The U.S. Securities and Exchange Commission’s new rules around disclosure of cybersecurity incidents go into effect on Dec. 15 for public companies with fiscal years starting on or after that date.
Publicly traded companies must annually report their processes for spotting, judging and mitigating cybersecurity threats. They are also to report the possible material effects of such threats, the board of directors’ oversight of cybersecurity risks and management’s role and expertise in handling cybersecurity threats.
In addition to the annual reports, starting on Dec. 18, all publicly traded companies must disclose a cybersecurity incident to the SEC within four days if the incident is determined to be material. The disclosure must be made as Item 1.05 on SEC Form 8-K.
Drafting new disclosures and smoothing out the disclosure process
CISOs, CFOs and other business leaders can prepare for these rules going into effect by drafting new disclosures well before the end of the fiscal year so that all relevant employees have the chance to review them. IT, information security, legal, SEC reporting teams and external advisors should all be involved in creating and evaluating disclosure controls and procedures.
Many companies are already in the process of conducting readiness assessments, said Naj Adib, principal of cyber and strategic risk at Deloitte, in a phone interview with TechRepublic. Public companies are already used to filling out 8-K and 10-K disclosures for major events or new shares of stock, respectively. Now, those organizations are asking what they need to alter or enhance about their disclosure procedures, incident response and existing cyber capabilities.
“Ultimately what’s changing is the orchestration between cyber and IT and the disclosure committee and the folks that do the disclosure,” Adib said.
The new rules add on to standard incident response processes. Now, “We need to take the results of those processes and escalate to a group of individuals that would be responsible for determining materiality,” Adib said. “That could be anybody on the disclosure committee, people that are part of legal counsel and the office of the corporate secretary, depending on the organization.”
Determining whether a cybersecurity incident is material
Determining whether an incident is material can be difficult, and the SEC doesn’t provide an exact definition. A material incident in securities law is generally considered an incident in which “there is a substantial likelihood that a reasonable shareholder would consider it important,” according to three legal cases cited by the SEC.
When determining whether an incident is material, disclosure committees should look at whether the organization is at risk of financial loss, a tarnished reputation, significant downtime or a loss of public confidence, Deloitte said.
In order to make the process smooth, people, process and technology all need to be aligned, Adib said. Organizations need to build processes to get people from different stakeholder groups – cyber, IT, finance, legal – together on a disclosure committee to discuss a potential incident. Those people will need to make a professional judgment call about whether the incident is material.
The technology used to determine materiality will be different depending on the organization, but will generally include:
- Security information and event management platforms.
- Security orchestration, automation and response platforms.
- Threat intelligence platforms.
- Threat response platforms.
- Ticketing platforms.
“You have to have these platforms, tools, processes and capabilities in play in order to be able to identify that there’s a cyber incident and then take it up the chain to make a materiality determination,” Adib said. “But as we know, tools are only as good as the people that deploy them.”
When an incident is being evaluated for materiality, Adib said organizations need to be sure they consider:
- Who’s at the table?
- Do we have enough information?
- How does the incident affect our business?
Deloitte’s plans for determining materiality based on the SEC guidance use a taxonomy of risk domains: financial, operational, reputational, regulatory, extended enterprise (third parties, vendors and customers), strategic, technological and talent (health and safety), Adib said.
Companies strengthen cybersecurity rules in response
The purpose of the rules is to inform investors of the incident’s possible impact to “benefit investors, companies and the markets connecting them,” said SEC Chair Gary Gensler in a press release posted on July 26, 2023.
On Aug. 2, 2022, Deloitte ran a poll of more than 1,300 C-suite and other executives in publicly traded organizations and found that 64.8% planned to strengthen their cybersecurity efforts in response to the SEC’s new rules. More than half (54.1%) of the executives surveyed said they would also push third parties to improve their cyber programs in response. The poll was held during a webinar about the SEC’s new requirements.