FINRA Cybersecurity Advisory - SEC Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies (Exchange Act Release No. 97989)

Impact: SEC Reporting Companies

The Cyber and Analytics Unit (CAU) within FINRA’s Member Supervision program is highlighting the new SEC rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure that were adopted on July 26, 2023.1 The SEC adopted final rules requiring disclosure of material cybersecurity incidents on Form 8-K and periodic disclosure of a registrant’s cybersecurity risk management, strategy and governance in annual reports.

While the new rules apply to SEC reporting companies (i.e., “public companies”) and, therefore, only impact member firms that are public companies, FINRA recommends that all member firms review the rules as a guide to help ensure their cybersecurity risks are appropriately identified, assessed and managed, regardless of whether a member firm is subject to the new rules’ requirements. These rules are distinct from the SEC’s proposed Cybersecurity Risk Management Rule for Broker-Dealers, Clearing Agencies, Major Security-Based Swap Participants, the Municipal Securities Rulemaking Board, National Securities Associations, National Securities Exchanges, Security-Based Swap Data Repositories, Security-Based Swap Dealers, and Transfer Agents,2 which is still pending adoption.

The SEC rules include, but are not limited to, requirements for public reporting companies to:

  • Disclose all material3 cybersecurity incidents on Form 8-K within four business days. The four-day timeframe for reporting starts once materiality of the cybersecurity incident is determined.
  • Describe their process, if any, used to identify, assess and manage material risks from cybersecurity threats, and describe whether any risks from cybersecurity threats have materially affected or are reasonably likely to materially affect their business strategy, results of operations, or financial condition, including:
    • Whether and how cybersecurity processes have been integrated into overall risk management system or processes;
    • Whether the company engages assessors, consultants, auditors, or other third parties in connection with any such processes; and
    • Whether the company has processes to oversee and identify material risks from cybersecurity threats associated with its use of any third-party service provider.
  • Describe the board’s oversight of cybersecurity risks, as well as management’s role in assessing and managing material risks from cybersecurity threats.

The final rules became effective on September 5, 2023, with varying compliance dates depending on the specific disclosure and size of reporting company.4

FINRA member firms are encouraged to review the SEC disclosure rules for public companies. General guidance for members on cybersecurity issues can be found in the Cybersecurity and Technological Governance section of the 2023 Report on FINRA’s Examination and Risk Monitoring Program.

Questions related to this Advisory or other cybersecurity topics can be emailed to the CAU.

1 Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Exchange Act Release No. 97989 (July 26, 2023), 88 FR 51896 (Aug. 4, 2023) (“Cybersecurity Disclosure Release”).

2 Cybersecurity Risk Management Rule for Broker-Dealers, Clearing Agencies, Major Security-Based Swap Participants, the Municipal Securities Rulemaking Board, National Securities Associations, National Securities Exchanges, Security-Based Swap Data Repositories, Security-Based Swap Dealers, and Transfer Agents, Exchange Act Release No. 97142 (Mar. 15, 2023), 88 FR 20212 (Apr. 5, 2023).

3 The SEC notes that “information is material if ‘there is a substantial likelihood that a reasonable shareholder would consider it important’ in making an investment decision, or if it would have ‘significantly altered the “total mix” of information made available.’ ‘Doubts as to the critical nature’ of the relevant information should be ‘resolved in favor of those the statute is designed to protect,’ namely investors.” Cybersecurity Disclosure Release, 88 FR at 51900 (internal citations omitted).

4 For a full description of the compliance dates, see Cybersecurity Disclosure Release, 88 FR at 51924-25.