The specter of cyber threats has long loomed large over organizations, threatening operations and in some cases their very survival. But with new U.S. Securities and Exchange Commission (SEC) rules finalized in August 2023, effective disclosure adds another dimension of cyber risk for regulated companies to manage.
In this blog, let’s cover:
- An overview of the new rules
- Assessing material breaches
- Assessing third-party breaches
- Disclosing your approach to cybersecurity management
- Cybersecurity governance requirements
- Integrating it into your ERM, VRM and compliance programs
Subscribe to our knowledge hub to get practical resources, eBooks, webinar invites and more showing the latest developments in risk, resilience and compliance, direct to your inbox:
What’s in the new rules
The new rules apply to public companies subject to SEC reporting requirements. Given the growing volume of cyber incidents, the way organizations manage their cyber risks is becoming more material to investors. The intention of the rules is to make disclosures more consistent and therefore easier for investors to assess.
The rules have these main requirements:
- To disclose cybersecurity incidents within 4 days of being assessed as material
- To disclose the company’s processes for managing material cyber risks
- To describe in disclosures the governance arrangements over cyber risk
Disclosing material breaches
The most urgent of the new requirements is to disclose a cybersecurity breach within four business days once it has been assessed as material. This must be lodged with the SEC (using Form 8-K) and must “describe the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.”
This requirement garnered a lot of feedback during consultation, including proposals to define specific measures or thresholds for materiality assessment. This was rejected in the final rules – the SEC expects that both quantitative and qualitative elements will be considered.
This may be a challenge for CISOs and executives to grapple with. A cyber incident with a direct financial cost of $1 million might not be considered financially material to a company with $1 billion in revenue. But could it be qualitatively material? Who was affected, and how? Has the reputation of the firm suffered to the extent that it would affect valuation or the opinion of investors?
Another important distinction is when the four-day timer starts. It’s not from when the incident first occurs (it might occur months before you identify it), or even from when you first identify it – it’s from when you first assess it as material. However, that materiality assessment must occur without reasonable delay.
In its commentary supporting the final rules, the SEC expects that companies may have sufficient information to determine materiality, even if they don’t yet have complete information about the incident. “We’ve identified a cyber intrusion via System XYZ” won’t start the timer, but “We expect to be down for two weeks and it will wipe out this quarter’s profits” probably does.
Updates to this initial report are also required when new relevant information comes to light.
What if the breach involves a third party?
Inevitably, breaches occur through third parties and vendors. If they do, who reports them? The short answer is: If it’s your data, you do. From the SEC’s perspective, where the data was stored is mostly irrelevant to an investor and does not affect an assessment of materiality.
This perspective is particularly pertinent to the use of cloud providers or managed service providers. Breaches of your environments that those providers manage might have no material effect on them but still be material to you.
At Protecht, we believe you can outsource the function, but you can’t outsource the risk. You remain responsible for ensuring the availability and security of your data, including through effective management of your third parties.
While information may be less timely or more difficult to obtain, it highlights the importance of effective vendor risk management, including integration with Information Security Management Systems (ISMS).
Disclosing your approach to cybersecurity management
Beyond incidents, companies need to disclose in their annual reports how they manage cybersecurity. Let’s take an extract directly from the rules:
“Describe the registrant's processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes.”
The inclusion of ‘if any’ is amusing – if you don’t have any, you probably don’t exist long enough to prepare an annual report. More seriously, if these processes are currently managed ad-hoc or in the bowels of your company and it just seems to get done, you’ve got work to do. You’ll need to add structure and governance.
So what is sufficient detail for a reasonable investor? The rules themselves don’t prescribe what is sufficient, but should address the following:
- How cybersecurity processes are integrated into overall risk management
- Whether you use third parties to support your cybersecurity processes
- How you manage threats associated with the use of third parties
These requirements are lower than the original proposal, and there is commentary accompanying the final rule about this change. Disclosure should allow investors to ascertain the practices, and an understanding of the risk profile, without giving away detailed information that could be ‘weaponized’ against the company.
A lot of room is still left here for interpretation. If you are responsible for putting the information in your annual report, I recommend you read not only the full rules but the associated commentary (from page 53 if you want to read just this section).
Governance requirements
Cyber has increasingly been on the minds of directors, but the SEC disclosure rules expect you to explain what oversight your directors have over cybersecurity threats. That disclosure should include the processes by which boards or relevant committees are informed about these risks.
The disclosure should also address:
- Management’s role in managing material cyber risks
- Which positions and management committees are responsible for the management of these risks, and their expertise
- Processes by which the roles or committees are informed about cybersecurity processes
- Whether those people report cyber information to the board
To reiterate, the intention is for investors to receive sufficient information about the cybersecurity posture and management of the business. If you have a board that signs off on information security policies or investments without review (or perhaps denying investment because they don’t understand the impact), you’ll probably want to change that before you make your first disclosure.
You also need to consider the information that is presented to the board. Consistent and effective information on cyber risks and the effectiveness of controls can be a challenge, particularly ensuring that it avoids technical language and can be explained in business language.
Integration
The rules require disclosure; they don’t set minimum standards. However, the disclosure requirements highlight what is expected, or what information the SEC expects investors to care about. Given that, we suggest that you should focus on:
- Integration of information security management with enterprise risk management
- Integration of information security management with vendor risk management
- Standardized processes across the lifecycle of risk
- Capturing detailed information on the cyber front lines in a standard format that can easily be aggregated up to management and the board
To flesh those out, some of the more specific linkages and integrations that we assist our customers with include:
- Linking your ISMS program to your ERM program, which connects cyber risks to the strategy and objectives of the organization
- Linking IT-specific risk and control frameworks to the broader ERM program, enabling information security teams to capture domain-specific information while aggregating risk reporting to the board
- Managing third-party due diligence, cyber-related or otherwise, in a consistent manner
- Ongoing monitoring and controls assurance of third parties after onboarding
- Common risk and control taxonomies and libraries that can be used across the entire organization in a single platform
You may have some or all of these in place, but we often see these managed in silos or are duplicative. Having a centralized approach can bring all the information to your fingertips when you need to make a disclosure – and potentially have a disclosure that is seen more favorably by investors.
Conclusions and next steps for your organization
The SEC's newly minted rules highlight the escalating importance of cyber risk management, emphasizing rapid disclosure of material breaches, escalating governance expectations, and the criticality of third-party risk management. These regulations underline the necessity to have an integrated and comprehensive approach to cyber risk that aligns with enterprise objectives and investor expectations.
Navigating this landscape can be challenging, but Protecht's webinar Speaking the same language: Bringing IT and cyber risk to your enterprise risk view offers a deep dive into these areas, providing strategies, insights, and best practices for organizations.
Join Protecht’s Cyber Security Lead Mike Franklin and our Research & Content Lead Michael Howell for an informative and insightful webinar that brings ISMS into an overall enterprise risk management approach. From understanding the language of IT and cyber risk to the building blocks of resilience, this webinar will provide actionable insights for executives, risk managers and cybersecurity experts alike.
