US SEC Cyber Reporting: Global Impact on Non-US Companies.
Public companies in the USA need to report “material” cybersecurity breaches or incidents within four days under rules that took effect on 18 December 2023. Those working for Asian and other non-US public companies may be unaware of the potential effects this could have on them as well.
New Reporting Rules Now in Effect
The new rules require that US public companies report to the SEC using an 8-K filing within 96 hours of determining that a cybersecurity breach or incident has a material impact on their business. A cybersecurity incident is defined as “an unauthorised occurrence, or a series of related unauthorised occurrences, on or conducted through a registrant’s information systems that jeopardises the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.”
Once the breach is considered material, the company must “… describe the material aspects of [the incident’s]:
- Nature, scope and timing, and
- The material impact or reasonably likely material impact … including its financial conditions and results of operations.”
Organisations can request a delay of the 96-hour reporting deadline where alerting shareholders would pose a substantial risk to national security or public safety. Note though that this delay (initially 30 days) is only possible if the “… Attorney General determines that the disclosure poses a substantial risk to national security or public safety and notifies the Commission of such determination in writing.”
Failure to report within the time frame can result in “… financial penalties, legal liabilities, reputational damage, loss of investor confidence and regulatory scrutiny …”, Safi Raza, senior director of cybersecurity at Fusion Risk Management, told TechCrunch. The SEC has already imposed multi-million dollar penalties for cybersecurity failings under existing rules, so companies should expect the SEC to be similarly serious about this reporting.
This SEC reporting policy applies to all registrant companies, irrespective of size; however, smaller companies (public float less than $250 million or less than $100 million in annual revenue) have a 180-day extension beyond December 2023 to come into compliance.
Materiality
The SEC uses a common definition of materiality for reporting incidents and for reporting on the management of cybersecurity risk and governance. The key consideration is the view of the investor: an incident is material if a reasonable shareholder would consider it important in making an investment decision, or if it would have significantly altered the total mix of information made available.
Materiality must be determined by the company based on its business and operations. Materiality may be a function of (not an exhaustive list):
- The volume and kind of data (especially if personally identifiable information, PII, is involved).
- The number of customers affected.
- The cost of the disruption to the business, especially in relation to the size of the business.
- Whether ransom payments are involved, and their amount.
The company must be able to show that it has a governance framework and process for assessing the risk and determining materiality, and that the way it has made a determination for a given breach is reasonable for the nature and specifics of the company. The SEC was specific that “… materiality turns on how a reasonable investor would consider the incident’s impact on the registrant [company].”
Ruling Affects Third-Party Providers to These Public Companies
Because the ruling holds these US public companies responsible for the impact of their third-party providers on their operations, even private companies and non-US companies will be affected. US public companies with operations in Asia are likely to use third-party providers in Asia that could impact their operations, thus exposing Asian companies to these requirements.
The breadth of the SEC reporting requirements, and their inclusion of both third parties and foreign private issuers (FPIs), means more non-US public companies will be affected. Non-US public companies operating outside the US but providing third-party services to US public companies will need to understand their own processes, management and board oversight of cybersecurity risk in sufficient detail to contribute to the risk assessment and management of the US public company. Even small companies in Asia that wish to provide services to these US public companies could find themselves more involved in third-party security risk assessments, and in greater detail than in the past. The requirement will go beyond the assessment itself and into the operations and incident reporting of those small companies and their interfaces into the US public companies.
Third-Party Cybersecurity Risk
The SEC document discusses the selection and oversight of third-party entities and the comments received during the consultation period. The resulting rule requires registrants to state whether they have processes for overseeing and identifying material risks from cybersecurity threats associated with their use of third-party service providers. This naturally imposes a requirement on the third parties: they must be in a position to explain their cybersecurity operations and management in sufficient detail for the US public company to consider them in its risk assessment, and they must be able to explain how they communicate incidents and the effect of those incidents on the public company.
Interestingly, in explaining its own process for determining the risk from cybersecurity threats, the US public company must state whether it engages assessors, consultants, auditors or other third parties in that process. The SEC believes that investors need to know the level of in-house versus outsourced cybersecurity capacity; the company need not disclose the specific services or third parties.
What’s Needed
Non-public and non-US companies serving US public organisations will increasingly need not only effective cybersecurity but also an understanding of how a cybersecurity incident affects their own operations and, in turn, the operations of their clients. Their clients will need to understand how the service is being used and the impact of an incident on that service, so that the client can determine the impact on its own operations.
More companies will need to deal with aspects of cybersecurity that have traditionally received less attention: the processes involved, the determination of risk, and the planning for incident impact and resolution. This means that even non-US public companies need to have technical protections in place along with the processes to determine when an incident or breach has occurred, what its impact is, and what to do about it, both internally and through communication with clients and other third parties.
Principal Sources:
- Securities and Exchange Commission; “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure”; Release No. 33-11216.
- “As the SEC’s new data breach disclosure rule takes effect, here’s what you need to know”; TechCrunch, Carly Page, December 18, 2023; https://techcrunch.com/2023/12/18/new-sec-data-breach-disclosure-rules/