SEC Cyber Rules

In July 2023, the Securities and Exchange Commission (SEC) adopted new cybersecurity rules that require public companies to disclose material cybersecurity incidents and annually disclose material information regarding their cybersecurity risk management, strategy and governance practices.  The SEC’s goal when adopting the new rules was to increase transparency with respect to cybersecurity risk and provide investors with relevant information on which they could make reasonably informed decisions.

How does this new rule impact Proofpoint customers?

The rules require public companies take proactive measures to address cybersecurity incidents and implement cybersecurity risk management processes as part of their long-term strategies.  As your partner in security, we encourage you to review your policies, procedures, and governance documents as well as your overall security strategies to ensure your organization, employees, and investors are protected. Proofpoint’s broad portfolio of security and risk management products and services help its customers establish risk management and intelligent compliance strategies for email protection, data loss prevention, identity threat defense, data archiving, and e-discovery.

What is a “cybersecurity incident”?

Defined by §229.106(a) [Item 106(a) of Regulation S-K], “cybersecurity incident” is “any potential unauthorized occurrence on or conducted through a registrant's information systems that may result in adverse effects on the confidentiality, integrity, or availability of a registrant's information systems or any information residing therein.”

What must be disclosed?

Disclosure of cybersecurity incidents (Periodic disclosure - Form 8-K, Item 1.05, see: https://www.sec.gov/files/form8-k.pdf)

• Registrants must report “material” aspects of the nature, scope and timing of the cybersecurity incident.
• The disclosure should describe material impact or the reasonably likely material impact of the cybersecurity incident on the registrant.
• Reporting must generally occur within 4 business days once registrant determines incident is material. An exception to the 4-day disclosure may be granted if the incident is determined by the US Department of Justice to be in the interest of national security or public safety.
• Determination of materiality must be made without “unreasonable delay” after the discovery of the incident.
• Registrants are not required to disclose specific or technical information about their planned response to an incident or their cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail as would impede the registrant’s response or remediation of the incident.

Disclosure of cybersecurity risk management, and strategy (Annual disclosure – 10-K, Regulation S-K Item 106(b), see: https://www.ecfr.gov/current/title-17/chapter-II/part-229/subpart-229.100/section-229.106)

• Registrant must disclose their processes for assessing, identifying, and managing material risks from cybersecurity threats including:
  • How the processes have been integrated into the registrant’s risk management system or processes;
  • Whether registrant engages assessors, consultants, auditors, or other third parties in connection with the processes; and
  • Does the registrant have processes to oversee and identify such risks from cybersecurity threats associated with its use of any third-party service provider.
• Describe whether any risks from cybersecurity threats, including those resulting from previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant, including business strategy, results of operations, or financial condition, and if so, how.

Disclosure of cybersecurity governance (Annual disclosure – 10-K, Regulation S-K Item 106(c) https://www.ecfr.gov/current/title-17/chapter-II/part-229/subpart-229.100/section-229.106)

• Describe the board of directors’ oversight of risks from cyber threats. 
• Identify any board committee or subcommittee responsible for the oversight of risks from cybersecurity threats and the processes by which the board or such committee is informed of such risks.
• Describe management’s role in assessing and managing the registrant’s material risks from cybersecurity threats. The registrant should address, as applicable:
  • Whether and which management positions or committees are responsible for assessing and managing such risks, and the relevant expertise of such persons or members in such detail as necessary to fully describe the nature of the expertise;
  • The processes by which such persons or committees are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents; and
  • Whether such persons or committees report information about such risks to the board of directors or a committee or subcommittee of the board of directors. 

What is considered “material” when determining if disclosure is required?

The registrant determines materiality by evaluating whether a reasonable shareholder would consider the information important in deciding how to vote or make investment decisions.

When are companies expected to comply with the new rules?

All registrants (other than smaller reporting companies) were to comply with Form 8-K Item 1.05 and Form 6-K in December 2023. Smaller reporting companies have until June 2024. Other reporting requirements may apply. Please reach out to your attorney with respect to your compliance with the rules. 

Please visit Proofpoint.com for additional information on how Proofpoint’s products and services can help protect your company from cyber threats.