SEC Final Rule: Cybersecurity Risk Management, Strategy, Governance and Incident Disclosure
Cyberattacks can have a material impact on the value of publicly traded companies and hurt investor returns. Now these organizations also must comply with a new Securities and Exchange Commission (SEC) rule to improve reporting consistency around cybersecurity.
The process started in 2022 when the SEC proposed new rules and amendments to standardize disclosures around cybersecurity risk management practices, as well as strategy, governance, and material incidents. These changes affect public companies that are subject to the Securities Exchange Act of 1934 reporting requirements. The rules were finalized and became effective on Aug. 29, 2023. Now public companies must comply with the rules, beginning with their annual reports for fiscal years ending on or after Dec. 15, 2023.
SEC Final Rules on Cybersecurity Reporting
The SEC-adopted rules require most public companies to disclose material cybersecurity incidents they experience. They must also disclose, on an annual basis, material information regarding their cybersecurity risk management, strategy, and governance. The Commission also adopted rules requiring foreign private issuers, which are foreign companies wishing to raise capital or establish a trading presence for their securities, to make comparable disclosures.
The rules fall into two main categories:
1. Annual disclosure of cybersecurity risk management, strategy, and governance: Public companies must disclose information about their cybersecurity risk management, strategy, and governance in their annual reports on Form 10-K.
This information must include:
- The company's cybersecurity risk management policies and procedures
- The role of the board of directors in overseeing cybersecurity risks
- Management's role in assessing and managing material risks from cybersecurity threats
- The company's cybersecurity strategy
2. Disclosure of material cybersecurity incidents: Public companies must disclose material cybersecurity incidents on the new Item 1.05 of Form 8-K, within four business days of determining that the incident is “material.”
The disclosure must include information about the nature, scope, and timing of the incident, as well as the material impact — or reasonably likely material impact — on the company. Organizations may delay disclosure if the US attorney general determines such disclosure would pose a substantial risk to national security or public safety. Registrants must also amend their disclosure with additional details that may not have been available or determined at the time of the initial filing.
More disclosure requirements
The SEC rules also require public companies to disclose cybersecurity information in Inline XBRL (eXtensible Business Reporting Language). This structured data language makes it easier for financial analysts and investors to analyze and compare company cybersecurity disclosures. Inline XBRL is both human- and machine-readable.
A core component of the SEC’s mission is to protect investors while maintaining fair, orderly, and efficient markets. These new disclosure rules further help investors make informed investment decisions by providing them with greater detail about the cybersecurity risks that public companies face and how those companies are managing those risks. The rules also incentivize public companies to invest in cybersecurity and to improve their cybersecurity posture.
Public companies should act immediately to ensure compliance with the new rules. Being proactive and transparent can also build investor confidence that the organization is taking the right steps to address cybersecurity risk, strategy, and governance issues.
How BlackBerry Can Help
BlackBerry offers the full breadth of services and solutions needed to help your organization comply with SEC cybersecurity mandates. According to a recent Forrester Total Economic Impact Study, the CylanceGUARD® MDR (managed detection and response) service from BlackBerry boosts ROI by 293%, and it reduces the need for internal security operations by 90%.
BlackBerry customers also made CylanceENDPOINT™ a 2023 Customers' Choice for endpoint protection platforms (EPP) via Gartner® Peer Insights™, with large enterprise and midsize enterprise customers from around the world recommending the BlackBerry® AI-based security platform. BlackBerry can help you prevent material breaches, and in turn, help you avoid unfavorable public disclosures. It does this by providing robust cybersecurity program management to improve your cyber resilience.
Partnering with BlackBerry signals to investors and capital markets that your organization prioritizes trust: the trust investors place in you to make decisions that help protect their investments, and the trust your partners, customers, and consumers put in you to protect valuable company resources, intellectual property, and data (including regulated financial and health data) through sound cybersecurity risk management, strategy, and governance programs.