The Securities and Exchange Commission (SEC) has published new rules for SEC registrants on disclosing incident details and incident response policies. Compliance with these new rules should be top of mind for any company: even if your org hasn’t hit the milestone of registering with the SEC, you should be prepared to be compliant when you take that step.
In order to help investors understand the state of companies they’ve invested in, the SEC wants them to better understand the ramifications of cybersecurity incidents and potential risks. Explaining this goal, SEC Chair Gary Gensler said “Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way.”
To sum it up, rather than ad-hoc optional disclosures, the SEC is now requiring disclosure of sufficient consistency and completeness. What we’ve advocated for as a best practice for years is now becoming a necessary practice. Fortunately, we’re well equipped to help you get compliant.
How to disclose incidents to SEC standards
These updated SEC rules include a new addition to Form 8-K, the standard report of any unscheduled events that could be important to a company’s investors. Under this addition, any “material cybersecurity incident” now requires an 8-K report, including all the “material aspects of the incident’s nature, scope, and timing” and “its material impact or reasonably likely material impact on the registrant”. This new item will typically be due only four days after the incident is determined to be material, so you’d better have a system in place.
But first off, what does the SEC mean by “material” here? The SEC defines “material” as “a substantial likelihood that a reasonable person would consider it important”, as in, important to their financial decision making around investing in the company. Drawing the specific lines of what is “important” to a “reasonable” person with a “substantial” likelihood is a matter of ongoing debate among SEC legislators, investors, and practitioners. Our advice: err on the side of caution.
Regardless of whether or not a given incident is worthy of a Form 8-K report, you should move forward with every incident as if it will be. Not only will it make it easy to file a report if it becomes necessary, but it will keep you in the habit of examining these factors and learning from them for each incident.
Determining the ultimate impact of an incident isn’t always easy. You can’t just think about the revenue lost during an outage, or the specific customers that may churn as a result of an incident. There are many other opportunity costs and downstream factors. Our Return on Investment calculator can help you estimate these costs.
Although this holistic perspective may put the material impact of an incident higher than you previously estimated, proactively disclosing it in its entirety on your Form 8-K has several benefits. Investors will be more trusting of a company that seems honest and transparent. Moreover, they won’t speculate about additional hidden costs: covering everything that is and isn’t impacted leaves no room for doubt.
This exercise of determining material costs can help you learn more about the incident. It’ll help you assess the causes behind the incident, and explore the opportunities to improve your system in response to it. Building an incident retrospective is the best way to achieve these goals. View these new SEC requirements not as an obstacle, but as a path to making a resilient and ever-improving service.
How to describe your cybersecurity processes to SEC standards
The new SEC rules also require you to describe your “processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats” as well as “the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats”. Registrants need to disclose this in their annual Form 10-K report.
Once again, this should be seen as an opportunity to make a good investment in your practices. The “if any” in the SEC’s definition is telling: you need to disclose what you’re working with, even if it isn’t much. For the sake of investors’ confidence in your company, make sure you have robust practices to describe.
Our complete guide to incident management is a great way to get started on building a worthy process. We take you from tools to monitor system health to detect incidents, to the most effective ways to coordinate diagnosis and resolution, to learning and improving from each incident.
The SEC also requires describing how your board of directors and management oversees and assesses risks. The unfortunate reality is that many upper managers are disconnected from these processes. Or worse, they can be over-involved, sticking their noses into each and every incident and slowing progress. It’s difficult to find the sweet spot where upper management is educated on process and the latest stats without distracting practitioners to educate them. Blameless’s Incident Analytics and Incident Communications features help get everyone up to speed without anyone slowing down.
Tackle new requirements by investing in tooling
If your organization isn’t already implementing these best practices, it will take some time and effort to adopt the habit. Investing in a new tool can mitigate this cost. Blameless lets you easily build an automatic, localized, and feature-rich solution. Build something you’re proud to disclose with Blameless. Contact us to see how we’ll prepare you for SEC compliance.