The US Securities and Exchange Commission (SEC) has mandated that publicly listed firms operating in the US must disclose “material” cyber incidents within four days.
Within the disclosure, companies will need to provide details of the incident’s nature, scope, timing and impact or “reasonably likely material impact.”
In addition to the four-day incident notification requirement, the SEC is forcing firms to describe their processes for assessing, identifying and managing cyber risk, as well as the impact of any cyber-threats and previous incidents on an annual basis.
The regulator will also require organizations to detail the board’s oversight of cyber risks and their expertise in assessing and managing these material risks.
The rules are designed to increase the transparency and accountability of businesses that suffer a cyber breach toward investors, shareholders and customers, placing extra responsibilities on boardrooms in this respect.
The provisions apply to publicly listed companies based in the US as well as international PLCs that do business in the country.
The rules came into effect from September 5, 2023, with the first deadlines for providing the reports on December 15 and 18, 2023. It is vital that affected organizations quickly understand and take steps to ensure compliance in the coming months.
What is Material Impact?
The SEC itself defines ‘materiality’ to mean whether a reasonable shareholder would consider it important in making an investment decision, in particular if it “significantly altered the ‘total mix’ of information made available.”
This definition of “material impact” is one that is likely to be tested and more fully fleshed out in time, according to Jordan L. Fischer, Partner at Constangy, Brooks, Smith & Prophete, LLP.
Scott Kannry, CEO and co-founder, Axio, argued that in essence it is about financial impact: “Will the cyber event in question adversely impact the registrant, and its investors from an economic standpoint? Or said a different way, will the total costs related to the cyber event cause the value of the business to be reduced?”
The threshold of materiality could differ across organizations, added Kannry, who said there are various methods by which this might be calculated. One of these is as a percentage of net income, frequently referenced at 10% in accounting principles. Another is to consider the impact on earnings per share.
Calculations on the “reasonably likely material impact” of an incident must be provided on a new Item 1.05 of Form 8-K alongside its nature, scope and timing for US firms and Form 6-K for relevant foreign companies. This will be due from December 18, 2023, with smaller reporting companies given an additional 180 days before providing the Form 8-K disclosure.
Paul Truitt, principal, National Cybersecurity Practice Leader at Mazars, said that any organization that has recommended incident response plans in place should already be in a position to evaluate the nature, scope and timing of the cyber event as a standard process.
He added that organizations can calculate the full material impact by working collaboratively internally or with a qualified third party to utilize a blend of industry data on a per record loss and estimations of potential litigation and brand damage. “These are always going to be estimations but what is required is to estimate using current industry data,” noted Truitt.
How to Establish Processes for Managing Cyber Risk
Publicly listed companies must set out their processes for assessing, identifying and managing cyber risk on a yearly basis in the newly introduced Regulation S-K Item 106, on Form 10-K, which is due in annual reports for fiscal years ending on or after December 15, 2023. The equivalent requirement applies to Form 20-F for foreign private issuers.
Experts who spoke to Infosecurity advised organizations to use one or more recognized cybersecurity governance frameworks as the basis for managing cyber risk. These include standards like ISO 27001/27002 and the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
Truitt commented: “Developing a security program utilizing an industry best practice framework allows an organization to ensure they are making the right investments and developing a program to reduce risk in all areas of potential exposure.”
Kannry also urged organizations to stick to those frameworks and to use a system of record to keep all information in an organized format. The chosen methodologies or frameworks must then evolve over time as the organization grows and its risk profile increases.
“For example, a lightweight utilization of NIST or CIS might not be sufficient if the organization triples in size, expands internationally, and adds new product lines to its commercial mix, all of which would expand its exposure profile and necessitate a greater degree of detail considered,” he outlined.
Regarding the obligations around the impact of any cyber-threats and previous incidents, Kannry suggested thinking about governance in terms of a “notional hindsight analysis,” by consistently applying the same frameworks and recording the information in a single place.
“If a major cyber event is disclosed and information suggests that the initial breach was discovered two years prior, tough questions will be immediately raised as to how the organization was fulfilling its governance at that time. If the organization can defensibly and logically paint that hindsight picture based on the principles that I’ve suggested, that should be an easy test,” he outlined.
Why the Board Needs to be Involved
A major aspect of the new SEC rules is for publicly listed companies to describe the board of directors’ oversight of risks from cybersecurity threats and their role and expertise in assessing and managing material risks. This also comes under Item 106.
Kannry noted: “Based on what these rules speak to, and considering established corporate governance and fiduciary responsibility constructs, key C-suite constituents including CEOs, CFOs and General Counsels will have to be the primary drivers of compliance.”
These board members must collaborate with CISOs and external cybersecurity experts to be in a position to fulfil the disclosure duties. Kannry said this includes understanding the adverse impacts on business operations, technical insights about systems impacted and likely duration and potential legal ramifications and costs.
To achieve this, Truitt advised: “Reviewing outside assessments and penetration testing reports and asking about how security controls are being implemented (based on what framework), and how processes are being assessed for adherence to policies, is something that should be part of regular updates with executive teams and boards.”
Maturing Security Programs
Overall, it is hoped the new rules will prioritize investment into maturing organizations’ security programs, ensuring company-wide focus based on risk.
Fischer said: “These rules generally require that companies take a hard look at their incident response preparedness, the training of their cyber teams, their cyber risk management, and ask are they doing enough to demonstrate an appropriate approach that takes into account the risks associated with their business.”
She added that impacted organizations should continue to keep a close eye on how the SEC continues to evolve its rules and definitions over the coming months and years and adapt accordingly.