In July, the U.S. Securities and Exchange Commission (SEC) adopted enhanced requirements regarding material cybersecurity incidents and reporting. Through the SEC Whistleblower Program, whistleblowers may qualify for monetary awards for reporting violations of these new cybersecurity disclosure rules.
According to the SEC, the new rules “enhance and standardize” disclosures of cybersecurity risk management, strategy, and governance by public companies under the reporting guidelines of the 1934 Securities Exchange Act of 1934. The SEC determined that inconsistent disclosure practices necessitated new rules. Investors should now be able to understand material cybersecurity risks and how companies manage and mitigate them.
Per the SEC, information is material “to which there is a substantial likelihood that a reasonable investor would attach importance in determining whether to purchase the security registered.”
The need for more stringent measures was prompted by noticed trends. Increasing cybersecurity incidents pose risks and high costs to public companies, their consumers, and investors in a market that is increasingly digitized operationally, opening up new venues for privacy breaches.
SEC Chair Gary Gensler underscored the importance of the changes: “Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”
On the new Item 1.05 of Form 8-K, registrants must now disclose any cybersecurity incident-determined material, the nature, scope, and timing of the incident, and its impact. Companies have four business days to report to the SEC after determining that a cybersecurity incident is material.
The SEC outlines that the disclosure “may be delayed if the United States Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the Commission of such determination in writing.”
An additional new rule is Regulation S-K Item 106, which requires registrants to describe their processes of assessing, identifying, and managing material risks from cybersecurity threats, and the material effects learned from prior incidents.
This regulation requires registrants to outline the oversight a Board of Directors has over risks from cybersecurity threats, as well as management’s role and expertise in assessing and managing material risks from cybersecurity threats. Registrants must disclose this in their annual report on Form 10-K.
Foreign private issuers must make comparable disclosures through Form 6-K for material cybersecurity incidents and Form 20-F for cybersecurity risk management, strategy, and governance.
The widened scope of reporting indicates an increase in serious cybersecurity threats and incidents with a need for accountability. The SEC wants comprehensive oversight to address and understand current threats to companies, investors, and the public. These rules make it so companies must enforce robust cybersecurity practices so that they can efficiently evaluate the materiality of a breach to be able to report it within the four days provided.
Through the SEC Whistleblower Program, qualified whistleblowers – individuals who voluntarily report original information that leads to a successful enforcement action where the SEC collects at least $1 million – are entitled to monetary awards of 10-30% of the funds collected by the government.
Even prior to the adoption of the new cybersecurity disclosure rules, the SEC has taken enforcement actions against companies for deficient cybersecurity procedures and misleading disclosures. For example, in March, Blackbaud Inc., a company that provides donor data management software to non-profit organizations, agreed to pay the SEC $3 million to settle charges for “making misleading disclosures about a 2020 ransomware attack that impacted more than 13,000 customers.”
Since the SEC Whistleblower Program was established in 2010, whistleblower disclosures have resulted in more than $6 billion in sanctions. Correspondingly, the SEC has awarded over $1.5 billion to whistleblowers.