What does the SEC cybersecurity disclosure rule require companies to report?
Cyber attacks that disrupt a company’s business must now be reported under a rule that went into effect last week. The stated goal of the rule is to inform potential investors about a company’s cybersecurity posture and what it is spending to prevent attacks.
An unmentioned benefit of the Securities and Exchange Commission (SEC) cybersecurity disclosure rule: Other companies may learn valuable info regarding what their competitors are doing right or wrong to prevent hacks and ransomware attacks on company and customer data. The SEC will be sure to share statistics as well as companies’ success stories (with the companies’ names and locations redacted) starting sometime next year.
The SEC rule, which went into effect on September 5, requires registered, publicly traded companies to report “material cybersecurity incidents they experience and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy and governance.” The rule also applies to foreign private issuers.
A material incident doesn’t necessarily mean a significant financial loss or theft of customers’ data. For example, a breach that requires IT/IS staffers to respond immediately and spend hours or days on remediation would qualify as an event the SEC expects to be reported. The best advice for companies is to disclose any cyber attack that requires a significant amount of extra work (or outside help) to fix.
In addition to incidents, a new regulation – S-K Item 106 – requires reporting of processes for “assessing, identifying and managing material risks from cybersecurity threats, as well as the material effects or reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents.” The SEC also wants to know what a company’s board of directors is doing to address cybersecurity. Disclosures must be made on Form 10-K for a registrant’s annual report.
Companies are spending but attackers keep changing tactics
By now we’ve all heard the same warning from the feds and security firms: Ransomware attacks are on the rise. Companies are at greater risk than ever before, particularly as foreign hackers take aim at vulnerable systems.
Take the widespread foreign attack on MGM Resorts in Las Vegas, for example. Malicious hackers took aim at MGM’s wide-ranging network. Customers’ hotel key cards wouldn’t work. Neither would slot machines and other electronic games.
So far MGM hasn’t received a ransom demand from the hackers. The company was forced to shut down all of its hotels and casinos. This is the second major cyber attack on MGM – a similar incident in 2019 led to financial losses and interruption of normal business.