The SEC’s Cyber Disclosure Rules: Lessons Learned So Far In Year One

Subscribe to our newsletter

What qualifies as a material cybersecurity incident? Can we estimate our potential losses and the effects of business disruption? What were our recovery costs? What longer-term remediation costs do we need to include in our 8-K incident report? How did our actions following the breach reflect the response readiness capability previously detailed in our most recent Form 10-K disclosure?

getty

These and other questions illustrate why complying with the U.S. Securities and Exchange Commission’s (SEC/Commission) amended Cybersecurity Disclosure Rule—which was formally adopted one year ago and effective for this past year’s annual reports and for cyber incidents occurring after December 18, 2023—requires deep and nuanced knowledge of cybersecurity, incident response, data governance, financial reporting, investor relations, regulatory compliance and risk management. This combination of expertise makes it imperative for CFOs and chief information security officers (CISOs) to collaborate closely, in part through two-way education. CFOs should school CISOs on materiality evaluations and reporting to the board, while CISOs can help finance chiefs better understand recovery costs, remediation efforts, single versus aggregate breaches, and the nature of compromised data.

Partnering closely with their CISO is one of several actions CFOs should consider to strengthen their cybersecurity disclosures, preparedness and incident evaluation process.

What We’ve Learned So Far

Adopted last July and effective in mid-December, the SEC’s updated cybersecurity disclosure rule requires Form 10-K filings to describe 1) processes for identifying, assessing and managing material cybersecurity risks and threats, and 2) the board of directors’ oversight role in assessing and managing cybersecurity risks. The rule also requires SEC registrants to issue an 8-K cybersecurity incident report when a breach (either a single attack or a series of incidents) is deemed to have a material impact to the business. An incident report must be filed within four business days of the company’s materiality determination.

The nature of these requirements commands the CFO’s direct involvement and oversight, as well as the CISO’s expertise and engagement. Both executives should be clear about the threshold at which a cyberattack rises to the level of a material incident—and making this determination may require more frequent dialogue and collaboration. This means they need to agree on the materiality determination process. What do the rules require, how do we apply them, what information do we need, who should be involved, who decides, and how do we ensure the determination is reached within a reasonable time period are questions best answered in the cool of the day rather than in the heat of the moment.

It also means that these two executives must understand their personal accountability for contributing to accurate disclosures. This may be something new for the CISO and an area in which the CFO can provide guidance. In the aftermath of the SEC’s SolarWinds allegations, CISOs and other executives must presume that the Commission is holding them as accountable for the accuracy of public filings as it does CFOs and CEOs.

So, what precisely is the SEC looking for in these filings? We’ve taken a close look at recent cybersecurity disclosures. Our analysis of these disclosures, and the SEC responses thereto, indicates that:

Companies are generally taking a conservative approach.

In reporting cybersecurity incidents, we’re noting an apparent willingness of some registrants to disclose incidents even when materiality has not yet been fully established—apparently erring on the side of caution rather than risk not disclosing when, later in hindsight, they should have. With respect to these voluntary disclosures, the SEC staff recently encouraged registrants to disclose such incidents under a different item of Form 8-K, such as Item 8.01 (Other Events), to avoid diluting the value of Item 1.05 disclosures (Material Cybersecurity Incidents) and potentially creating investor confusion. Of course, a second Form 8-K would be required if the registrant subsequently determined that the incident is material, in which case the disclosure would fall under Item 1.05. In such instances, the registrant may refer to the earlier Form 10-K filed under Item 8.01.

The level of detail in 8-K incident reports varies.

Some companies provide extensive information about the nature of attacks and their containment strategies. Others opt for a high-level approach, reporting information that could apply to almost any cybersecurity incident. Some companies generally described taking prompt actions—such as isolating affected systems and conducting forensic investigations—once an incident was detected. Most companies reported that they had notified relevant law enforcement agencies and were working closely with them as required. Many disclosures referenced specific communication protocols for internal reporting and external communication with stakeholders.

The Commission doesn’t appreciate ambiguity.

The SEC took one filer to task for vague language regarding materiality in an 8-K incident report that ran afoul of its disclosure requirements. We’ve also seen filers distinguish between financial materiality and operational materiality in their 8-Ks, despite the fact that the rule focuses on a single concept of materiality of which the SEC’s definition remains consistent. Reports often cited activation of business continuity plans to minimize service disruptions; however, details regarding the effectiveness of these plans or the time frames for full recovery were frequently omitted.

10-K disclosures emphasize cybersecurity-related board reporting.

Most SEC registrants agree that identifying a functional leader for cybersecurity matters and providing periodic cybersecurity-related reporting to the board are critical practices. Of note, although most companies cite their readiness to respond to cyber incidents, about one-quarter of the 10-K filings we reviewed do not explicitly describe preparedness strategies. While nearly all companies referenced efforts to mitigate cybersecurity risks through established processes, procedures and systems, a smaller yet significant majority disclosed alignment with external frameworks—which suggests there is room for improvement in adopting recognized best practices. Interestingly, a significant portion of organizations reported the use of external independent cybersecurity advisers, indicating that such third-party expertise is beneficial or necessary.

How to Sharpen Disclosures

CFOs can produce better cybersecurity disclosures and help ensure their filings satisfy SEC requirements by taking the following actions:

Cultivate mutually instructive CFO-CISO collaborations.

These two executives should be joined at the hip to navigate the cyber disclosure rules minefield successfully. When completing an 8-K incident report, many CFOs will need CISOs to help them understand the nature of the attack, the type of data (personally identifiable information, valuable intellectual property, etc.) that was compromised, and the scope and difficulty of the recovery effort. CISOs will also need finance leaders to educate them about incident identification, response protocols and other aspects of cyber risk mitigation that SEC registrants must detail in their 10-K filings. In addition to coaching CISOs on materiality determinations and how cybersecurity incidents affect investor relations, CFOs should consider arranging for CISOs to participate in meetings of the board committee that oversees cybersecurity disclosures (typically a disclosure, audit or technology committee).

Create a materiality framework for cybersecurity incidents.

To date, many organizations have relied on existing approaches and concepts for determining materiality—often with subtle, cyber-related adjustments—to assess whether a cyber incident merits disclosure. While this approach has passed muster so far, more substantial adjustments likely are needed. An effective cyber incident materiality framework should address a combination of financial, operational and technical considerations. It should also contain accurate estimates of recovery and remediation costs (both immediate and long-term) as well as context: A $20 million ransomware event has different impacts on a $100 million company versus a $10 billion enterprise. Whether an attack is a single incident or a series of connected, or aggregated, breaches over time also warrants consideration.

Benchmark public filings.

The SEC did not provide a template for the new cybersecurity disclosure requirements, and we’ve seen some cyber disclosure approaches already fall out of favor (e.g., differentiating between financial materiality and operational materiality). As companies continue to comply, their 10-K and 8-K disclosures will naturally evolve to better reflect the intent of the rule. As such, finance and information security leaders should track how other companies craft their disclosures. In addition to reading annual reports, CFOs and CISOs can monitor 8-K reports on incident trackers. Bottom line, this is a learning process, and it behooves the CFO and CISO to understand what’s working and what’s not.

Bolster cybersecurity risk management.

As the regulatory spotlight on cybersecurity capabilities intensifies, CFOs should consider ways they can lead and contribute to efforts to improve cybersecurity risk management and governance practices and incident identification, response and reporting processes. This effort also should focus on more specific determinations of incident materiality, among other aspects of the SEC’s cybersecurity disclosure rule.

Final thoughts

Some boards are adding directors with cybersecurity expertise (like the “financial reporting expert” on the audit committee), but the post-SEC cyber disclosure-rule trend has yet to be determined. A Heidrick & Struggles report noted that only 14% of new board appointments in 2022 had cybersecurity experience, a decline from 17% the previous year. With no data provided for 2023, the appointments during 2024 will be of interest when published next year.

As with past requirements from the Commission for new disclosures, we expect the SEC staff to become less tolerant of vague language, generic boilerplate discussions and other disclosure practices that run counter to the letter and spirit of its rules. This makes it imperative for the CFO to build a strong partnership with the CISO and establish clear guidelines and processes for defining, identifying, responding to and reporting material cyber incidents in 8-K and 10-K filings.

Read More