial or for which a materiality determination has not yet been made.
“Rather, this statement is intended to encourage the filing of such voluntary disclosures in a manner that does not result in investor confusion,” Gerding said.
“I recognize the value of such voluntary disclosures to investors, the marketplace, and ultimately to companies,” he added, “and this statement is not intended to disincentivize companies from making those disclosures.”
In fact, organizations that want to show customers and stakeholders that they are committed to data security and privacy should prioritize transparency, especially in the wake of a breach.
In addition to reporting the incident through the proper legal channels, maintaining open lines of communication with stakeholders is crucial. Brianna Plush, a senior consultant at BARR Advisory, suggests appointing a designated liaison who can communicate with customers about the incident.
“Every data breach, regardless of its size or scope, impacts customer trust. Rebuilding that trust requires open, transparent communication about what happened, why it happened, and what steps the organization is taking to mitigate the risk of future threats,” Plush said.
Source link
