With its landmark cybersecurity breach disclosure rules adopted on July 26, 2023, the SEC has sparked a perfect storm that will impact every public company’s incident response program (IRP). On top of expanding threats, more stringent compliance frameworks and more liabilities for executives, the new regulations now require businesses to disclose all “material” security incidents within four business days.
For most security, legal and investor relations teams, cybersecurity incident disclosure aligned with SEC guidance is not standard operating procedure. It represents a monumental shift similar to that of the Enron scandal and the ensuing “safe harbor” and “forward-looking statement” policies set forth in the Sarbanes-Oxley Act over 20 years ago.
While the 8-K incident reporting requirement includes a time-bound exception for disclosure that “poses a substantial risk to national security or public safety,” few cybersecurity incident investigations can produce a comprehensive incident impact report–let alone determine if a breach will affect the stock price–in just a few days. If a company determines a cybersecurity incident is material but information was unavailable at the time of the required filing, companies must later report via a Form 8-K amendment.
Attending urgent meetings with attorneys, executive leaders, board members, investor relations, spokespeople and the media, all while making rapid disclosure decisions, could interfere with mitigating the incident itself if the incident response process is not properly planned before the incident and managed during and after the incident.
The question then becomes, “What is a material cybersecurity incident?” The SEC states in its final rule that consideration of materiality should be consistent with case law addressing materiality and that an issue is material when there is a “substantial likelihood that a reasonable shareholder would consider it important in making an investment decision” or it would have “significantly altered the total mix of information made available.”
Two factors complicate the consideration of materiality further: Assessing the incident singularly or related incidents in aggregate and, further, materiality consideration is not dependent on who owns the compromised system. As such, companies are not exempt from disclosing cybersecurity incidents on the third-party systems they use.
As part of the normal financial reporting processes, registrants already have significant and available materiality data related to financial conditions and results of operations, which could be a starting point when considering cybersecurity materiality. As such, beyond financial materiality, companies will be left to decide for themselves using the factors identified above.
But the consequences are higher now and there’s a new contingency to worry about–disgruntled shareholders, or worse, class-action contingency attorneys that may have their own ideas about what “material” means.
Anyone with a public equity interest has legal standing and the right to sue for being denied material information–potentially any breach–which could influence a stock buy, hold or sell decision. The crime of insider trading occurs when someone transacts on information withheld from the public. If a company doesn’t report a breach that later causes financial harm, executive decision-makers may be criminally liable. The ubiquitous right to sue may compel companies to settle rather than try to win complex materiality arguments in court.
With these profound changes, there are plenty of knowns and unknowns. But one thing for sure is that incident response will never be the same. Organizations need to get ahead of the curve on the SEC’s new requirements.
Given the SEC’s guidance regarding cybersecurity oversight, the recommended first step for most organizations should be for boards and executive leadership teams, especially those in financial reporting roles, to quickly get an assessment of the current state of the company’s IRP.
CISOs need to lead their ELTs and BoDs with a clear view of the organization’s threats, risks and processes for the entire incident response chain, from anomaly identification through the IRP’s escalation parameters and all the way up to a material cybersecurity incident.
What most leaders will find out is that most companies have multiple cybersecurity events and/or anomalies every year, each being evaluated for escalation. But with the SEC guidance on oversight and material incident reporting, they should expect more communication and clearer reporting on cybersecurity incidents.
Security leaders also should work proactively with the board, ELT, legal and financial reporting departments to develop and document materiality guidelines for cybersecurity incidents and embed clear standards into every organization’s IRP.
The board and ELT, in collaboration with the company’s financial reporting teams and external auditors, should ensure there is an appropriate process in place for required reporting on cyber incidents, including 8-K and 10-K filing guidelines. A well-defined team to manage communications around every cybersecurity incident, including members from legal and regulatory compliance, financial reporting, marketing and internal audit, should be baked into the IRP.
BoDs and ELTs need to know immediately how cybersecurity risks are identified and mitigated; further consideration should be made if oversight of cybersecurity requires the full board or a specialized committee. Reporting procedures should be clearly defined and transparent, and a description of the board’s risk oversight should be included in the 10-K. A Trust Center on the company website can showcase oversight policy, compliance certifications, incident history and outcomes.
Annual IRP assessments and tabletop testing should be performed, incorporating SEC-guided upgrades and right-sizing incident reporting thresholds according to the moving targets of attack surface vulnerabilities and threat vectors. Make sure the board has enough visibility to effectively sign off on annual reviews on the same level of responsibility that accounting firms have in not signing off on fraudulent tax returns. Develop a standard reporting and delivery format for documenting IRP test results and for making necessary adjustments.
Executive teams, especially those accustomed to having D&O insurance coverage, may want to engage SEC attorneys in materiality decisions and consider involving an independent third party with cybersecurity expertise for insights into improving risk assessment and reporting processes.
Ultimately, boards will be responsible for making sure that materiality determination is a collaborative effort that sets the course for IRP performance, oversight, and outcomes that will hold up in court.
Cybersecurity discipline is not new to the C-suite or boardroom. But with the SEC’s cybersecurity wake-up call, it’s now a mandate and a significant event in IT history. The new rules are the reality, and though difficult, their benefits are pragmatic in the movement toward business-aligned security.