SEC Mandates Tightened Cybersecurity Disclosures: Navigating Rules, Risks, and Supply Chain Imperatives in the Wake of SolarWinds Case
November 15, 2023
The U.S. Securities and Exchange Commission (SEC) has implemented rules compelling public companies to enhance disclosure of material cybersecurity incidents, risk management strategies, and governance, according to an article by BlankRome. The recent SEC charges against SolarWinds and its Chief Information Security Officer (CISO) for alleged fraud and internal control failures highlight the criticality of cybersecurity as a broader business issue. The complaint alleges SolarWinds misled investors about its cybersecurity practices and failed to disclose known risks, violating securities acts.
Companies face imminent disclosure deadlines. Material cybersecurity incidents require disclosure in Form 8-K within four business days, effective December 18, 2023, except for smaller reporting companies, which comply by June 15, 2024. Cybersecurity risk management details must be included in Annual Reports on Form 10-K or Form 20-F for fiscal years ending on or after December 15, 2023.
To comply, companies must establish disclosure controls for timely reporting and ensure effective internal controls over financial reporting. The SEC accused SolarWinds’ CISO of violating disclosure controls and failing to address cybersecurity risks, hindering the company’s ability to protect its assets adequately.
Companies are urged to refine cybersecurity risk management processes, detailing assessments, identification, and mitigation of threats. Annual reports should disclose how cybersecurity risks affect business strategy, financial condition, and operations. Governance structures must be detailed, explaining board oversight and management’s role in handling cybersecurity risks.
Developing templates for cybersecurity disclosures is advised, striking a balance between transparency and not revealing exploitable weaknesses. The SEC criticized SolarWinds for disclosing generic risks while knowing specific vulnerabilities.
Supply chain cybersecurity is emphasized, requiring disclosure mandates to flow down to suppliers, ensuring communication, transparency, and collaboration on cybersecurity risks. Contracts may demand representations of suppliers’ cyber maturity and provide for contract termination in case of noncompliance-induced cyber incidents.
Companies must take immediate action to comply with SEC rules by establishing robust cybersecurity practices, enhancing disclosures, and fortifying supply chain resilience. The SolarWinds case serves as a stark reminder that cybersecurity is a business imperative demanding proactive attention from company leaders.