[UPDATE September 16: I'm hoping to see friends and colleagues on 9/30 at the BSides CT conference hosted by Quinnipiac University. I'll be presenting a technical implementation talk on C-SCRM process disclosures to meet SEC Cybersecurity Regulations that go live in December 2023]
I commend Venable for providing an accurate and objective interpretation of what is expected with regard to the information that must be reported in a public cyber-incident report (Form 8-K), as described by the SEC in the four-day reporting requirement for material cyber-incidents, effective December 2023.
Some US Government entities have been critical of the SEC for taking these positive actions to reduce cyber-crime and appear to "misunderstand" the expectations with regard to information sharing (cyber-incident reporting) and assigning greater responsibility for cybersecurity to Officers and Directors of public companies. The SEC cybersecurity regulations are consistent with other Government cybersecurity initiatives across the world to report on cyber-incidents and improve cybersecurity protections.
Some have expressed concern over the "public nature" of these cyber-incident reports, but these concerns are unfounded when looking carefully at what the SEC is expecting in a public cyber-incident report, Form 8-K, as Venable has pointed out:
- SEC Requirement for cyber-incident reporting on Form 8-K: Disclose material cybersecurity incidents on Form 8-K within four business days of determining the incident is material, and disclose any material updates on an ongoing basis.
- Compliance with the cyber-incident reporting rules is required commencing on December 18, 2023.
- The term "material", as defined by the SEC regulations, is key to understanding what is expected to be reported. The intended audience for this information is the "investor community", not the FBI, DOJ or other agencies responsible for cybersecurity, such as CISA and DHS.
- Under the rule, companies must determine whether a cybersecurity incident is material without unreasonable delay. Information is material if "there is a substantial likelihood that a reasonable person would consider it important" in making an investment decision. The SEC states that companies should consider both quantitative and qualitative factors such as financial costs, loss of intellectual property, "harm to a company's reputation, customer or vendor relationships, or competitiveness, [and] the possibility of litigation or regulatory investigations or actions."
- The SEC's rule requires disclosures of cybersecurity incidents to focus on the material impact of the incident, rather than on the technical details of the incident itself.
- The SEC's rule also clarifies that companies are not required to disclose technical information in such detail that it interferes with the companies' incident response processes. This includes specific information about the response plan, defensive measures, related systems, or potential vulnerabilities.
In fact, it is highly recommended that reporting parties limit the cyber-incident information in Form 8-K to the "material" impact from the viewpoint of investors, just as the SEC has recommended. DO NOT include technical details of the cyber-incident; technical details should only be shared with the proper authorities, such as the FBI, CISA and others, using private/confidential communication channels.
Companies need to carefully craft their public Form 8-K cyber-incident reports to ensure that important, confidential technical details are excluded; see "Breaches and the Board" for an example of an "investor level cyber-incident report" here. Only include the information that would be "material to investors", as recommended by the SEC. By all means, report the cyber-incident details to the FBI and CISA and seek their help, but do so confidentially in private communications.
More information about SEC cyber-incident reporting is available here.