By Christopher Hetner, Senior Executive, Board Director, and Leader in Cybersecurity, Former SEC Chair Senior Cybersecurity Advisor; Ali Plucinski, Cyber Threat Analyst, RANE; Dominique Shelton Leipzig, CEO, Global Data Innovation
As we approach the one-year mark since the implementation of the U.S. Securities and Exchange Commission's (SEC) cybersecurity disclosure rules, it is imperative for board directors to understand the evolving landscape and the strategic implications these rules present. This review offers insights into how companies can best adapt to the requirements moving forward.
The SEC’s rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, which were adopted in July 2023 and went into effect December 2023, introduced a range of new cyber requirements for publicly traded companies. The rules require companies to submit disclosures of cyber incidents in Form 8-K within four days of being deemed material, as well as periodic disclosures regarding their cybersecurity risk management, strategy, and governance in Form 10-K and annual reports.
The introduction of these rules was met with apprehension due to their novelty and the perceived ambiguity in key areas such as the concept of “materiality.” This term was heavily debated among registrants because the rules do not define it; they state only that qualitative factors, such as harm to a company's reputation, customer or vendor relationships, or competitiveness, and the possibility of litigation, regulatory investigations, or other actions, should be considered. Similarly, there was uncertainty about the Form 10-K and how much explicit information needed to be disclosed in the form to constitute good-faith transparency and compliance with the agency’s expectations. In May, the SEC issued guidance on companies’ specific responsibilities under the rules with respect to the disclosure of cybersecurity incidents using Form 8-K, in response to companies disclosing non-material incidents under Item 1.05 rather than Item 8.01. This highlights the challenges companies face in determining when cybersecurity incidents introduce material operational, business, and financial impacts.
As a result, companies have been navigating these waters with caution, balancing regulatory compliance against the risk of providing a roadmap for potential cyberattacks. Board directors must provide oversight to ensure their companies have robust mechanisms in place to quickly identify and assess the materiality of cyber incidents. This requires an understanding of what constitutes a ‘material’ cyber incident and of its potential impacts on the company’s operations, reputation, and financial health. Ongoing educational courses, such as the NYU Law-Nasdaq Center for Board Excellence Cybersecurity Scholar Certification Program, are valuable resources for board directors seeking to enhance their understanding of cybersecurity issues and effective oversight. It is important that board directors understand:
Since the rules took effect, public disclosures and studies have shed light on how companies have navigated the new requirements. Early 10-K disclosures by companies such as Lockheed Martin, Schlumberger, and United Rentals have set a precedent for how cybersecurity oversight should be communicated to shareholders. All three companies clearly stated that they employ a cyber leader responsible for overall cybersecurity and that the board plays a role in cybersecurity oversight; however, the companies differed in how precisely they described that oversight. For example, one company disclosed that its board was “regularly” informed, while the other two stated that their boards receive cyber reports quarterly. Moreover, while all three companies disclosed that their boards are made aware of all cyber incidents deemed to have a strong business impact, none defined its concept of materiality. These disclosures not only highlight the board’s role in cybersecurity oversight but also reflect varying approaches to describing such oversight, underscoring the lack of uniformity in how companies interpret and implement the SEC's guidelines. This may necessitate more frequent and detailed briefings from cybersecurity teams and external advisors to ensure board directors are informed and involved in the strategic planning of cybersecurity measures, including ensuring that the company’s cybersecurity strategy aligns with its overall business objectives and risk management framework.
A review of 10-K disclosures published by Forbes in June 2024 offers further insight into how companies approach the SEC’s rules. While most SEC registrants cited their readiness to respond to cyber incidents, far fewer explicitly described preparedness strategies, and most used generic language to discuss their cybersecurity efforts. A separate survey by cybersecurity consulting firm Halock Security Labs, published in September 2024, reviewed thousands of 10-Ks filed since December 2023 and found that only 24 of them listed risk assessment methods. The report claims that “public companies appear to be overstating their cybersecurity governance capabilities in their 10-Ks…companies do not yet know how to define what cybersecurity risk management is, how they determine what cyber risks and incidents would be qualitatively and quantitatively material, or how they discern strategy from governance.”
The landmark SEC lawsuit against SolarWinds, stemming from the 2020 cyberattack that compromised over 18,000 customers, highlights the importance of cybersecurity disclosures. In October 2023, the SEC took action against SolarWinds and its Chief Information Security Officer (CISO), marking the first time a public company and its CISO faced legal consequences for inadequate cybersecurity disclosure practices. The case, which was brought before the new SEC rules were officially in place, focused on SolarWinds' transparency regarding its cybersecurity measures and accused the company of misleading investors by not fully disclosing security vulnerabilities. The case emphasized the need for detailed and specific cyber risk disclosures, criticizing the company for omitting essential information about significant and longstanding cybersecurity threats.
Throughout 2024, the variability in companies’ disclosures illustrated the challenges of complying with the SEC’s cybersecurity disclosure rules. Although much of the case against SolarWinds was dismissed, the SEC’s continued emphasis on rigorously enforcing disclosure standards remains clear. While the court's decision was perceived as a victory for companies hesitant to disclose detailed information in 10-K filings, on October 22 the SEC charged four additional software companies with misleading cybersecurity disclosures related to the SolarWinds breach. These companies, which settled with civil penalties ranging from $990K to $4M, were criticized for using generic language that obscured the full impact of the breach, highlighting the financial and reputational risks of non-transparent disclosures and indicating that the SEC will likely maintain rigorous enforcement of these rules.
It is important for board directors to understand how to strike the right balance in 10-K disclosures. Disclosures that are too vague may raise doubts about a company's cybersecurity readiness and potentially erode investor confidence. Conversely, overly detailed disclosures could inadvertently reveal weaknesses that might attract cyber threats, or suggest a lack of cybersecurity expertise at the board level or the absence of a dedicated CISO. The SEC’s rules underscore the need for a clear governance structure around cybersecurity. Cyber roles and responsibilities should be clearly defined, with accountability at all levels.
Looking ahead, companies should seek to strike a balance between avoiding highly generic or boilerplate language and explicitly describing precise vulnerabilities or details of their cybersecurity strategies that could enable threat actors to breach defenses and extort businesses. Although challenging, it is crucial for companies to provide the SEC with sufficient information about their cybersecurity preparations to minimize noncompliance consequences such as lawsuits or investigations that could cause financial or reputational harm. In response to these regulatory expectations, companies should continue to invest in their cybersecurity defenses and build expertise across their internal teams. This not only supports compliance with the SEC’s rules but also demonstrates a proactive stance in protecting stakeholder interests. Board directors should ensure that their companies are investing appropriately in cybersecurity infrastructure and personnel, and that these investments are reflected in their disclosures, balancing transparency with discretion. A proactive approach will not only help the company comply with the new regulations but also safeguard it against increasing cyber threats.