[author: Bill McLaughlin*]
CEP Magazine (November 2024)
The U.S. Securities and Exchange Commission (SEC) Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rules officially went into effect in December 2023.[1] Aimed at improving cybersecurity risk management at public companies, the rules intended to protect investors by enforcing operational and strategic transparency. Public companies must now disclose major cybersecurity incidents and provide annual updates on how they approach cybersecurity resilience and governance.
Yet, almost one year later, many organizations are still unclear on core aspects of the SEC’s cybersecurity and disclosure rules. Compliance professionals especially are overwhelmed—they have tremendous responsibility when it comes to ensuring companies fulfill their regulatory obligations on an ongoing basis and in the event of an incident.
The goal of this article is to clarify what the SEC now requires of public companies when it comes to cybersecurity. Summarized below are best practices compliance leaders can implement today to bolster their organization’s ability to prevent, address, and grow from cybersecurity incidents.
A brief documentation overview
The SEC’s cybersecurity disclosure rules come with strict documentation requirements, especially as it relates to 8-K and 10-K filings. In both cases, compliance teams should provide as much information as possible whenever submitting these forms.
When it comes to 10-K filings, companies must include information about their cybersecurity strategies, risks, and governance practices, as well as summarize any material incidents. These filings should also include information on who in the enterprise has oversight over cybersecurity. More sophisticated cybersecurity organizations will have a chief information security officer (CISO) ultimately accountable for cybersecurity activity and strategy. The CISO and compliance team should work closely on all regulatory filings and remain in constant communication as cybersecurity practice evolves.
However, organizations that don’t have a CISO can still meet the 10-K’s cybersecurity management rule by ensuring sufficient cybersecurity expertise exists on the board of directors and within the organization. To do this, companies could consider hiring a virtual CISO or an external team of cybersecurity professionals via a managed service provider. This is an effective strategy for quickly tapping into cybersecurity know-how when in-house experience is limited, or for organizations that lack the resources to hire dedicated cybersecurity talent. These external groups also often have compliance expertise and can share the regulatory burden with internal compliance leaders. Whether the resource is an outside provider or a dedicated internal hire, compliance leaders should keep an open line of communication with these individuals and work closely with information security teams to ensure proper documentation of any incident that occurs.
Public companies are also now responsible for filing 8-K reports for any “material” cybersecurity incidents. These 8-K filings must provide enough context for stakeholders to understand the issue, scope, timing, and impact so that they can make informed investment decisions. When it comes to the 8-K, specifically, being able to discern a material incident from a nonmaterial incident is paramount. It’s important for compliance leaders to have a strong grasp of this idea and educate the enterprise on how to respond appropriately.
What is materiality in 8-K filings?
The definition of a material corporate event differs from company to company and depends on a range of factors. Ultimately, the SEC considers an event to be material if a rational individual would want to know about that incident when deciding whether to invest in the company. It’s up to compliance and cybersecurity executives to draw this line. Additionally, the nature of the SEC’s definition means that companies should consider both the financial and nonfinancial impacts of any cybersecurity incidents.
One framework compliance professionals can use to assess materiality is to analyze how a cybersecurity event affects five areas: finances, operations, reputation, compliance, and customer/stakeholder experience.
Here are guiding questions for each category:
- Finances: How did the incident affect sales, revenues, and costs? How will it affect these metrics going forward? Did the organization have to make ransomware payments?
- Operations: Did the company experience any downtime? Were critical systems compromised? Was any data lost or stolen?
- Reputation: Did the incident affect any partner relationships? How do consumers perceive the event? What about investors? How did the media portray the event?
- Compliance: Was the organization operating in or out of compliance when the incident occurred? Did the incident affect current compliance practices?
- Customer/stakeholder experience: Was any sensitive customer or stakeholder data compromised? Were any customer businesses affected? What about supply chains?
Those in compliance should establish clear processes for analyzing a cybersecurity incident along the dimensions above to determine its materiality. Having a standard methodology is essential for filing an accurate 8-K within the required four-day window. This window begins the first business day after an incident has been identified, not after it occurs. It’s possible for an organization to relabel an incident as material after initially determining otherwise. In this case, the four-day window begins after the organization determines materiality.
The SEC recognizes it may not be possible to fully identify an incident’s cause, remediation, and impact within four days, which is why follow-up reports are crucial. Compliance teams should provide as much information as possible in initial filings and submit updated documentation as details surface. Furthermore, the initial 8-K filing and subsequent updates should be board-certified, which means boards of directors should be aware of any incidents and be able to confirm the accuracy of any details provided in an SEC filing. To file reports, companies use the SEC’s Electronic Data Gathering, Analysis, and Retrieval (EDGAR) system.
Creating a robust compliance culture
While the SEC’s disclosure rules may seem like a burden, they are a powerful forcing function for identifying and rectifying cybersecurity shortcomings. Compliance teams should view 8-K and 10-K filings as an opportunity to improve the organization’s cybersecurity capabilities and ensure it follows best practices. The SEC also offers readiness assessments to help compliance professionals evaluate the organization’s ability to respond and report on incidents. These assessments are invaluable for uncovering potential risks and mitigating them proactively before a cyberattack occurs.
Creating a compliance-focused culture also requires ongoing education and training for cybersecurity employees. The more people who understand the company’s regulatory obligations, the better. This education makes it easier to implement new processes, tools, and systems that help quantify and report on cybersecurity incidents.
Yet, building robust cybersecurity capabilities and fulfilling the SEC’s disclosure rules are significant undertakings for any public company. Compliance leaders are accountable for a domain that is becoming increasingly complex while dealing with cyber risks that are constantly evolving. As a result, more organizations are turning to managed security service providers (MSSPs) that take on much of the burden associated with building, maintaining, and safeguarding cybersecurity ecosystems. Some MSSPs will even take on the SEC reporting burden, enabling in-house compliance and security teams to focus more on remediating gaps and addressing vulnerabilities. Compliance leaders who are struggling can find reprieve in an MSSP and partner with experienced professionals who know how to guide large public organizations through the modern regulatory landscape.
The costs of material incidents
Many types of cybersecurity events can rise to the level of a material incident. Some examples include data breaches, tampering, malware, and unauthorized use or access. When all the impact categories above are considered, a cybersecurity event can cost companies millions or even billions of dollars. A single cybersecurity incident could result in lost business, decreased productivity, legal fees, increased insurance premiums, remediation costs, and regulatory fines. The consequences of an event can also ripple out and affect the broader industry or related industries. What’s more, cybersecurity incidents often disproportionately affect smaller organizations with less mature cybersecurity functions. While the overall impact of an issue may be less, the damage to the organization itself can be irreversible.
To mitigate risk, compliance professionals should always seek guidance from legal experts when dealing with an incident and push the organization to improve continuously. Compliance teams should keep thorough records of what happened, how the company responded, and what communications went out to various stakeholder groups—regulators, customers, business partners, etc. Thorough documentation makes regulatory compliance and future incident response much easier by increasing the collective cybersecurity knowledge within the business.
Takeaways
- The U.S. Securities and Exchange Commission (SEC) Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rules officially took effect in December 2023.
- The definition of a material corporate event differs from company to company and depends on a range of factors.
- In 8-K and 10-K filings, compliance teams should provide as much information as possible whenever submitting these forms.
- SEC readiness assessments are invaluable for uncovering potential risks and mitigating them proactively before a cyberattack occurs.
- Compliance teams should keep thorough records of what happened, how the company responded, and what communications went out to various stakeholder groups.
*Bill McLaughlin is the President of Thrive in New York City, New York, USA.
1 Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, 88 Fed. Reg. 51,896 (Aug. 4, 2023), https://www.federalregister.gov/documents/2023/08/04/2023-16194/cybersecurity-risk-management-strategy-governance-and-incident-disclosure.