The Securities and Exchange Commission (SEC) implemented new, stricter and more comprehensive rules on cybersecurity risk management, strategy, governance and incident disclosure, with Form 8-K incident reporting required beginning in mid-December 2023. The SEC adopted the rules to help public companies (and, through comparable Form 6-K filings, foreign private issuers) report incidents promptly and accurately and to improve transparency for company stakeholders. While these rules present challenges for some companies, they also provide an opportunity to strengthen cybersecurity practices, enhance data protection and improve transparency, which can ultimately lead to increased investor confidence and business resilience.
Enterprises Struggling To Understand and Comply With the Recent Change
Since these rules took effect, executive leadership teams, boards, CFOs, General Counsels, financial reporting professionals and cybersecurity leaders have found it challenging to meet the requirements, much less fully understand them. While organizations are well versed in the concept of materiality for financial statement presentation and reporting, they appear to be far less familiar with assessing and reporting cybersecurity incident materiality, which is not limited to quantitative financial thresholds and must also weigh qualitative factors.
Reporting requirements can be particularly daunting for smaller public entities, which may lack the resources or expertise to fully develop, implement and test their cybersecurity incident response programs, define maturity levels and perform real-time cybersecurity impact analyses. Smaller reporting companies were given an additional 180 days, until June 15, 2024, before the Form 8-K incident disclosure requirement applied to them, but that deferral has now passed.
Despite these challenges, the SEC has made it clear that, regardless of the internal capabilities of the entity, these rules need to be taken seriously. Non-compliance can result in significant fines, penalties, or other legal actions and potentially, as has happened, required visits to Washington D.C. to meet with the SEC. Failure to disclose material cybersecurity events can lead to fines of up to $25 million or other disruptive legal actions like cease-and-desist orders. More importantly, there is the potential for reputational damage and lack of confidence from company investors and shareholders, which can have long-term negative effects on the company’s financial health and market value.
Meeting the Cybersecurity Incident Response Challenge
Review and Upgrade Your Existing Incident Response Program
The SEC now requires a Form 8-K (Item 1.05) to be filed within four business days of determining that a cybersecurity incident is material, and that materiality determination must itself be made without unreasonable delay after the incident is discovered. Many companies will therefore need to make significant changes and upgrades to their incident response plans.
The recommended first step is for boards and executive leadership teams to quickly assess the current state of the company’s incident response program and its supporting policies, procedures and standards to determine alignment with SEC cybersecurity standards.
Cybersecurity leaders need to work collaboratively with executive leadership team (ELT) members, board members and others across the organization, such as legal, internal audit and financial reporting. Good collaboration among these groups is crucial to ensure a clear incident assessment and reporting chain, from anomaly identification through escalation parameters all the way up to the ELT and board, if necessary.
Consider embedding the following key changes and additions into your incident response program:
- Develop guardrails and expectations that enable cybersecurity leadership to quickly communicate the potential for a material incident to the executive leadership team, financial reporting team, legal and board members.
- Include a documented “early alert warning” system that can be utilized during the anomaly intake and assessment process.
- Create clearly defined (but simple) escalation decisioning matrices and parameters that provide guidance for everyone at the organization involved in the incident response process. This guidance should drive and define the who, why, what and how different individuals and areas of the organization will be involved in the process, depending on the nature of the cybersecurity incident.
- Define clear pathways in escalation decisioning for incident reporting to finance teams, legal teams, board oversight leaders and potentially, external auditors.
- Develop and define clear incident impact assessment processes and cyber incident materiality determination processes within an incident response policy.
- Determine when the entire set of incident response policies, procedures and standards should be presented to and approved by the board.
Develop a Standard Incident Impact Assessment Process for Your Organization
Many Form 8-K filings to date have fallen short of the new SEC disclosure requirements, and some organizations are drawing unwanted attention from the SEC regarding those filings.
What is clear is that filings are failing to describe the material impacts, or reasonably likely material impacts, of the cybersecurity incident. This indicates that many companies lack a formal, informed and deliberative process for assessing the impact of a cybersecurity incident.
There are many ways of determining cybersecurity incident impact. However, it is recommended that the analysis follow the approach espoused by the Digital Directors Network BRFO™ model, which assesses the following:
- Impacts to:
  - Data
  - Information architecture
  - Risk communications
  - Emerging technology
  - Cybersecurity
  - Third parties
  - IT operations
  - Regulatory considerations
- Quantitative impacts to the income statement, balance sheet and cash flow statement
- Qualitative impacts to brand reputation, national security, competitiveness, public safety, human safety, litigation or regulatory actions
- Stakeholder impacts to key shareholders, employees or directors, customers, community, suppliers and others connected to the organization
Determine Materiality
Determining materiality can be complex and should not be solely the responsibility of any one person. Materiality determinations should involve the CFO, CISO, General Counsel and technology leaders. A general framework for materiality should be created that is specific to the organization and provides guidance for what is and what is not a material cybersecurity incident.
The SEC has stated that the consideration of materiality should be consistent with existing securities case law on materiality, under which an issue is material when:
- There is a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision, or
- It would have significantly altered the total mix of information made available to a reasonable investor in making an investment decision
If either of those points applies, the material aspects of the incident must be disclosed on Form 8-K within four business days of the materiality determination. The only exception is a national security or public safety delay: disclosure may be deferred if the U.S. Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the SEC of that determination in writing, so federal law enforcement should be engaged early if that exception may apply.
If neither point applies, the incident is not disclosable at that time. That does not mean it can never become disclosable; if new information arises, the determination must be revisited. In the meantime, the incident investigation and response process should continue.
Two factors may complicate the consideration of materiality and reporting. First, the company must determine whether the incident should be assessed on its own or together with related incidents in aggregate; the SEC has indicated that a series of related unauthorized occurrences, such as repeated attacks by the same actor or exploitation of the same vulnerability, may together be material even if no single event is. Second, materiality does not depend on who “owns” the compromised system. The SEC has made it clear that a company that relies on third-party service providers remains responsible for assessing and disclosing material impacts arising from incidents at those providers. Companies are therefore not exempt from disclosing cybersecurity incidents that occur on the third-party systems they utilize.
Standards To Ensure Proper Incident Disclosure
Even a cursory review of the cybersecurity-related 8-Ks filed to date shows that filings are falling short in properly describing the material impacts, or reasonably likely material impacts, of the incident. In addition, many companies are choosing to disclose a cybersecurity incident for which a materiality determination has not yet been made; the SEC staff has indicated that such voluntary disclosures belong under a different Form 8-K item (Item 8.01) rather than Item 1.05, which is reserved for incidents determined to be material.
The SEC requirements are clear, however, that the Item 1.05 8-K should describe the material aspects of the nature, scope and timing of the incident, along with its material impact or reasonably likely material impact on the company, including on its financial condition and results of operations. The SEC is equally clear that the materiality determination itself must be made without unreasonable delay.
It is not hard to find, in the public domain, company responses to SEC comment letters regarding poorly documented cybersecurity incidents. It is in these letters that you can typically find SEC staff statements directed to a company about the quality of its Form 8-K disclosure. By reviewing these letters, organizations can develop standards for what a proper incident disclosure should and should not include.
Perform Annual Tabletop Testing
Once incident response policies, procedures and standards are approved by the board of directors, annual incident response plan (IRP) assessments and tabletop exercises should be performed that incorporate the SEC-driven changes and modifications.
In many regulated industries, or where there is an elevated level of compliance-driven effort, this is already required. The key to success is to deliberately run a tabletop exercise that tests the organization’s end-to-end response to a material, publicly reportable cybersecurity event, including the materiality determination and the four-business-day filing clock.
Make sure the board has enough visibility to effectively sign off on annual reviews and tabletop test results. Develop a standard reporting and delivery format for documenting IRP test results and for tracking the adjustments that follow.
How Cherry Bekaert Can Be Your Guide Forward
Cherry Bekaert’s Information Assurance & Cybersecurity practice can provide guidance for public companies and enterprises as they navigate these disclosure rule requirements. Our professionals can help you gain a clear understanding of what the new disclosure rules are, what they mean for you and how you can achieve full compliance while also protecting your company from cyber threats.