Changing the Rules: SEC Cybersecurity Updates for 2024 and What You Need to Know
The latest SEC (Securities and Exchange Commission) ruling on cybersecurity governance requires companies to disclose material cybersecurity incidents they experience and to report, on an annual basis, material information regarding their cybersecurity risk management, strategy, and governance.
It is important to note that the SEC ruling is not specific to any particular business. However, it is relevant to all businesses that handle sensitive data and information, as it provides guidelines and best practices for managing cybersecurity risks and disclosing cybersecurity incidents.
Understanding this is essential for public companies to ensure compliance and avoid potential penalties. However, it is equally important for any company with investors who need to make informed investment decisions. This report explains the ruling, its significance to your business, and provides guidance to chart a course for success.
The SEC Ruling
Key Components
The U.S. Securities and Exchange Commission (SEC) has enacted new rules that will significantly impact cybersecurity governance and disclosure for public companies. These changes are important because they promote better cybersecurity practices, enhance transparency, and emphasize the role of governance in managing cybersecurity risks. They can help protect your business and those you do business with from cyber threats and build trust with your stakeholders. The ruling focuses on three key functions:
Material Cybersecurity Incidents: Companies are required to disclose material cybersecurity incidents within four business days of determining the incident's materiality. The rules follow the 8-K reporting standard. The disclosure should describe the material aspects of the incident's nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant.
Cybersecurity Risk Management and Strategy: Annual disclosures in Form 10-K will require companies to describe their processes for assessing, identifying, and managing material risks from cybersecurity threats. Companies will also need to disclose whether risks from cybersecurity threats have materially affected or are reasonably likely to materially affect their business strategy, operations, or financial condition.
Cybersecurity Governance: Companies will need to disclose their cybersecurity governance practices in their annual report on Form 10-K. This includes the board of directors’ oversight of cybersecurity risk and management's role and expertise in assessing and managing material risks from cybersecurity threats.
Significance
These new SEC rulings on cybersecurity governance and disclosure can have significant implications for your business that you must be prepared for:
Risk Management: The new rules require companies to disclose their processes for assessing, identifying, and managing material risks from cybersecurity threats. This encourages businesses to establish robust cybersecurity risk management strategies, which can help prevent cyber-attacks and mitigate the damage if they occur.
Transparency and Trust: By disclosing material cybersecurity incidents and their impact, companies can build trust with their stakeholders, including customers, employees, and investors. Transparency about cybersecurity incidents can also help businesses learn from each other’s experiences and improve their own cybersecurity practices.
Regulatory Compliance: Non-compliance with the new rules can result in penalties from the SEC. Therefore, it’s important for businesses to understand and comply with the new rules to avoid potential legal and financial consequences.
Board Oversight: The new rules emphasize the role of the board of directors in overseeing cybersecurity risk. This can lead to more informed decision-making at the highest levels of the company, which can ultimately strengthen the company’s cybersecurity posture.
Material Cybersecurity Incidents
What is Materiality?
According to the Harvard Business School, materiality is an accounting principle which states that all items that are reasonably likely to impact investors’ decision-making must be recorded or reported in detail in a business’s financial statements using GAAP standards.
Essentially, materiality is related to the significance of information within a company’s financial statements. If a transaction or business decision is significant enough to warrant reporting to investors or other users of the financial statements, that information is “material” to the business and cannot be omitted.
Material vs. Immaterial Information
What’s considered to be material or immaterial will differ based on the size and scope of the firm. Ultimately, the type of information that’s material to an organization’s financial statements will vary and depend on the size, scope, and business priorities of the firm.
Financial
Material items can be financial (measurable in monetary terms) or non-financial. A business might need to report a pending lawsuit to the same degree it reports its revenues because both pieces of information could impact investors’ view of the company.
Personally Identifiable Information
Yes, Personally Identifiable Information (PII) can be considered material under certain circumstances. Materiality is typically defined as information that, if disclosed, could reasonably be expected to influence economic decisions, or affect the market value or trading price of a company's securities. In the case of a private company, there is a value and reputational risk consideration for investors.
In the context of cybersecurity, if a company experiences a data breach that involves the loss or compromise of PII, this could have significant implications for the company's reputation, customer trust, and potentially its stock price or company value for private entities. Therefore, such a breach could be considered a material event that would need to be disclosed under the new SEC rules.
However, the specific circumstances and potential impact of the loss or compromise of PII would likely determine whether it is considered material. It's always a good idea to consult with a legal or cybersecurity professional to understand how these rules apply to your specific situation.
Payment Card Industry Data Security Standards
The Payment Card Industry Data Security Standard (PCI DSS) is the main information security standard for organizations that process credit or debit card information. So, yes, PCI compliance would be considered during a material cybersecurity breach. For the CRE industry, PCI typically comes into play through parking systems, kiosks, food trucks or other third-party and/or IoT services offered throughout a property.
If a company experiences a data breach that involves the loss or compromise of cardholder data, this could have significant implications on reputation, customer trust, and potentially stock price. Therefore, such a breach could be considered a material event that would need to be disclosed under the new SEC rules.
Moreover, public companies must not only timely disclose material cybersecurity breaches, but they must also disclose the mere risk of a cybersecurity incident if a breach would cause a material impact to the company’s functions, operations, profitability, or performance.
However, it's important to note that being PCI compliant does not guarantee security. There have been instances where companies deemed PCI DSS compliant have still suffered breaches. This highlights the importance of not just achieving compliance but maintaining a robust and proactive cybersecurity posture, including governance.
Environmental, Social And Governance
With a bigger investor focus on sustainability nowadays, a business might want to include information related to its environmental, social, and corporate governance (ESG) practices to assure shareholders that the business is a sustainable investment. This could include how OT networks are designed, monitored, managed, and updated, including remote access processes and vendor management. The governance aspects show commitment to addressing cybersecurity and awareness.
Cybersecurity Risk Management and Strategy
Cybersecurity Risk Management
Cybersecurity risk management is the process of identifying, prioritizing, managing, and monitoring risks to information systems. Companies across industries use cyber risk management to protect information systems from cyberattacks and other digital and physical threats. Cyber risk management has become a vital part of broader enterprise risk management efforts.
The cybersecurity risk management process involves identifying the most critical threats and selecting the right IT security measures based on business priorities, IT infrastructures, and resource levels. The process is typically handled by a mix of stakeholders, including directors, executive leaders like the CEO and chief information security officer (CISO), IT and security team members, legal and HR, and representatives from other business units. While framework methods differ slightly, they all follow a similar set of core steps.
The core steps of the cybersecurity risk management process include:
- Risk framing: Defining the context in which risk decisions are made.
- Risk assessment: Identifying and analyzing risks to the organization's information systems.
- Risk mitigation: Implementing controls to reduce the impact and likelihood of threats.
- Risk monitoring: Continuously monitoring and reassessing risks to ensure that controls remain effective.
It's important to note that evaluating cyber risk with total certainty is impossible, as companies rarely have full visibility into cybercriminals' tactics, their own network vulnerabilities, or more unpredictable risks like severe weather and employee negligence. For this reason, authorities suggest approaching cyber risk management as an ongoing, iterative process rather than a one-time event.
Understanding Impact
The increasing reliance on technology in today's world makes protecting sensitive information a more critical priority than ever before. By identifying and understanding the business impacts of a cyber event, organizations can respond and assess damages more quickly, and take the necessary steps to minimize the damage while preventing similar future attacks.
A business impact analysis (BIA) is a method used to identify the operational and financial impacts of cybersecurity breaches, natural disasters, or any type of disruptive event. It helps predict the consequences of these disruptions to business processes, so you have the data you need to proactively create recovery strategies.
The best way to know the impact of a cybersecurity breach is to assess the damage caused by the breach. Cybersecurity breaches can have severe consequences, including financial losses, reputational damage, and loss of sensitive information, including client or tenant data. To understand the impact of a cybersecurity breach, start by assessing/measuring the following:
Financial impact: This includes the direct and indirect costs of the breach, such as lost revenue, legal fees, and regulatory fines.
Operational impact: This includes the impact on the organization's ability to function, such as downtime, lost productivity, and damage to equipment.
Reputational impact: This includes the impact on the organization's reputation, such as loss of customer trust and negative media coverage.
Legal impact: This includes the impact on the organization's legal standing, such as lawsuits and regulatory investigations.
Cybersecurity Strategy
Cybersecurity strategy is the plan of action designed to protect an organization's information systems from cyberattacks and other digital and physical threats. The strategy typically involves identifying the most critical threats and selecting the right IT security measures based on business priorities, IT infrastructures, and resource levels.
Implementing safe cybersecurity best practices is important for organizations of all sizes. Using strong passwords, updating software, thinking before clicking on suspicious links, and turning on multi-factor authentication are the basics of what we call “cyber hygiene” and drastically improve online safety. However, these are only the basics.
Technology and tools alone do not create a strategy. As stated previously, your cybersecurity strategy must be an ongoing, iterative process with assigned ownership and governance controls. Cybersecurity strategies without operational oversight have a very high failure rate.
Governance
The Board Of Directors
The board of directors (the board) plays a critical role in ensuring the cybersecurity of the organization. The board is responsible for setting the overall strategy for the organization and ensuring that management is taking appropriate measures to protect the organization against cyber threats.
The board also has a fiduciary duty to oversee the cybersecurity risks and incidents that may affect the organization’s financial performance, legal liability, reputation, and stakeholder interests. Not only should the board be aware of the SEC’s rules on cybersecurity disclosure, but it should also understand their implications for the organization’s cybersecurity policies and procedures, as well as its disclosure obligations and potential liability.
Cybersecurity is a complex and dynamic issue that requires constant vigilance and adaptation. The board must ensure that they have adequate knowledge and expertise on cybersecurity, and that they receive regular and timely reports from management and external experts on the organization’s cybersecurity status, challenges, and opportunities.
Building a culture of cybersecurity awareness and resilience throughout the organization begins with the board.
Enforcement
The SEC enforces its rules on cybersecurity reporting by conducting examinations, investigations, and enforcement actions against public companies that violate the rules or fail to disclose material information about their cybersecurity practices and incidents.
The SEC can impose civil penalties, injunctions, cease-and-desist orders, disgorgement, and other remedies for such violations. The SEC also coordinates with other federal and state regulators, law enforcement agencies, and self-regulatory organizations to address cybersecurity issues and protect investors.
In Summary
The new rulings by the SEC on cybersecurity disclosure have significant implications for all companies. They aim to provide investors with timely, consistent, and comparable information about a company's cybersecurity risks, which can help them make informed investment and voting decisions.
- Disclosure of Cybersecurity Incidents: Companies are required to disclose any cybersecurity incident they determine to be material. They must describe the material aspects of the incident's nature, scope, and timing, as well as its material impact or reasonably likely material impact.
- Form 8-K Filing: The disclosure of a material cybersecurity incident must be made on the new Item 1.05 of Form 8-K. This filing is generally due four business days after a company determines that a cybersecurity incident is material. However, the disclosure may be delayed if the United States Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety.
- Annual Disclosure: Companies are required to disclose material information regarding their cybersecurity risk management, strategy, and governance on an annual basis in Form 10-K. This includes describing their processes for assessing, identifying, and managing material risks from cybersecurity threats, as well as the material effects or reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents.
- Board Oversight and Management Role: The new rules also require companies to describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats.
The new SEC rules on cybersecurity disclosure primarily apply to publicly traded companies. But it's important to note that while these rules may not directly apply to privately owned companies, they could still influence best practices in the private sector through partnerships and investor relations. It’s always a good idea to stay informed about regulatory changes that could potentially impact your business.