While the SEC’s disclosure rules came at an already stressful time for CISOs, conflicting information and guidance make compliance even more challenging. There are debates around the SEC overstepping in telling companies how to manage risks, disclosure timelines being too short, and requiring the presence of board members with expertise. In this blog, I will walk through the top three SEC cyber rule misconceptions I have seen.
Before diving into the misconceptions, I'd like to provide some background on the ruling, which is structured into three sections: periodic reporting, regular reporting, and board involvement. As the rules were being developed over the past eighteen months, each section went through the following phases:
- Proposed amendments
- Comments
- Final amendments
The proposed amendments are the rules that were originally presented, comments refer to feedback that was received, and final amendments are the rules that the SEC has adopted. Most of the misconceptions we are hearing stem from amendments that were proposed, but never adopted in the final rules. The following are the top three.
Timelines for incident disclosure
The first misconception being addressed is the idea that the timeline for disclosure is unreasonable and aggressive. I've seen comments and articles using language referring to the timeline as having "4 days after an event to disclose it to the public". While the timeline does involve a 4-day period, the clock doesn't start when the event occurs. The countdown begins when a materiality determination has been made. From that point, a company has 4 days to file an 8-K disclosing its materiality determination. The SEC originally said a materiality determination must be made "as soon as reasonably possible", but it received comments that this was too harsh. The SEC refined the wording to "without unreasonable delay", which relaxes the timeline a bit more.
Materiality is a new concept when applied to security events, so the misunderstanding makes sense. Companies cannot put off determining materiality, but the SEC acknowledges that information and evidence need to be gathered before a company can confidently determine the financial and operational impacts.
Power of influence
The next misconception I've been seeing a lot of is the idea that the SEC is overstepping in telling companies how to manage their cybersecurity risks. The SEC does not, at any point in the ruling, discuss or develop rules telling a company how to manage its security risks. In response to comments it received, the SEC stated:
“… we confirm that the purpose of the rules is, and was at proposal, to inform investors, not to influence whether and how companies manage their cybersecurity risk.”
This holds true in all the rules the SEC adopted. The SEC is requiring increased and consistent reporting around events and policies relating to a company's cybersecurity, but it won't tell a company how to do it. This increased transparency might encourage an organization to "tidy up" a bit, but that is the organization's choice. If a company discloses what it is (or is not) doing, it has checked the box.
Board disclosure requirements
Finally, I'd like to address the misconception that the SEC is requiring the presence, or the disclosure, of cybersecurity expertise on a company's board. While there was a proposed amendment to require companies to disclose whether any board members have such expertise, it was not adopted. In response, the SEC stated: "…investors can form sound investment decisions based on the information required by Items 106(b) and (c) without the need for specific information regarding board-level expertise". A company is not prohibited from including this information, but the SEC is not explicitly requiring it.
We want to filter out the noise and provide companies with an easy and actionable roadmap to achieve compliance. Axio is getting ready to offer its official SEC compliance playbook, and we’d love to have you join us in the official launch of it on January 17th. Sign up here if you want to learn more. Let us help you, so you can get back to focusing on what’s most important.