The final rules requiring disclosure of cybersecurity breaches may push public companies to do a better job of managing cyber risks, but they will also require companies to judge the material effects of a cyberattack carefully.
Adopted on July 26 over the dissent of two commissioners, the cybersecurity risk management, strategy, and governance rules are meant to make company-reported information on cyber incidents and cybersecurity risk management consistent and comparable.
The two-pronged rule covers 8-K reporting of material cybersecurity incidents within four business days of them being deemed “material,” and a new 10-K regulation that requires the issuer to report the process for identifying material cyber risks and management’s role and expertise in assessing and managing those arising from cybersecurity threats. (The disclosure must also describe the board of directors’ oversight of cybersecurity risks.)
“The key driver for regulators remains the undeniable fact that cyber events can have demonstrably material effects on major companies throughout the economy,” said Jamie Gerber, CFO of SimSpace, a provider of network emulation and modeling tools, and former CFO of the Pension Benefit Guaranty Corp.
“This ability to do real damage, enhanced now with new [artificial intelligence] capabilities, combined with the fact that [cyber attacks] can be done silently without hitting the evening news,” is what has made the new rules “both timely and, on balance, a good idea,” Gerber told CFO.
But assessing the materiality of a cyberattack — the crux of the incident disclosures — won’t always be straightforward, said Patrick Niemann, EY Americas audit committee forum leader.
According to Niemann, under the U.S. Supreme Court’s definition of materiality (which will be the standard), companies need to thoroughly and objectively evaluate the total mix of the information, including quantitative and qualitative factors.
“Given the complexity of assessing materiality in the context of cybersecurity incidents, four business days may prove very challenging,” he told CFO.
Said Steve Soter, a vice president at Workiva and former director of SEC reporting for Overstock.com, “The new SEC rule … significantly raises the stakes for how companies assess the materiality of nonfinancial information — including cybersecurity threats — which was already being scrutinized under existing SEC rules to disclose material human capital and the impact of climate.”
According to the SEC, issuers will have to determine materiality “without unreasonable delay,” which will make “the timing and documentation of how companies assess materiality incredibly important,” added Soter.
Unifying the Discussion
Gerber said the more helpful provision of the SEC standards will be the second prong requiring information in the yearly 10-K about the steps a company has taken to lessen the impacts of potential future severe cyber events.
“Regulation S-K helpfully moves the question about cyber response and mitigation into the risk management and effectiveness domain, where it has long belonged,” he said. Compliance will raise the discussions around defensive cybersecurity measures undertaken “to the level of the overall efficacy of those actions against the particular types of cyber risks most significant to a corporation,” Gerber said.
While companies with good cyber risk practices may need incremental effort to meet the requirements in detail, said EY’s Niemann, for other organizations, “this may be an opportunity to consider whether their practices are sufficient and what changes they should make, whether they represent refinements or wholesale changes.”
In general, the SEC sidestepped some potential landmines in the final rule. It put in an exception to the four-day disclosure deadline if reporting would pose a substantial risk to national security or public safety, subject to approval by the U.S. attorney general. The final rule also avoids requiring details of cyberattacks, including technical information, that could provide hackers a “roadmap for future attacks,” stated SEC Commissioner Jaime Lizárraga.
Additionally, the draft rule required companies to disclose whether they have a cyber expert on their board of directors, but that provision was removed. While “the composition of one successful board may need to be distinct from that of another,” said Niemann, “to me, the best directors have relevant business experience, exceptional judgment, and the highest level of integrity that enable them to exercise their important governance and oversight duties.”
“Overly Prescriptive”
The two Republican SEC Commissioners, who opposed parts of the rule, suggested it was overly prescriptive and burdensome for companies. Commissioner Hester Peirce said the “non-material risk management and governance disclosures veer into managing companies’ cyber defenses; the new rule looks like a compliance checklist for handling cyber risk, a checklist the SEC is not qualified to write.”
SEC Commissioner Mark T. Uyeda pointed out that the rules “create new disclosure obligations for cybersecurity matters that do not exist for any other topic.” He said the adopting release contains “no meaningful discussion or reasoning as to why cybersecurity is more material than other risks,” such as customer acquisition and retention, product development, competitors, regulatory approvals, taxes, and supply chain management.
In addition, Uyeda said, the rule breaks new ground by requiring real-time, forward-looking disclosure.
Disclosing material impacts will “necessarily involve forward-looking statements, such as the estimated costs to remediate the incident or the potential loss of customers, and accordingly revenue,” Uyeda said. Since early information can be incomplete and incorrect, “premature public disclosure of a cybersecurity incident at one company could result in uncertainty of vulnerabilities at other companies, especially if it involves a commonly used technology provider,” resulting in a financial market panic, he explained.
The deadlines in the final rule don’t leave companies with much time to prepare. The cybersecurity incident disclosure provision takes effect 90 days after the regulations are published in the Federal Register or December 18, 2023, whichever is later. Cybersecurity risk management disclosures in Form 10-K filings start with the fiscal year ending on or after December 15, 2023. Smaller reporting companies have until June 2024.