Mission Security

SEC Cyber Regulation – What Does It Mean & Why Is It Necessary

July 31, 2023

The Securities and Exchange Commission has adopted rules requiring registrants to disclose material cybersecurity incidents they experience and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance. The Commission also adopted rules requiring foreign private issuers to make comparable disclosures.


The new rules will require registrants to disclose on the new Item 1.05 of Form 8-K any cybersecurity incident they determine to be material and to describe the material aspects of the incident’s nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant. An Item 1.05 Form 8-K will generally be due four business days after a registrant determines that a cybersecurity incident is material.


The new rules also add Regulation S-K Item 106, which will require registrants to describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, as well as the material effects or reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents. Item 106 will also require registrants to describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats. These disclosures will be required in a registrant’s annual report on Form 10-K.


The rules require comparable disclosures by foreign private issuers on Form 6-K for material cybersecurity incidents and on Form 20-F for cybersecurity risk management, strategy, and governance.


In short, this is what the new SEC rule asks for:


  • The rule requires current reporting about material cybersecurity incidents on Form 8-Ks within four business days;
  • The rule requires periodic disclosures regarding, among other things:
    • A firm’s policies and procedures to identify and manage cybersecurity risks;
    • Management’s role in implementing cybersecurity policies and procedures;
    • Board of directors’ cybersecurity expertise, if any, and its oversight of cybersecurity risk; and
  • The rule asks for updates about previously reported material cybersecurity incidents.


Why this is relevant and why this is necessary:


  1. The Four-Day Disclosure Requirement – Marriott waited 11 weeks to reveal that 383 million customer records had been compromised, exposing at least 25 million passport numbers and eight million payment cards. Can you imagine Marriott waiting 11 weeks to disclose its quarterly earnings numbers? Furthermore, when we examined the Marriott data breach in detail, we discovered that the breach occurred in Starwood’s systems and not in Marriott’s. Somewhat predictably, most, if not all, of the staff at Starwood Corporate, including those working in information technology and cyber security, were let go as part of the cost savings stemming from the merger.

  2. Stock Price Impact – Systematic evidence is beginning to build suggesting that stock prices move in response to news of cyber hacks – especially as more recent attacks involve ransomware. A cyber-attack produces a negative stock price reaction more often than not. When a company delays announcing a cyber-attack, its stock can be bought and sold by investors who do not know about, or cannot assess, the damage that has potentially already occurred.

  3. Intellectual Property and Lost Data – An assessment of the value of lost IP and data needs to address not only the value to the entity but also the value to the capital markets and the economy. The U.S. Department of Commerce estimated that stolen IP costs the U.S. economy between $200 billion and $250 billion annually.

  4. Understanding the Value and Impact of Lost Production – If an automotive company produces 120,000 cars per year and the revenue per car is $10,000, the daily revenue lost to a cyberattack on a factory that relies heavily on robotics would be around $3.3 million. As we have seen with the incidents at Colonial Pipeline and JBS (meat packing), these attacks can take a business offline and can result in a loss of revenue, expose the organization to liabilities, and erode its reputation.

  5. Disaster Recovery and Continuity Planning – A continuity plan identifies the critical information an organization needs to continue operating during an unplanned event, such as a cyberattack or natural disaster. The plan then highlights the systems and processes that must be sustained and details how the company plans to sustain and recover them. This will now be an absolute must for all organizations in scope.


At many companies, there is a noticeable absence of expertise in cyber risk management at the board level and at the executive management level. Now that the SEC has put the board “on the hook,” corporate accountability should improve and mitigate the damage from cyber breaches to customers and to our country. In addition, there is an element of ethics that needs to be adhered to – especially given the changes in stock price and negative valuations that follow a cyber-attack.