Enterprise Leaders Are Now on the Clock with SEC Cyber Disclosures


Starting December 18th, publicly held companies are required to disclose material cybersecurity incidents to the U.S. Securities and Exchange Commission (SEC) on Form 8-K.

While the regulatory reporting rule is intended to provide investors with information on potential cyber risks affecting companies, lawmakers and cybersecurity experts and practitioners have criticized the rule for its shortcomings.

For instance, some have complained that the four-business-day disclosure window (which starts when the company determines an incident is material, not when the incident is first detected) isn't an adequate length of time for public companies and their cyber teams to identify, assess, manage or mitigate potential breaches or incidents. Another key consideration for CISOs and cybersecurity leaders is that the picture of a cybersecurity incident often changes as time goes by and as additional analysis is completed, so an initial disclosure may need to be amended.

In addition, many practitioners in the HMG cyber community have criticized the vagueness of the term ‘material’ incident and the uncertainty over how and whether such incidents should be reported to regulators in their 8-K filings. In its new rule, the SEC describes a ‘material’ incident as a matter “to which there is a substantial likelihood that a reasonable investor would attach importance” in an investment decision.

While the SEC does offer additional guidance as to how company officials may approach a ‘material’ incident, it does not list a specific financial threshold for a material incident. According to the SEC’s rules, determining whether a cyber incident is ‘material’ requires an analysis of the total combination of qualitative and quantitative data surrounding the incident.

“As a Board member, advisor to Boards, and one of the principal researchers on the research paper ‘The Importance of Board Member Actions for Cybersecurity Governance and Risk Management,’ just published in the latest issue of MIS Quarterly Executive Journal, I find two aspects of the new SEC regulations are vital to corporate governance, and therefore the C-Suite, Board, and CISO,” said Michael Coden, Associate Director of Cybersecurity at MIT Sloan. “The first concern is how to measure the materiality of a cyber event so as to be able to report the event in a timely manner to the SEC and investors. This can be determined by the CFO and General Counsel using the same processes that have been used for decades, such as for natural disasters, strikes, and other business disruptions.”

In practice, the determination of ‘materiality’ is typically left to legal counsel, the CEO and the Board. Cyber incidents may be deemed ‘material’ if they are expected to have a significant impact on a company’s financial position, its operations or its relationships with customers.

Moreover, some cybersecurity leaders in the HMG community have expressed concern about how much information to disclose about cyber-attacks to the SEC, worrying that too much detail may expose their organizations to lawsuits or hand useful information to attackers.

The SEC rule includes a provision that allows a company to delay filing its disclosure only if the U.S. Attorney General determines that disclosure would pose a substantial risk to national security or public safety and notifies the SEC of that determination in writing; an active law enforcement investigation on its own does not permit a delay.

Some cyber experts believe the SEC regulation will have a sea-change effect on CEOs, Boards and business leaders. “For years there’s been talk that cybersecurity ‘should’ be part of an organization’s culture, and needs to be built from the top down, rather than from the bottom up,” said Professor Kevin R. Powers, J.D., who is the Founder and Director of the Master of Science in Cybersecurity Policy & Governance program at Boston College.

“The new SEC Cybersecurity rules change that ‘should’ to ‘shall’. Specifically, by requiring companies to describe their Boards’ oversight of risks from cybersecurity threats and management’s role in assessing and managing a company’s material risks from cybersecurity threats, the SEC clearly has made cybersecurity the responsibility of Boards, C-suites, and senior business leaders. Thus, with the new SEC Cybersecurity rules, ‘the business of cybersecurity is business’ – that is, cybersecurity is now a core business function and organizations need to treat it that way; it’s no longer an issue that can just be delegated to IT departments,” added Powers.

Another topic that is particularly worrisome for CISOs and security executives is the SEC’s recent civil complaint against SolarWinds and its CISO, alleging fraud and internal control failures, and what its ramifications are for CISOs at publicly held companies.

The impact for C-suites and Boards is far more complex, noted Coden. “It began when the new SEC regulations required companies to report on their business continuity plans,” said Coden. “At first this SEC requirement made Boards and C-Suites realize that ‘it is not a matter of if, but when’ and companies needed to put more focus on cyber-resiliency, in addition to the focus on trying to prevent a successful cyberattack.”

However, in the wake of the SEC’s complaint against SolarWinds, which alleges that SolarWinds had not properly informed investors of the risks of a cyberattack and of the measures it was taking to prevent and respond to a successful cyberattack, “the question of what and how to report to investors the precautions a company is taking has become more complex and hazardous,” added Coden. “My advice is to emulate the financial industry’s approach to reporting risk by using Cyber Risk Quantification (CRQ). Using CRQ, a company can estimate the financial quantification of risk for different types of cyber-attacks and show that they are focusing their cyber investments in protection and recovery on those types of cyberattacks that represent the most material risks.

“Moreover, this has been shown to be the most efficient way for companies to prioritize their cyber investments. (Please see my article in Forbes: ‘Yes, Virginia, You Can Calculate ROI for Cybersecurity Budgets.’) Additionally, this quantifiable approach may well be the best way to defend the company, if it ever ends up being indicted by the SEC or becomes the victim of a class action lawsuit. One popular approach to CRQ that has been used by almost 14,000 companies is the one developed by the Fair Institute (https://www.fairinstitute.org),” added Coden.

Just before the SEC’s cyber disclosure rules went into effect, VF Corp. – the parent company of Vans, The North Face and several other apparel brands – became one of the first companies to disclose a cyber-attack in an 8-K filing, according to InformationWeek.

Going forward, CISOs, business leaders and board members will need to be in lockstep as to how they address the SEC’s new cyber disclosure rules. “Over the next 90 days, companies are required to evaluate how they will address these new requirements. It is critical for CISOs, executive teams, and Boards of Directors to understand their company’s critical assets and cyber risk exposure as well as the necessary contingencies in place should they experience a compromise,” said Rocco Grillo, Managing Director – Global Cyber Risk Services & Incident Response Investigation at Alvarez & Marsal.

“The additional SEC Rules have added significance for the C-Suite and Boards given cybersecurity is an ongoing area of focus,” added Grillo. “Continuous cyber risk assessments and quantification of a material cyber event from a financial and overall business perspective, across sectors and industries, remain key areas of importance for the SEC.”

Grillo says that some companies have already begun to enhance and update their incident response (IR) planning efforts along with conducting simulated cyber-attack tabletop exercises related to risk exposures that may result in a material cybersecurity disclosure by their companies.

The new SEC cyber rules will lead CISOs and cybersecurity leaders to collaborate more closely with company boards and members of the senior leadership team. That should benefit CISOs and cybersecurity leaders in the long run, said Grillo.

“These activities will in effect help company CISOs refine their board reporting initiatives and plans,” said Grillo. “Concurrently, these efforts will foster stronger CISO, executive team and board member relationships to help establish stronger alignment and partnering in combating their company’s cyber risks and threats.”

At HMG Strategy, we’re tracking what matters most to CISOs, CIOs and business technology leaders. Become part of the conversation on the SEC’s cyber disclosure rules by attending one of HMG’s upcoming summits.

Meanwhile, learn more about HMG’s Global CIO & CISO Executive Leadership Alliance (CELA) service, a forum for top CIOs and CISOs who share the common challenges and opportunities they face in their roles along with fellow members of the C-suite.

