The effect of the SEC’s new cyber disclosure rules.
By Ladzer Odotei Blumenfeld, CyberWire stringer
Sep 28, 2023

Judgments of materiality will be central to compliance.

The effect of the SEC’s new cyber disclosure rules.

As public companies deal with the SEC's cyber incident reporting rules, they won't be simply recognizing a cyber incident, but judging its materiality as well.

CISOs are particularly involved with compliance.

Legal Dive offers a closer look at how the US Security and Exchange Commission’s (SEC) newly instated cyber incident reporting rules will impact corporate executives. With the new rules, determining materiality is key, as publicly traded companies are required to disclose cyberincidents within four business days of determining the incident is material to the company’s bottom line. CISOs are responsible for this disclosure, which means they’re also responsible for deciding whether the incident is material, a task that can be challenging to complete in a timely fashion. 

CISOs will also be held accountable for ensuring that the C-suite and board are in the know about any cyber incidents. Failure to do so could result in conviction, as seen earlier this year in the Uber ransomware attack cover-up. As a recent survey from Proofpoint shows, the majority (62%) of CISOs are already concerned about liability when it comes to incident response and governance compliance, and the new rules aren’t making things any simpler. 

CISOs are accustomed to disclosure, but the SEC's rules lend it a new gravity.

Ryan Witt, VP of industry solutions at Proofpoint, states, “The CISO role has never been easy, and it looks a lot less appealing when you add responsibility to the pressure, the on-call hours and the stress.” However, IT firm ServiceNow’s deputy CISO Jeff DiMuro says that for some firms, the SEC’s new rules won’t actually be that big of a change. “The SEC rule we think just memorialized a demarcation of the four-day reporting rule, but these are things we have to do anyway as CISOs for a publicly traded company,” DiMuro says. 

Still, some CISOs are clearly worried, as evidenced by an increase in requests to be given additional liability protection as part of their jobs. Uri Dallal, managing director at professional services firm Aon, explains, “when you get to situations like this where the role is attracting litigation in the way that it’s typically reserved for the CFO and CEO, it’s not uncommon for people to question whether they are covered under the policies, and seek affirmative coverage.” 

Early responses to cyberattacks as the SEC's rules take effect.

The cyberattack that disrupted operations at Clorox was among the first major incidents to fall under the US Securities and Exchange Commission (SEC) rules that went into effect on September 5th. (Compliance dates for mandatory reporting are somewhat later, falling for most companies in December. "The Form 10-K and Form 20-F disclosures will be due beginning with annual reports for fiscal years ending on or after December 15, 2023. The Form 8-K and Form 6-K disclosures will be due beginning the later of 90 days after the date of publication in the Federal Register or December 18, 2023," the SEC explained.) The Wall Street Journal reviews how the company has responded publicly to the incident. Clorox has issued six statements, including two Forms 8-K, since the incident was disclosed on September 14th, shortly after it was detected. There are at least two challenges: keeping reporting current as an investigation unfolds ("A stream of 8-Ks will be the new norm,” one expert told the Journal), and determining whether an incident has a material impact on a public company.

The MGM and Caesars incidents also offer lessons in compliance. These two companies face an additional regulatory burden, Dark Reading points out, in the form of oversight by the Nevada Gaming Control Board, whose regulation 5,260 requires "covered entities" (including casino operators) to establish effective cybersecurity measures. In the event of an incident "resulting in a material loss of control, compromise, unauthorized disclosure of data or information, or any other similar occurrence," a casino operator must disclose the incident to the Board within seventy-two hours and undertake both investigation and remediation of the incident.