SEC Changes Disclosure Rules

In July 2023, the SEC announced new rules to standardize the timeliness of cybersecurity incident disclosures, resulting in a 4 business-day disclosure period for incidents with “material” impact. The rules also require companies to disclose how they are managing cybersecurity risks, with details on their detection and incident response (IR) actions. With the average time to detect an incident at 207 days [2] and containment at 73 days [3], the SEC’s new rules are expected to have a turbulent life.

“Material” impact

SEC rules discuss “material” impact as the key factor that starts the disclosure clock ticking. Materiality is judged from the perspective of a (fictitious) reasonable investor who would place value on the incident. Material isn’t determined by those who are affected by the incident but by those who could be financially affected by its result. Read: the effect on the average person is immaterial to determining whether an incident is material or not. And there are currently no thresholds or quantitative guidance from the SEC on what financial impact constitutes “material” [9].

For corporations wishing to better quantify cybersecurity impact, a risk assessment that expresses impact in financial terms could be done. This would also help CISOs prioritize investment to buy down risk. Answering the question “if we lost control of X, how much would it cost to recover?” would help to play out the total cost to the organization. Costs for lawyers, physical mailings, brand or reputation damage, and external consultants should all be included in the recovery estimate.

Jumping the Gun

The amount of information known within the 4-day disclosure window can vary greatly by incident. Looking at the recent cyber incident against MGM Grand Resorts, the Form 8-K discloses nothing other than that there’s “been an incident” [5], and not much more in their press release. It appears that there is no requirement to continuously update the 8-K as new information is obtained.

On the other hand, the Form 8-K filed with the SEC for the Caesars cyber incident has more text to it. However, it is boilerplate text designed to give comfort to anyone who might be affected, such as their shareholders. What is of note, and what relates to the new SEC rules, is Caesars’ statement of how they are managing the cyber incident.

The net result is that companies may be forced to put forth information that, given more time, would prove erroneous or immaterial to the incident at hand.

Small Business Impact

The biggest impact will be on small companies that don’t have a security group and rely solely on IT or multi-hatted individuals. While smaller companies have an additional 180 days from rule publication to start complying, the burden on them is great. Small businesses are at risk for cyber incidents just like large companies. Over 40% of cyber attacks were against small businesses with fewer than 1000 employees [6][7]. Yet there’s been “a decline in focus on cyber hygiene among small businesses,” according to Redscan [4]. Cybersecurity measures are often seen as sunk costs instead of strategic investments and are prioritized as such within small businesses. In fact, studies indicate that only 14% of SMBs (small-medium businesses) are ready for any cyber incident.

With cyber incidents costing over $1M when all is said and done, SMBs face a clear threat to their solvency.

Conclusion

Given the new SEC rules, companies are encouraged to consider how they would now complete Form 8-K. A review of existing cybersecurity practices and a (re)evaluation of incident response plans would help to flesh out the requirements for reporting. Also, taking another look at risk management with an eye towards financial risk would improve board-level discussions to secure funding for security improvements.

References

  1. SEC Adopts Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies – July 2023
  2. 161 Cybersecurity Statistics and Trends [updated 2023]
  3. SEC’s new cyber disclosure rule
  4. Cyber incident response: a guide for small businesses
  5. MGM Resorts International Form 8-K
  6. 51 Small Business Cyber Attack Statistics 2023
  7. 35 Alarming Small Business Cybersecurity Statistics for 2023
  8. A Tale of Two Cybersecurity Incidents
  9. Water Under the Breach; The Sunk Costs of Cyber Security
  10. Caesars Entertainment Form 8-K
  11. SEC Regulations: What is a “Material” Cybersecurity Incident?