On July 26, 2023 the SEC finalized the rules surrounding Cybersecurity Risk Management and Governance. They are as follows:
Annual report on company cybersecurity risk management strategy and governance (Item 106)
Report any material cyber incident within 4-days of determining the incident to be material, or likely material (Item 1.05, Forms 8-K)
Caveat: National, or Public Safety risks, at the discretion of the Attorney General
Reported under Item 1.05 of Form 8K
Describe material impact, including the nature, scope, and timing
Adding Regulation S-K Item 106 to describe processes used to assess, identify, and manage material risks and material effects from threats and previous cyber incidents
Additionally, describe the Board's oversight of risks and managements role and expertise in assessing and managing risks
Refer to this SEC Article on assessing materiality
Impacting: Reputation, odds of Litigation, Regulatory, Third-party relationship
While Cybersecurity expertise is not required at the Board level, we see the rules to include how the Board provides governance for such risks and Executive management's expertise in assessing and governing risks. While this may sound good to some, historically the vast majority struggle with cyber risk, and akin to the Biden administration's Cybersecurity policies, a safety net does not fix the problem. The burden stays with Executive Management, "the more things change the more they stay the same".
Overall, the Incident Response plan will need to align with a) discovering the incident and then b) when to discover material impact, which starts the 4-day clock. Caveat, communications during an incident response should already be vetted by legal counsel. The Form 8K disclosures are due effect Dec. 18, 2023, which is 90 days after the rule was published. Note: Smaller companies are due 270-days after publication, or by June 15, 2024. Form 10K disclosures are due with annual reports [fiscal years] ending on/after Dec. 15, 2023.
Comments