The SEC’s cybersecurity disclosure rules recently turned one year old, but many organizations still have questions about compliance. Bill McLaughlin, president of Thrive, a managed services provider, explores some of the lingering issues.
It has been about a year since the SEC enacted its cybersecurity disclosure mandate, which requires the disclosure of any material cybersecurity breach on form 8-K, item 1.05, as well as cybersecurity-specific additions to companies’ annual 10-K filing.
Companies may still be grappling with questions surrounding the new rules and processes needed to meet the SEC’s requirements.
4-day deadline
A form 8-K must be filed within four business days after a cybersecurity event occurs, starting the first business day after the event has been identified (also called Day One). Companies should take note of the language here: it is four days after the event has been identified, not after the incident has happened. That nuance and the narrow window of time can bring a company into compliance or render it out of compliance.
However, and as many companies note, four days may not be long enough to determine if a cybersecurity incident occurred, much less if it is deemed “material” or not. The mandatory 8-K and ongoing reporting document any breach’s cause, resolution(s) and corporate impacts. The SEC recognizes that companies may not be able to determine materiality that quickly and notes that if there’s not an unreasonable delay in reporting, there may be some leeway.
What constitutes materiality?
According to SEC guidance, “material” is defined as any event that a reasonable person would consider important when making an investment decision. One might think that financial information access is the only noteworthy event. However, any cyber event that could impact a company’s ability to function properly is considered a material event and beyond financial impact could include:
- Operational impact, or disruptions or downtime to business operations, including the inability to access critical systems, data loss and interruption of services.
- Reputational impact, or how an incident could impact brand image among consumers or key buyers.
- Legal and regulatory implications, or if your company was out of compliance with industry or geographical requirements.
- Customer and stakeholder impact, or if data belonging to consumers, partners, etc. was compromised as a result of the incident.
Cyber transgressions have significantly higher bottom-line consequences than even just five years ago. Harm travels at alarming speeds, resulting in significant costs. Due to reporting requirements, breaches are now public knowledge with lasting impact. Reports must include the incident, response and impact/effect information. Each must be updated during triage and throughout resolution.
What gets reported on 8-K and 10-K forms?
It’s important to note the difference between 8-K and 10-K forms and the level of detail required:
- When reporting a cybersecurity incident on item 1.05 of Form 8-K, details of what happened must be documented, including the scope, timing,and material impact on the company.
- The 10-K report includes a full description of the company’s financial activity during a fiscal year, including risks, liabilities, operations, agreements and more.
In a nutshell, public companies must submit a 10-K report every year to the SEC, while they file an 8-K form only after an incident has occurred. Both should err on the side of including more detail to fulfill requirements instead of withholding information.
Reportable events to be board-certified
The SEC mandates that companies report each significant breach to assist investors in identifying potential pitfalls. Material incidents encompass breaches, unauthorized data access or use, data tampering, data exfiltration, malware, events that contribute to financial or data harm, lead to loss of sales or confidence, reputational harm events and more are all reportable.
If an incident occurs and is unreported but is later determined to be “material,” the four-day reporting clock begins then. The initial report provides an outline of the incident. Follow-up information will be filed, including incident response, resolution, impacts, etc. Incidents are reported in EDGAR, the SEC’s electronic data gathering, analysis and retrieval system, regardless of resolution progress.
The initial report and all updates carry the same board certification mandates as other SEC reports. This puts an onus on the board to have cybersecurity understanding or skills since board members are required to:
- Know about the incident
- Know that the information conveyed is true and accurate enough for their certification
- Report the accurate level of detail for each requirement as reporting signatories
Board expertise
While it’s not a requirement to have a chief security information officer (CISO) in a 10-K filing, companies are moving in the direction of cyber-knowledgeable board members to meet the “management’s role” rule. However, it’s no easy task to tackle security liability. The amount of security staff, education, training and internal resources to achieve the oversight of a CISO at the board level is overwhelming for many companies.
To get this level of expertise, while also managing budgets and supplementing internal resources, many organizations have been tapping into virtual CISOs (vCISOs). While not a requirement, having a CISO or vCISO at the helm can ensure that cybersecurity initiatives are taken seriously and actually implemented, that compliance is top of mind for the SEC rule and other industry- or geography-specific requirements, and that the company improves cyber posture overtime to improve business resilience.
Source link