Help Me Understand SEC's Incident Disclosure Rule Changes

Help Me Understand SEC's Incident Disclosure Rule Changes

Edward Kost
Edward Kost
updated May 12, 2022

On March 9, 2022, the Securities and Exchange Commission (SEC) announced proposed rules and amendments to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting. These proposed amendments impact all public companies subject to the reporting requirements of the Security Exchange Act of 1934.

To summarize this proposal and learn how to successfully prepare for them, read on.

What’s the Primary Objective of this Proposal? 

This proposal aims to fill the gap between investors and the security risk management efforts of public issuers. Cybercrime is growing in prevalence, and supply chain attacks introduce additional complexities to the already intricate field of data breach prevention. 

To address investor concerns about public issuer safety, SEC proposes to mandate a wide range of cybersecurity disclosures between public suppliers and investors. This amended notification standard will give investors greater awareness of the risk mitigation efforts of public suppliers and the effectiveness of these strategies.

With cyber threats encroaching from all directions, investors have a growing interest in the risk mitigation efforts of public suppliers and the effectiveness of these efforts. 

“I am pleased to support this proposal because, if adopted, it would strengthen investors’ ability to evaluate public companies' cybersecurity practices and incident reporting."

- Gary Gensler, SEC chair

Submitting Public Comments

The Security and Exchange Commission published these proposed amendments on March 9, 2022. The proposal is open for public comment for 60 days following this date or for 30 days following publication in the Federal Register, whichever is longer.

Public comments are an opportunity to share any concerns or suggestions about SEC’s proposed amendments. Comments can be submitted through this link.

A Summary of the Proposed Amendments

The proposed amendments aim to achieve consistent incident disclosure practices between registrants and investors in two areas:

  • Security incident reporting 
  • Risk management, strategy, and governance reporting.

With improvised incident reporting and deeper visibility into each registrant’s risk management practices, investors can make informed decisions about the viability of new and prospective public supplier relationships. 

Incident Disclosure Proposed Amendments

The SEC proposes to widen the scope of events triggering incident disclosure to investors. These proposed amendments will impact Form 8-K, Form 6-K, Form 20-F, and Regulation S-K.

Amendments to Form 8-K

Companies advising shareholders of a major incident must file form 8-K (the “Current Report”) to the SEC.

Currently, four categories of events trigger a public company’s obligation to file Form 8-K under Section 1 - Registrant’s Business and Operations.

Current item list under registrant's business and operations category

 SEC proposes to add a 5th trigger to the Registrant’s Business and Operations category, item 1.05 - Material Cybersecurity Incidents.

Proposed item 1.05 under registrant's business and operations category
A cybersecurity incident is regarded as material if it has the potential of impacting a shareholder's investment decisions.

Material cybersecurity incidents could include the following:

  • Unintentional data exposures, also known as Data Leaks
  • Intentional sensitive data exposures caused by cybercriminals
  • Events compromising the integrity and availability of asset systems
  • Events disrupting business continuity
  • Sensitive data theft
  • Credential compromise potentially leading to loss or liability
  • Ransomware attacks, where cyber criminals demand a ransom payment in exchange for restored system access
  • Cybercriminals threatening to either sell or publicly disclose sensitive data.

Item 1.05 will require registrants to disclose the following details about a material cybersecurity incident within four days of its occurrence:

  • When the incident was discovered
  • Whether the incident was stopped or if it’s ongoing
  • A description of the incident
  • Known impacts on business operations
  • Details of any stolen or altered data
  • Details of any unauthorized data disclosures
  • Details of any remediation efforts.

It isn’t always possible to have the complete details of a cyber event in less than four days. Under the proposed addition of item 1.05, registrants will be required to delineate a material incident to the best of their knowledge when submitting Form 8-K.

Form 8-K can be accessed here.

A materiality classification is subjective as it depends on the perceived risk thresholds of each shareholder. Under the proposed addition of item 1.05, registrants will need to quickly determine when investors would classify an incident as material by considering the unique context of each cyber event.

Public suppliers should define risk thresholds shortly after establishing a new investor relationship to accelerate this process and ensure Form 8-K is submitted within the narrow four-day window.

Learn how to define risk thresholds.

How UpGuard Can Help

UpGuard helps public suppliers comply with SEC’s proposed incident disclosure amendments through a five-pillar framework.

upguard's 5 pillar framework for sec's proposed amendments

1. Fully Managed Data Leak Detection

UpGuard’s proprietary AI-powered data leak detection engine scans the dark web and surface web for exposures that could facilitate system compromise. To eliminate false positives, results are reviewed by expert analysts before being fed through remediation workflows.

The rapidity of data leak detection and remediation that’s possible with CyberResearch means security staff can address exposures before they're detected by cybercriminals, decreasing the potential for data breach events. 

Investors will find such an exemplary degree of cyber resilience very impressive as it will reduce the frequency of unfortunate incident disclosures.

Learn more about UpGuard’s data leak detection capabilities.

2. Third-Party Risk Management

UpGuard’s team of TPRM experts help public suppliers augment their vendor risk management efforts and rapidly scale security and regulatory compliance across the third-party network.

Learn more about UpGuard’s TPRM managed services.

3. Attack Surface Monitoring

UpGuard’s attack surface monitoring range is broad, starting from the internal network and extending to the third and even fourth-party network. Security vulnerabilities are detected based on the attributes of over 70 advanced attack vectors. By helping SEC registrants rapidly detect and remediate security vulnerabilities, UpGuard could prevent malware injections leading to ransomware attacks and supply chain attacks.

Learn more about UpGuard’s attack surface monitoring capabilities.

4. Vendor Tiering

UpGuard’s Vendor Tiering feature further reduces the potential of third-party breaches while also supporting an efficient distribution of remediation efforts.

With Vendor Tiering, public suppliers can rank their vendors by level of potential security posture impact. This organization method ensures that the most critical vendors receive the security attention required to prevent material cybersecurity incidents.

The video below summarizes Vendor Tiering and associated features supporting enhanced Vendor Risk management.

Learn more about Vendor Tiering.

5. Executive Reporting

The first three pillars of this framework minimize the need for incident disclosure by addressing all vulnerabilities facilitating system compromise. But when an incident disclosure is required, executive reports can be generated with a single button click. 

The following details are available to include in executive reports:

  • A list of all subsidiaries for a high-level overview of your entire organizational structure
  • Overall risk breakdown
  • Security rating distribution
  • Risk category breakdowns
  • Geolocation risk reports.

To support a case of exemplary security due diligence, compliance reports can also be instantly generated and exported in either excel or PDF format.

Amendments to Form 6-K

Foreign Private Issuers (FPIs) - any foreign issuer that isn’t a foreign government - are not required to file current reports via Form 8K. Disclosures are instead submitted via Form 6-K.

The SEC proposes to amend General Instruction B of Form 6-K to include cybersecurity incidents as a reporting topic. Reporting triggers will mirror the details outlined in proposed item 1.05 of Form 8-K.

Form 6-K can be accessed here.

Amendments to Form 20-F and Regulation S-K

Under the proposed amendments to Form 20-F and Regulation S-K, registrants will be required to: 

  • Update disclosures relating to previously disclosed cybersecurity incidents
  • Disclose when a series of previously undisclosed immaterial cybersecurity events become material, to the extent known by management.

These amendments will be reflected in items:

  • 106(d) of Regulation S-K
  • 16J(d) of Form 20-F.

Form 20-F can be accessed here.

Regulation S-K can be accessed here

Risk Management, Strategy and Governance Disclosure Proposed Amendments 

To support intelligent investment decisions, awareness of a public supplier’s security efforts must be continuous and not limited to disclosures following a cyber event.

The SEC aims to achieve this by standardizing enhanced disclosure of a registrant’s cybersecurity risk management, strategy, and governance. The proposal requires registrants to:

  • Disclose whether cybersecurity initiatives are included in business strategies, financial plans, and capital allocations
  • Describe its policies and procedures for managing risks associated with different cybersecurity threats
  • Disclose the board’s oversight of cybersecurity risks and management’s role and expertise in assessing and managing cybersecurity risk
  • Disclose the board’s oversight of cybersecurity risks and management’s role and expertise in implementing cybersecurity policies, procedures, and strategies.

The SEC also proposes disclosure regarding each board member's cybersecurity expertise. This amendment will be reflected in item 407 of Regulation S-K and Form 20-F.

If any board members have cybersecurity expertise, proposed item 407(j) of Regulation S-K and Form 20-F will require their names and expertise details to be disclosed in annual reports and certain proxy filings.

How UpGuard Can Help

UpGuard’s shared profile feature allows SEC registrants to share their security posture efforts and related security documentation with current and prospective investors.

Shared profile dashboard by UpGuard

By referencing completed security assessments in a registrant’s Shared Profile, investors can instantly evaluate risk management efforts and bypass the time-consuming process of requesting specific security posture details. This immediate feedback will help SEC registrants comply with the proposed amendments to risk management, strategy, and governance disclosures.

Public supplier customers of UpGuard have the option of including the following details in their Shared Profile:

  • Security Ratings - Security ratings quantify security postures based on 70+ attack vectors. Investors will also be able to compare a registrant’s security rating against industry standards. Learn more about security ratings here.  
  • Security Contact - Contact information for key team members responsible for risk management, strategy, and governance.
  • Company Description - A summary of an SEC registrant’s scope of services.
  • Security Questionnaires - Completed questionnaires commonly requested by current and prospective investors.
  • Supporting Documentation - Any security documentation that could influence investment decisions. These could include compliance certifications such as PCI DSS, SOC 2, ISO 27001, FedRAMP, etc.

See the video below for a summary of UpGuard’s Shared Profile feature:

UpGuard Can Help You Prepare for SEC’s Proposed Amendments

UpGuard’s suite of attack surface management features mitigates material incidents requiring disclosure while giving investors deep visibility into the cybersecurity performance of public suppliers.

Click here to try UpGuard for 7 days.


UpGuard logo in white
UpGuard free resources available for download
Learn more

Download our free ebooks and whitepapers

Insights on cybersecurity and vendor risk management.
UpGuard logo in white
eBooks, Reports & Whitepapers
UpGuard free resources available for download
UpGuard customer support teamUpGuard customer support teamUpGuard customer support team

See UpGuard In Action

Book a free, personalized onboarding call with one of our cybersecurity experts.
Abstract shapeAbstract shape

Related posts

Learn more about the latest issues in cybersecurity.
Deliver icon

Sign up to our newsletter

Get the latest curated cybersecurity news, breaches, events and updates in your inbox every week.
Abstract shapeAbstract shape
Free instant security score

How secure is your organization?

Request a free cybersecurity report to discover key risks on your website, email, network, and brand.
  • Check icon
    Instant insights you can act on immediately
  • Check icon
    Hundreds of risk factors including email security, SSL, DNS health, open ports and common vulnerabilities
Website Security scan resultsWebsite Security scan ratingAbstract shape