Without clear guidance, SEC’s new rule on incident reporting may be detrimental
The SEC has instituted a set of guidelines “requiring registrants to disclose material cybersecurity incidents they experience and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance.” These new guidelines went into effect on December 18, 2023, which means 2024 will be an important year for enterprises and how they adhere to current security regulations.
Establishing a reporting infrastructure that sheds light on what, how, and when security incidents are disclosed is important for the industry at large and is a huge step toward having cybersecurity treated as a business-wide issue. However, critical pieces of the SEC's rules lack specificity, which leaves companies to their own discretion (and confusion) about what constitutes a "material" incident and what the full range of penalties may be for failing to disclose appropriately.
In 2024, that ambiguity must be cleared up: without clear guidance, companies may over-disclose information to the point of creating noise that masks truly material incidents.
The minimum bar will probably be set by precedent
Cybersecurity incidents are highly diverse and continuously evolving, posing a unique challenge for companies. When handling larger-scale data breaches, companies often err on the side of caution, opting for comprehensive disclosure to mitigate legal risks.
The challenge with these new guidelines arises from the SEC’s directive that mandates registrants disclose any cybersecurity incident deemed materially significant, detailing, “… the nature, scope, and timing of the incident, as well as the material impact or reasonably likely material impact of the incident on the registrant, including its financial condition and results of operations.” This requirement leaves considerable interpretive leeway, and concrete definitions are likely to emerge only through legal precedent. Naturally, companies are hesitant to become test cases for these definitions.
This ambiguity may prompt businesses to over-communicate with the SEC, ensuring exhaustive compliance with the immediate disclosure requirements. However, this approach risks diluting the significance of “material” information. Investors relying on a company’s 8-K filings for insights into the impact of a cyber incident might consequently overlook critical details amid the information overload.
To counter this, the SEC needs to engage in proactive dialogue to clarify the disclosure requirements, particularly the expected frequency of filings and the level of detail they should contain. In the absence of such guidance, "regulation by enforcement" could inadvertently become the norm: businesses will learn where the line sits only when one of them is made an example of in an enforcement action.
Not all cybersecurity incidents require public disclosure
Determining the materiality of an incident is another ambiguous mandate in the SEC's rules. Companies have four business days after determining that an incident is material to disclose it, unless immediate disclosure would pose a substantial risk to national security or public safety. Even then, the delay is not at the company's discretion: the United States Attorney General must make that determination and notify the SEC in writing.
Companies must also make the materiality determination "without unreasonable delay" following discovery of the incident. How long does it take to determine materiality? Again, the answer is a moving target based on the scope and nature of the cyber incident, so companies may err on the side of caution. If everything gets reported out of fear, the intent of the disclosure regulation is devalued.
There’s a pressing need to define more clearly what constitutes a material breach, including its impact on those affected, its influence on a company’s operations, and its future implications. Not all incidents warrant public disclosure; many can be managed internally, without significant disruption to normal operations.
Over-reporting also has internal repercussions. Assessing the materiality of a breach consumes significant resources, particularly under the pressure of regulatory deadlines. In the absence of clear guidelines, resources that would be better spent containing the breach and bolstering overall security may be redirected toward compliance activities. Proactive guidance from regulators is therefore crucial not only for external stakeholders, but also for strengthening the company's future security posture.
2024 is shaping up to be a pivotal year for public companies and their shareholders, one in which "regulation by enforcement" will more than likely be a common theme for companies experiencing material cyber incidents.
There is an ongoing process to define what makes a cybersecurity incident "material" and to establish better baselines for a "minimally viable" security posture. Clear action and guidance from regulators are imperative in this context. If regulators and the industry are not proactive here, the "play it safe" mentality may produce an overload of information that diminishes the effectiveness of these rules.
It is important to recognize that cybersecurity incidents are a routine occurrence for companies, and not all of them warrant public disclosure.