
On July 26, 2023, the Securities and Exchange Commission (SEC) adopted its final rule on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure. The rule responds to investor concerns about timely, consistent, and comparable information on cybersecurity, against a backdrop of escalating and persistent cybersecurity threats to public companies, investors, and market participants.

What Are the New SEC Rules on Cybersecurity Incident Disclosure?

The final rules represent a significant step forward in the SEC’s cybersecurity incident disclosure requirements. Here are six key points you should know:

1. Divulgence of Cybersecurity Incidents

New Form 8-K Item 1.05 requires registrants to disclose any cybersecurity incident they determine to be material. The disclosure must describe the material aspects of the incident's nature, scope, and timing, and its material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations. The rule does not require specific or technical information about the planned response, the affected systems, or potential vulnerabilities in such detail as would impede response or remediation, so the filing can be written without handing attackers a roadmap.

2. Four Business Days to Disclose Material Incidents

Registrants must determine whether an incident is material without unreasonable delay after its discovery. If the incident is material, the Item 1.05 Form 8-K is generally due within four business days of that materiality determination, not of the discovery itself. In practice the incident-response process needs a defined hand-off from the technical responders to whoever makes the materiality call, so that the determination is neither delayed unreasonably nor the four-day clock missed once it starts.

3. The Attorney General Can Delay Disclosure

Disclosure may be delayed if the United States Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the Commission of that determination in writing. The initial delay is for up to 30 days; the Attorney General may extend it by up to an additional 30 days, and in extraordinary circumstances by a final additional period of up to 60 days. Beyond that, the Commission will consider further requests and may grant relief through exemptive orders. This is the only delay mechanism the rule provides; an ongoing investigation or an unfinished remediation does not by itself postpone the filing.

4. Disclosure of Risk Management and Mitigation Strategies

Regulation S-K Item 106 requires registrants to describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats. Registrants must also describe whether any risks from cybersecurity threats, including as a result of previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant, including its business strategy, results of operations, or financial condition.

5. Role of the Board of Directors

Item 106 also requires registrants to describe the board of directors' oversight of risks from cybersecurity threats, and management's role and expertise in assessing and managing material risks from cybersecurity threats.

6. Disclosure Requirements for Foreign Private Issuers

Amendments to Form 6-K require foreign private issuers to furnish information on material cybersecurity incidents that they disclose or are required to disclose in a foreign jurisdiction, to a stock exchange, or to security holders. Form 20-F is also amended to require foreign private issuers to provide periodic disclosure comparable to that required under the new Regulation S-K Item 106.

When do the Rules Come Into Effect?

The final rules will become effective 30 days following publication of the adopting release in the Federal Register.

  • Form 10-K and Form 20-F: Disclosures will be due beginning with annual reports for fiscal years ending on or after December 15, 2023.
  • Form 8-K and Form 6-K: Disclosures will be due beginning the later of 90 days after the date of publication in the Federal Register or December 18, 2023.
  • Smaller reporting companies: An additional 180 days will be granted to provide Form 8-K disclosure.

What Pathlock Can Do to Help

Though much of the rule addresses what a company must do once it has detected a material breach or incident, Regulation S-K Item 106 also requires registrants to disclose the processes they use to assess, identify, and manage cybersecurity risk. This is where Pathlock can help you implement a robust security, risk, and compliance framework at the application level. Pathlock offers a range of modules you can deploy based on your specific security needs and risk mitigation requirements across applications.

Identify Access Risk

Pathlock enables you to govern access across multiple applications from a single interface. Our Certifications module lets you view every entitlement a user holds across your applications, along with role usage history. Coupled with our Separation of Duties (SoD) capabilities, you can immediately identify users with conflicting roles. We also offer a cross-application Provisioning module with customizable approval workflows, and SoD checks are built into the provisioning process so that new conflicts are caught before access is granted rather than at the next certification cycle.
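A minimal version of the cross-application SoD check described above, written here as an added Python example; it is not Pathlock's code, and the rule IDs, application names, entitlement names, users and mitigations are constructed for illustration. It runs the detective check over a consolidated entitlement view and the preventive check a provisioning workflow would run before granting access:

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class SodRule:
    """One separation-of-duties rule: holding both entitlements is a conflict."""
    rule_id: str
    description: str
    risk: str                     # "high" or "medium"
    conflicting: Tuple[str, str]  # app-qualified entitlements, "app:entitlement"


# Constructed, hypothetical ruleset (a real repository would be far larger).
RULES: List[SodRule] = [
    SodRule("SOD-001", "Maintain vendor master and run payments (same ERP)", "high",
            ("sap:vendor_master_maintain", "sap:payment_run")),
    SodRule("SOD-002", "Maintain vendor master in one ERP and enter AP invoices in another",
            "high", ("sap:vendor_master_maintain", "oracle_ebs:ap_invoice_entry")),
    SodRule("SOD-003", "Administer roles and approve access requests", "medium",
            ("sap:role_admin", "sap:access_approver")),
]

# Constructed sample entitlements, as a cross-application certification view
# would collect them: user -> application -> set of entitlements.
ENTITLEMENTS: Dict[str, Dict[str, Set[str]]] = {
    "alice": {"sap": {"vendor_master_maintain"}, "oracle_ebs": {"ap_invoice_entry"}},
    "bob":   {"sap": {"vendor_master_maintain", "payment_run"}, "workday": {"view_comp"}},
    "carol": {"sap": {"payment_run"}},
}

# Documented mitigating controls, keyed by (user, rule_id); constructed.
MITIGATIONS: FrozenSet[Tuple[str, str]] = frozenset({("alice", "SOD-002")})


def flatten(per_app: Dict[str, Set[str]]) -> Set[str]:
    """Qualify each entitlement with its application so rules can span systems."""
    return {f"{app}:{ent}" for app, ents in per_app.items() for ent in ents}


def find_conflicts(entitlements: Dict[str, Dict[str, Set[str]]],
                   rules: List[SodRule] = RULES,
                   mitigations: FrozenSet[Tuple[str, str]] = MITIGATIONS) -> List[dict]:
    """Detective check: every (user, rule) pair where the user holds both sides."""
    findings = []
    for user in sorted(entitlements):
        held = flatten(entitlements[user])
        for rule in rules:
            if set(rule.conflicting) <= held:
                findings.append({
                    "user": user,
                    "rule": rule.rule_id,
                    "risk": rule.risk,
                    "mitigated": (user, rule.rule_id) in mitigations,
                })
    return findings


def open_findings(findings: List[dict]) -> List[dict]:
    """Conflicts with no documented mitigation; these need action before reporting."""
    return [f for f in findings if not f["mitigated"]]


def check_provisioning_request(user: str, app: str, entitlement: str,
                               entitlements: Dict[str, Dict[str, Set[str]]] = ENTITLEMENTS,
                               rules: List[SodRule] = RULES) -> List[str]:
    """Preventive check: rule IDs the requested grant would newly violate.

    Run inside the approval workflow so a conflict is caught before access
    exists, rather than found at the next certification cycle.
    """
    current = flatten(entitlements.get(user, {}))
    proposed = current | {f"{app}:{entitlement}"}
    before = {r.rule_id for r in rules if set(r.conflicting) <= current}
    after = {r.rule_id for r in rules if set(r.conflicting) <= proposed}
    return sorted(after - before)


if __name__ == "__main__":
    for f in find_conflicts(ENTITLEMENTS):
        status = "mitigated" if f["mitigated"] else "OPEN"
        print(f'{f["user"]:6} {f["rule"]} ({f["risk"]}) {status}')
    print("carol + sap:vendor_master_maintain ->",
          check_provisioning_request("carol", "sap", "vendor_master_maintain"))
```

The design point is that entitlements are qualified by application before the rules are evaluated, so a rule can pair a vendor-maintenance right in one ERP with an invoice-entry right in another; a per-system check would never see that pair. The preventive check diffs rule hits before and after the proposed grant, so an already-held conflict is reported once by the detective pass instead of blocking every unrelated request from that user.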

Implement Fine-grained Controls

Pathlock enables you to implement attribute-based access controls that make access context-aware by enforcing rulesets aligned with globally recognized compliance requirements. Using contextual access data, Pathlock can mask sensitive data and enforce in-line multi-factor authentication. These controls can be triggered at the page, field, and transaction level to meet privacy regulations, restrict data access, and monitor access to sensitive data and transactions.

Enforce Compliant Rulesets

Whether it’s SoD, data security, or financial regulations like SOX, Pathlock offers the most comprehensive repository of rulesets for leading ERP and business applications. These rulesets have been built using globally recognized standards that you can implement at the click of a button. Our customers can also customize rulesets based on their unique business needs.

Detailed Reports for Audit

Pathlock solutions are built with audit and compliance requirements in mind. For key compliance processes such as provisioning, access certifications, and controls monitoring, our solutions maintain comprehensive logs of user access, changes to data, approvals, mitigations, and transactions. This enables you to continuously monitor user activity, detect suspicious behavior, and maintain an audit trail. Our cross-application, fine-grained visibility gives you a complete view of SoD risks, even in a hybrid SaaS and on-premises environment, making it simpler to generate reports and share them with your board of directors.

Evaluate, Recognize, and Control Risks with Pathlock

The SEC’s new rules emphasize the crucial role of transparent cybersecurity incident disclosure. They demand not only timely reporting but also demonstrable risk management processes. As these requirements take effect, solutions like Pathlock help businesses meet the disclosure standards and bolster their cyber defenses.

Pathlock enables you to monitor your applications continuously, detect risks, and implement controls that eliminate or mitigate those risks and enhance compliance across applications. Furthermore, our compliant rulesets and audit documentation provide senior management with the assurance they need to report on their risk mitigation and security measures in their annual reports.

Get in touch with us to learn more about how Pathlock can help you successfully meet your security and compliance goals.
