Navigating the SEC Cyber Incident Disclosure Rule, How It Impacts Healthcare

The Securities and Exchange Commission’s (SEC) cyber incident disclosure rule requires publicly traded companies to disclose material cyber incidents within four business days.

Under the Securities and Exchange Commission’s (SEC) final rule on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, publicly traded companies are now required to disclose cyber incidents without delay.

Finalized in July 2023 with a 3-2 vote and effective September 5, 2023, the rule provides a uniform standard for breach disclosures for publicly traded companies, replacing the previously varied patchwork of disclosure requirements. While the rule will not apply to privately held healthcare organizations, it will impact public entities in the healthcare space, as well as many vendors that the healthcare sector relies upon.

“How many of us from the hospital perspective have vendors or suppliers that are publicly traded?” Lee Kim, attorney and senior principal of cybersecurity and privacy at HIMSS, said in an interview with HealthITSecurity.  

“I'm certain that we'd want to know if one of our suppliers or vendors was breached. In that case, I would say even if this rule doesn't apply to you, it's a very interesting development.”

Specifically, the rule requires publicly traded companies (those subject to reporting requirements under the Securities Exchange Act of 1934) to disclose material cybersecurity incidents via Form 8-K in EDGAR, the publicly accessible SEC filing platform, within four business days of determining that the incident is material.

In other words, upon discovering a cybersecurity incident, companies must determine the significance to shareholders and be able to describe the nature, scope, timing, and likely impact of the incident, all within four business days.

The only exception to this rule would be if the US Attorney General deems the incident to be a risk to national security, a rare instance that would extend the timeline.

The rigid timeline was criticized by some stakeholders during the proposed rule’s comment period, with some commenters suggesting that the deadline would lead to the disclosure of unclear or inaccurate information. Others feared that the quick turnaround would lead to “false positives,” or incidents that appeared to be material at first glance but later were determined not to be significant.

The SEC’s final rule doubled down on its stance, indicating that these disclosure mechanisms will improve transparency:

“Overall, we remain persuaded that, as detailed in the Proposing Release: under-disclosure regarding cybersecurity persists despite the Commission’s prior guidance; investors need more timely and consistent cybersecurity disclosure to make informed investment decisions; and recent legislative and regulatory developments elsewhere in the Federal Government, including those developments subsequent to the issuance of the Proposing Release such as CIRCIA and the Quantum Computing Cybersecurity Preparedness Act, while serving related purposes, will not effectuate the level of public cybersecurity disclosure needed by investors in public companies,” the final rule states.

The SEC has deemed that it is in the best interest of all parties to require a consistent disclosure process for all publicly traded companies. As such, entities will have to get accustomed to the rigid timeline.

“The bottom line is having four business days for a lot of businesses is a pretty tight timeline because they aren't really used to that,” Kim noted. “Under the HIPAA Breach Notification Rule, it's not nearly as stringent. So that's going to be a change in terms of having your ducks in a row.”

Kim suggested that as soon as the security team deems the incident to be material, they should activate governance mechanisms and get key stakeholders involved in the disclosure, recovery, and response processes.

“One major element of the SEC disclosure rule is regarding management as well as oversight,” Kim added, emphasizing the importance of interdepartmental communication. “We’re in a stage where these different departments absolutely need to be talking to each other.”

Communication is especially crucial due to the rule’s additional requirement of periodic disclosures about a company’s processes for assessing, identifying, and managing material cyber risks. Registrants must describe in detail the board’s oversight of cyber risk and management’s role in assessing cyber threats.

These periodic disclosures will be publicly available in EDGAR, which could aid healthcare organizations in assessing vendor risk, Kim suggested.

“If you are working with vendors or if you catch news about a certain vendor possibly being breached, or if you're even trying to vet a supplier or vendor, maybe go to the SEC website and see what their filings have been as to their annual report that mentions their cyber strategy,” Kim recommended.

Entities subject to the rule will need to include the new disclosures in annual reports for fiscal years ending on or after December 15, 2023. For public healthcare organizations, that means that they will have to comply with SEC disclosure rules as well as any other regulations that may apply, such as the HIPAA Breach Notification Rule or the Federal Trade Commission’s (FTC) Health Breach Notification Rule.

For private healthcare entities, this development may provide additional information about vendor security practices.

When it comes to penalties and enforcement actions under this rule, Kim said she “would be very surprised if there were none.”

As the compliance deadline approaches, companies are already working to meet the SEC’s requirements in a timely and effective manner.

“It is going to be a wake-up call for organizations to take cyber way more seriously,” Kim added, hinting at a long road ahead for both SEC registrants and regulators.