Based on the NIST Risk Management Framework and Incident Handling Guide. See the blog post for additional background and information.
You can also access a Google Spreadsheet version online.
This checklist outlines key steps for handling material cybersecurity incidents that may require disclosure under Item 1.05 of Form 8-K, aligned with the NIST Risk Management Framework (RMF) and NIST Computer Security Incident Handling Guide.
Prepare: Essential activities to prepare the organization to manage security and privacy risks
Step | Action | SEC Final Rule Consideration |
---|---|---|
1.0 | Evaluate whether an unauthorized or accidental cybersecurity incident has occurred in an information system owned or utilized by the SEC registrant. | The final amendments define a cybersecurity incident as an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein. |
1.1 | Identify and assess the material nature of cybersecurity incident(s). | The definition of materiality relates to whether there is a substantial likelihood that a reasonable shareholder would consider the information important in making an investment decision, or whether it would have significantly altered the ‘total mix’ of information made available. |
1.2 | Assess the qualitative and quantitative impacts across all stakeholders. | A number of factors regarding the nature and scope of the incident could bear on materiality in a given case, including: Any material effect of the incident on the registrant’s operations and financial condition; Any potential material future impacts on the registrant’s operations and financial condition; Whether the registrant has remediated or is currently remediating the incident; and Any changes in the registrant’s policies and procedures as a result of the cybersecurity incident, and how the incident may have informed such changes. |
Categorize: Categorize the system and information processed, stored, and transmitted based on an impact analysis
Select: Select the set of NIST SP 800-53 controls to protect the system based on risk assessment(s)
Step | Action | SEC Final Rule Consideration |
---|---|---|
2.0 | Determine the necessary ‘total mix’ of information for a reasonable investor to assess the extent of the cybersecurity incident by the affected SEC registrant. | The definition of materiality relates to whether there is a substantial likelihood that a reasonable shareholder would consider the information important in making an investment decision, or whether it would have significantly altered the ‘total mix’ of information made available. |
2.1 | Incident Classification: Categorize the incident based on type, impact, and affected systems/data. | Determine whether any data were stolen, altered, accessed, or used for any other unauthorized purpose; The effect of the incident on the registrant’s operations; And whether the registrant has remediated or is currently remediating the incident. |
2.2 | Preliminary Risk Assessment: Evaluate the potential severity and stakeholder impact based on the classified incident. | When the incident was discovered and whether it is ongoing; A brief description of the nature and scope of the incident; |
2.3 | Impacted Business Processes and Services: Identify internal and external business functions affected by the incident. | Final rules require disclosure of whether a registrant engages assessors, consultants, auditors, or other third parties in connection with their cybersecurity. Independent third-party advisors may be “vital to enhancing cyber resiliency” by validating that the risk management program is meeting its objectives. |
2.4 | Data Impact Assessment: Analyze the type, volume, and nature of data compromised or impaired. | Determine whether any data were stolen, altered, accessed, or used for any other unauthorized purpose; |
2.5 | Control Effectiveness Evaluation: Assess the effectiveness of existing controls (NIST SP 800-53) relevant to the cybersecurity program (NIST SP 1271) in preventing or mitigating the incident. | Adhering to normal internal practices and disclosure controls and procedures will suffice to demonstrate good faith compliance. |
2.6 | Business Continuity and Recovery Plans: Evaluate the effectiveness of existing plans in responding to and recovering from the incident. | The effect of the incident on the registrant’s operation; and whether the registrant has remediated or is currently remediating the incident. |
2.7 | Communication Needs Assessment: Determine necessary internal and external communications to address brand and operational risks. | When a registrant experiences a data breach, it should consider both the immediate fallout and any longer-term effects on its operations, finances, brand perception, customer relationships, and so on, as part of its materiality analysis. |
2.8 | Emerging Technology Impact: Analyze how emerging technologies and digital transformation efforts influence the evolving risk profile of the incident. | Any material effect of the incident on the registrant’s operations and financial condition; Any potential material future impacts on the registrant’s operations and financial condition; |
2.9 | Supply Chain and Partner Impact: Assess the impact on third-party vendors and business partners. | Whether the registrant has processes to oversee and identify such risks from cybersecurity threats associated with its use of any third-party service provider. |
2.10 | External Regulation Analysis: Identify potential legal and financial repercussions arising from the incident, including fines, penalties, litigation, and service level agreement (SLA) breaches. | Whether the registrant has remediated or is currently remediating the incident; and Any changes in the registrant’s policies and procedures as a result of the cybersecurity incident, and how the incident may have informed such changes. |
Implement: Implement the controls and document how controls are deployed
Assess: Assess to determine if the controls are in place, operating as intended, and producing the desired results
Step | Action | SEC Final Rule Consideration |
---|---|---|
3.0 | Identify and estimate quantitative impacts (e.g., income statement, balance sheet, and statement of cash flows). | Regulation S-K “Item 303” Management’s discussion and analysis of financial condition and results of operations. |
3.1 | Analyze any potential loss of revenue due to business disruption and customer churn. | |
3.2 | Estimate the increased costs associated with incident response (forensics, investigation, remediation). | |
3.3 | Project any impact on profitability considering changes in revenue and expenses. | |
3.4 | Evaluate for potential losses in assets (cash, intangibles) and potential increases in liabilities (legal, contingent). | |
3.5 | Assess the impact on cash flow due to disrupted operations and increased expenses. | |
3.6 | Review any potential fines from regulatory bodies. | |
3.7 | Estimate any legal fees and recovery costs (data restoration, security improvements). | |
4.0 | Identify and describe qualitative impacts. | The rule’s inclusion of “financial condition and results of operations” is not exclusive; companies should consider qualitative factors alongside quantitative factors in assessing the material impact of an incident. |
4.1 | Evaluate the damage to brand reputation, market competitiveness, and customer/vendor relationships. | |
4.2 | Assess the likelihood of regulatory investigations, legal actions, and potential data privacy concerns. | |
4.3 | Analyze the broader social and environmental impacts (if applicable). | |
4.4 | Determine the impacts to national security and public safety. | |
5.0 | Associate corresponding stakeholder impacts | The parties that are likely to be affected by the final rules include investors, registrants, other market participants that use the information provided in company filings (such as financial analysts, investment advisers, and portfolio managers), and external stakeholders such as consumers and other companies in the same industry as affected companies. |
5.1 | Shareholders and Investors: The incident may negatively impact the organization’s share price due to reputational damage and potential lawsuits. | |
5.2 | Business Partners: Operational disruption caused by the incident may lead to potential breaches of contractual agreements with business partners. | |
5.3 | Customers: Data exposure can negatively impact customers, potentially resulting in consequences such as identity theft or financial loss. | |
5.4 | Employees: Depending on the severity of the operational impact, the incident could lead to job losses or necessitate additional training for affected employees. | |
5.5 | Community and Government (if broader impact): In situations with a wider societal impact, the organization may need to engage with the community and relevant government bodies to address potential consequences. | |
Authorize: Senior official makes a risk-based decision to authorize the system (to operate)
Monitor: Continuously monitor control implementation and risks to the system
Step | Action | SEC Final Rule Consideration |
---|---|---|
6.0 | Determine whether there is a substantial likelihood that a reasonable shareholder would consider the information important in making an investment decision. | The definition of materiality relates to whether there is a substantial likelihood that a reasonable shareholder would consider the information important in making an investment decision, or whether it would have significantly altered the ‘total mix’ of information made available. |
6.1 | Determine if the information significantly alters the total mix of information made available to a reasonable investor in making an investment decision | |
7.0 | Report the incident to relevant internal stakeholders (e.g., management, legal) following internal escalation procedures. | The final rules will require registrants to disclose material cybersecurity incidents on Form 8-K within four business days after the registrant determines that it has experienced a material cybersecurity incident. |
7.1 | Evaluate the potential materiality of the incident based on SEC guidance and legal counsel. | The materiality determination must be made without unreasonable delay after discovery of the incident; the four-business-day clock starts on the date of that determination, not on the date of discovery. |
7.2 | If deemed material, prepare and submit a public disclosure via Form 8-K Item 1.05 outlining the incident details, response actions, and potential impact. | |
7.3 | Conduct a post-incident review to identify lessons learned, improve existing IR procedures, and update controls. | |
7.4 | Continuously monitor the security environment, identify new threats, and update controls to prevent future incidents. | |
8.0 | Disclose material nature of cybersecurity incident(s) within 4 business days on Form 8-K | A registrant that fails to disclose a material cybersecurity incident in a timely manner would not be able to rely on this alternative reporting provision and could face SEC enforcement action for violation of the applicable disclosure requirements. Additionally, under the final rules, a registrant will not be able to rely on this alternative reporting provision if the registrant does not first make a contemporaneous submission to the Department of Justice or other appropriate law enforcement authority detailing the material cybersecurity incident. |
8.1 | Initial Delay: Disclosure may be delayed for up to 30 days beyond the date it would otherwise be due, but only if the U.S. Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the SEC of that determination in writing. Requests for such a determination go through the Department of Justice (DOJ), not the SEC. | |
8.2 | Secondary Delay: An additional delay of up to 30 days is available if the Attorney General determines that disclosure continues to pose a substantial risk to national security or public safety and again notifies the SEC in writing. The basis is the ongoing national security or public safety risk, not the time needed to complete the investigation. | |
8.3 | Extraordinary Circumstances: In extraordinary circumstances, a final additional delay of up to 60 days is available, again only on a written determination by the Attorney General that disclosure continues to pose a substantial risk to national security or public safety. | |
8.4 | SEC Exemptive Order: If the Attorney General indicates that further delay is necessary beyond the combined 120-day period (30 + 30 + 60 days), the SEC may consider granting additional relief through an exemptive order. | |
9.0 | Disclose cybersecurity incident(s) material qualitative and quantitative details and impacts on Form 8-K | A registrant would need to disclose on Form 8-K information sufficient to provide material details regarding the nature and scope of any material cybersecurity incident being disclosed, any material impact or reasonably likely material impact on the registrant’s operations and financial condition, and any potential material future impacts on the registrant’s operations and financial condition. |