This past summer, the Securities and Exchange Commission adopted new rules that require companies to disclose material cybersecurity incidents and, “disclose on an annual basis material information regarding their cybersecurity risk management, strategy and governance.”
The primary goal of these guidelines is to preserve investor confidence by creating transparency around material security incidents. Historically, there hasn’t been much regulation around reporting breaches; companies could de-escalate or de-risk some of the impacts to their organization in the wake of an attack, but they weren’t explicitly required to report the details of cybersecurity incidents. Some companies would disclose this information to investors on their own onus, but as SEC Chair Gary Gensler explains, “companies and investors alike would benefit if this disclosure were made in a more consistent, comparable and decision-useful way.”
The guidelines received some pushback from both U.S. Congress and the Senate due to the reputational concerns associated with disclosing cybersecurity incidents. Despite this, the rules officially went into effect on December 15th, 2023, and companies will need to adjust accordingly. Reputational damage is a real concern, so in addition to being prepared to share the details of material incidents, organizations must also be ready to control the narrative should they experience a breach.
This legislation comes at an opportune time: Cybercriminals are getting smarter by the day, carrying out more sophisticated attacks at a higher volume than ever before. As technologies like artificial intelligence continue to proliferate, and organizations become increasingly digitized, the risk of breaches resulting in material impact grows.
Below, we’ll explore the requirements, including the potential risks of disclosure, financial materiality principles for cybersecurity, and proactive communications strategies for dealing with material incidents.
Getting familiar with the requirements (and potential risks)
So what exactly must organizations do to stay compliant with these new rules? Here’s an overview of the key requirements:
- Regulation S-K Item 106(b) requires companies to describe their cybersecurity risk management processes and disclose if these risks are a significant factor affecting their business strategy, operations or financial status.
- Regulation S-K Item 106(c) details the mandate for registrants to explain the board’s oversight and management’s role in addressing cybersecurity risks.
- Form 8-K Item 1.05 requires companies to report all material cybersecurity incidents, including details around their nature, scope, timing and impact. This must be done within four business days of the incident, unless a delay is necessitated due to national security concerns.
- Forms 20-F and 6-K for FPIs describe the requirements for foreign private issuers (FPIs) in terms of board oversight and management’s role in cybersecurity risk management, including the need to report material cybersecurity incidents.
It’s important to acknowledge that disclosing this information begets some level of risk. There’s always the possibility that actors could somehow gain access to this information and use it as a mechanism for extortion. For example, they could exploit preemptive filings to gauge what the company considers material, possibly to precipitate a Wells Notice from the SEC.
Applying financial materiality principles to cybersecurity
According to the SEC, “A materiality analysis is not a mechanical exercise, nor should it be based solely on a quantitative analysis. Rather, registrants, auditors and audit committees need to thoroughly and objectively evaluate the total mix of information.” By applying the principles of the Statement of Accounting Bulletin No. 99 (SAB 99), companies can more effectively assess and disclose material cybersecurity risks, aligning with the expectations of investors and regulators in today’s increasingly digital and risk-prone business environment.
SAB 99 considers both quantitative and qualitative factors impacting materiality. This includes quantitative variables like costs, legal liabilities, regulatory fines, revenue loss and reputational damage, in addition to qualitative factors such as the nature of compromised data, impact on customer trust, and compliance with data protection laws.
Organizations can also perform a contextual analysis of cybersecurity risks both within the company’s overall risk profile and the industry at large. This helps to ensure consistency in disclosure practices, and takes into account the dynamic nature of cybersecurity threats. That being said, ongoing reevaluation is critical since the threat landscape is constantly evolving. Throughout the materiality assessment process, management should always be involved to ensure that their judgment on materiality is informed and comprehensive.
Stay ready with proactive measures and communication strategies
No company is immune to experiencing a breach, no matter how robust its security strategy. Breaches will happen — it’s a fact. When they do, organizations need a strategy in place so they can respond quickly to minimize reputational damage and effectively communicate risk to third parties.
Being prepared ahead of time is key. To start, companies should have a working definition for materiality (don’t wait until a breach happens to establish this) and be aware of the benefits of preemptive filings in controlling the company narrative in the event of a material incident. Have prepared statements ready to go, consider drafting K-filings in advance, and ensure call centers are ready to handle a higher volume of inquiries. Customers will undoubtedly have questions and need support following a breach, and companies must be prepared to provide them with timely information and resources.
Tabletop exercises are a great way to get the entire organization aligned and facilitate communication when it comes to incident response. Meeting quarterly to discuss the items above and rehearse the organization’s plan of action ensures that everyone — from the board level all the way to entry-level employees — understands the process for how to handle a breach. Finally, companies must emphasize to employees the importance of confidentiality surrounding security incidents to prevent misinformation.
The SEC’s new guidelines will give investors much-needed assurances regarding their investments. They’ll also push companies to have a stronger incident response plan in place in order to stay compliant while simultaneously thwarting attackers. Threat actors aren’t slowing down anytime soon, but by assessing materiality, taking proactive measures, and practicing tabletop exercises, organizations can avoid reputational damage and maintain compliance should they experience a breach.
Brian Neuhaus is chief technology officer of Americas at Vectra AI.