This article was updated August 30, 2023.

Properly responding to material incidents could protect your organization from receiving charges from the SEC.

The SEC published its final rule meant to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies.

Evaluate Incidents Carefully

Nonmaterial cyber incidents don’t have to be disclosed to the SEC; however, the number of material cybersecurity incidents is likely higher than organizations report.

What if some of the cybersecurity incidents organizations originally deemed nonmaterial are actually material? How well do organizations evaluate incidents to determine whether they’re material?

SEC Enforcement Cases

In the past, the SEC rarely enforced actions on cybersecurity incidents. However, three enforcement cases against companies indicate things are changing.

A property title company in California, an educational services company in the United Kingdom, and a software company in South Carolina received enforcement actions for not properly disclosing facts surrounding a material cybersecurity incident.

In each case, front-line IT personnel might not have:

• Fully understood how their company defined materiality
• Been incentivized to report the vulnerability up the chain of command
• Made necessary changes to systems or programs in a timely manner
• Describe the incident accurately and completely

The Division of Enforcement within the SEC is signaling a hard line against companies that haven’t designed and implemented cybersecurity disclosure controls that accurately and completely mention all material facts regarding incidents. Registrants should know the new rules give the SEC a new basis for bringing enforcement actions.

Responding to a Cybersecurity Incident

With its enforcement actions, the SEC signals that employees with knowledge of security vulnerabilities are expected to communicate this information up the chain of command accurately and completely. Those charged with reporting material incidents must do so in four days.

Who Should Be Told?

The front-line IT team should inform people in senior management responsible for deciding whether to make a public disclosure.

This could include members of the board and audit committee, the CEO, CFO, Chief Information Officer (CIO), and Chief Information Security Officer (CISO).

SEC Final Rules

New Item 1.05 of Form 8-K

Registrants will be required to disclose on this item any cybersecurity incident they determine to be material and to describe the material aspects of the incident's nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant.

An Item 1.05 Form 8-K will generally be due four business days after a registrant determines that a cybersecurity incident is material.

The disclosure may be delayed if the US attorney general determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the commission of such determination in writing.

New Regulation S-K Item 106

This will require registrants to describe annually any processes for assessing, identifying, and managing material risks from cybersecurity threats, as well as the material effects or reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents.

Item 106 will also require registrants to describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats. These disclosures will be required in a registrant's annual report on Form 10-K.

Applicability to Foreign Private Issuers

The rules require comparable disclosures by FPIs on Form 6-K for material cybersecurity incidents and on Form 20-F for cybersecurity risk management, strategy, and governance.

Effective Dates

The final rules will become effective September 5, 2023. The Form 10-K and Form 20-F disclosures will be due beginning with annual reports for fiscal years ending on or after December 15, 2023. The Form 8-K and Form 6-K disclosure requirements will be applicable beginning December 18, 2023. Smaller reporting companies will have an additional 180 days, until June 15, 2024, before they must begin providing the Form 8-K disclosure.

The Role of an Internal or External Auditor

The auditor focuses on the IT risks impacting financial reporting. They assess the ITGCs design and operating effectiveness to ensure the effective operation of automated controls, and completeness and accuracy of key reports or information provided by the entity (IPE).

A cybersecurity incident could happen without being identified or disclosed to the audit engagement team. The auditor should assess the nature and extent of the breach, including what was stolen, altered, or destroyed. The auditor should consider the effect of the breach on the company’s operations, and potential financial implications.

The auditor should assess whether the incident resulted from a deficiency in internal controls over financial reporting (ICFR), such as excessive user access, deficient change management controls, or an unpatched system, and whether remediation of any control breakdown has taken place.

The auditor should revise the risk assessment and document the relevant considerations of the cybersecurity incident on the audit.

The auditor should discuss with management and the audit committee the nature and type of disclosures the company is considering in its financial statements or notes to those statements. The auditor should also ensure the audit committee was adequately informed as soon as practical.

We’re Here to Help

For guidance on cybersecurity disclosure controls and procedures or SEC cybersecurity requirements, contact your Moss Adams professional.

Additional Resources

• Assurance Services
• IT Compliance Risk & IT Compliance Services