Navigating the SEC’s 4-Day Disclosure Requirement: A Comprehensive Guide for CISOs 

Author: Marian Reed, Vice President, GRC

In the ever-evolving cybersecurity landscape, the Securities and Exchange Commission (SEC) has introduced a new rule for public companies which requires them to be more transparent about cybersecurity incidents. An Item 1.05 Form 8-K will now be due four business days after a registrant determines that a cybersecurity incident is material.  

To determine if a cybersecurity incident has had a material impact on the company requires a certain level of investigation and gathering of data to determine what that impact really is. Keep in mind these two initial steps in any cybersecurity incident (the first is the most critical here): 

• Detect: This means you are initially responding to an alert – you don’t know whether it is legitimate until after some investigation occurs. 
• When you declare an incident – it is when you have an idea of whether there is a material impact. At this point, your four days countdown starts. 

Too often, companies focus only on the technical aspect of their Incident Response plan and don’t plan for the business aspect. Your IR Plan is incomplete if you have not addressed the business aspect of a cybersecurity incident.  Some companies try to address it by utilizing an attorney and doing it ad-hoc. It takes too much valuable time.  Companies should identify key decisions that must be made as part of their plan and who can do so.   

As a CISO, ensuring compliance and effective incident response becomes paramount. Let’s delve deeper into this SEC’s requirement and discuss some actionable tips to incorporate it seamlessly into your existing Incident Response plan. As the clock begins ticking upon the declaration of an incident, a well-prepared CISO must be equipped to respond efficiently. 

Tips for CISOs to Navigate the New SEC’s Cybersecurity Requirement 

1. Strengthen Business-Centric Incident Response 

Avoid the pitfall of focusing solely on technical aspects and allocate resources to address the business aspect of incident response. Identify key decision-makers responsible for critical business choices during a cybersecurity incident. Collaborate with legal and executive teams to ensure all stakeholders are assigned and involved in the response process. 

2. Proactive Planning for Notification 

Craft a well-defined notification procedure outlining the steps to comply with the SEC’s requirement. Assign roles and responsibilities for crafting, approving, and forwarding notifications to relevant parties. Develop communication templates with pre-approved content, leaving room for incident-specific details to be filled in during a crisis. 

3. Information to be included on the Form 8-K: 

• Describe processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, as well as the material effects or reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents.  

• Information disclosure. How do you provide enough without disclosing sensitive information or something to benefit attackers? Work on defining this now and prepare a template in case of an attack. 

4. Executive and Board Involvement 

Engage your executive team and board members early in the incident response planning process. Clarify their roles in decision-making and ensure they understand the importance of timely action and disclosure. Their support can expedite the process and lend credibility to your cybersecurity efforts. 

5. Incident Impact Assessment 

Prepare your incident response team to conduct swift and comprehensive impact assessments. Define the criteria for determining materiality, including financial, reputational, and operational implications. This step is critical in meeting the tight four-day reporting deadline. 

6. Data Protection and Disclosure Balance 

Striking a balance between providing enough information for compliance and safeguarding sensitive details from potential attackers is challenging. Develop protocols to protect confidential information during public disclosures, and collaborate closely with legal counsel to ensure compliance with disclosure regulations. 

7. Regular Plan Reviews and Third-Party Assessments 

Review and update your Incident Response Plan regularly to stay abreast of evolving threats and compliance requirements. Engage external cybersecurity experts to conduct thorough assessments, identifying gaps and potential vulnerabilities that need immediate attention. 

8. Conduct Tabletop Exercises 

Organize tabletop exercises that simulate real-world cybersecurity incidents. Ensure these exercises involve the business aspect, focusing on decision-making, communications, and incident impact assessment. These drills will sharpen your team’s skills and enhance preparedness to the new 4-day deadline. 

9. Foster a Culture of Cybersecurity Awareness 

Cultivate a company-wide culture that prioritizes cybersecurity awareness and incident reporting. Encourage employees to report potential threats promptly, empowering your team to respond swiftly to mitigate risks. 

As the cybersecurity landscape continues to evolve, compliance with the SEC’s new requirement for the 4-day disclosure is crucial for public companies. By proactively incorporating this requirement into your Incident Response Plan and addressing the business aspect, you can enhance your organization’s resilience to cybersecurity incidents.

By following these tips, CISOs can ensure timely and compliant responses to potential cybersecurity threats. Remember, preparedness today is the key to safeguarding your company’s reputation and financial well-being tomorrow. 

For more information, contact our experts today.