An In-Depth Look at the SEC’s Cybersecurity Risk Management, Strategy, Governance and Incident Disclosure Rule
On Aug. 2, we distributed an alert about the U.S. Securities and Exchange Commission’s (SEC) July 26, 2023, adoption of the Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure Rule. Our focus in that alert was on the new “Material Cybersecurity Incident” standard, which determines when a cybersecurity incident must be reported. In that alert we also briefly mentioned that the rule will require all registrants, whether smaller reporting companies or not, to provide new annual disclosures, beginning with annual reports for fiscal years ending on or after Dec. 15, 2023. We now provide more information on that required reporting.
This new reporting rule was promulgated because the SEC contends “that investors need information on registrants’ cybersecurity risk management and strategy.” Whether investors are qualified to assess risk frameworks, management, strategy or cybersecurity governance is debatable. Investors are likely more at home analyzing investment risks such as annual recurring revenue (ARR), cash flows, costs, margins, debt and maintaining projections for revenue and earnings. Such cybersecurity terms as data loss prevention, vulnerability scans, honey pots, API keys, common vulnerabilities and exposures, security information and event management—to name a few—are probably not in their daily thoughts, but those terms are part of the cybersecurity professional’s vocabulary. Regardless, it is not debatable that privacy and cybersecurity have become distinguishing characteristics of company goodwill and branding. Although a company’s first reaction may be that such reporting is an overreach, a burden and gives too much information to the bad guys, it is also an opportunity to add to a company’s cybersecurity brand. Importantly, the SEC is not asking you to change how you manage your cybersecurity risk, only to report on it. The same cannot be said for other agencies like the Federal Trade Commission, but we leave that for another alert.
The SEC’s goal is “to inform investors, not to influence whether and how companies manage their cybersecurity risk.” To that end, the clock is ticking and companies should start the process of evaluating their cybersecurity program and start thinking about how they will report it on Item 106: “As adopted, … Regulation S-K, Item 106(b)(1) requires a description of ‘the registrant’s processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes.’”
Specifically:
(b) Risk management and strategy. (1) Describe the registrant’s processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes. In providing such disclosure, a registrant should address, as applicable, the following non-exclusive list of disclosure items:
- Whether and how any such processes have been integrated into the registrant’s overall risk management system or processes;
- Whether the registrant engages assessors, consultants, auditors, or other third parties in connection with any such processes; and
- Whether the registrant has processes to oversee and identify such risks from cybersecurity threats associated with its use of any third-party service provider.
(2) Describe whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant, including its business strategy, results of operations, or financial condition and if so, how.
Although there are rumors that Congress may overturn the SEC’s rule using the Congressional Review Act, to date no member of Congress has confirmed those rumors. Given that, it is prudent for registered companies to move forward with a compliance and reporting program.
Keeping in mind that the disclosed information will be publicly available to not only investors but also hackers that would cherish a roadmap on how to attack your systems and data, there is a fine line to walk here. Cybersecurity counsel, in collaboration with your chief information security officer and securities counsel, can help in determining that line or in the event you need to choose a cybersecurity risk management framework. There are many industry-acceptable frameworks available. Reach out to one of the authors for more information.
THIS DOCUMENT IS INTENDED TO PROVIDE YOU WITH GENERAL INFORMATION REGARDING THE SEC'S CYBERSECURITY RISK MANAGEMENT, STRATEGY, GOVERNANCE, AND INCIDENT DISCLOSURE RULE. THE CONTENTS OF THIS DOCUMENT ARE NOT INTENDED TO PROVIDE SPECIFIC LEGAL ADVICE. IF YOU HAVE ANY QUESTIONS ABOUT THE CONTENTS OF THIS DOCUMENT OR IF YOU NEED LEGAL ADVICE AS TO AN ISSUE, PLEASE CONTACT THE ATTORNEYS LISTED OR YOUR REGULAR BROWNSTEIN HYATT FARBER SCHRECK, LLP ATTORNEY. THIS COMMUNICATION MAY BE CONSIDERED ADVERTISING IN SOME JURISDICTIONS. THE INFORMATION IN THIS ARTICLE IS ACCURATE AS OF THE PUBLICATION DATE. BECAUSE THE LAW IN THIS AREA IS CHANGING RAPIDLY, AND INSIGHTS ARE NOT AUTOMATICALLY UPDATED, CONTINUED ACCURACY CANNOT BE GUARANTEED.