The United States Securities and Exchange Commission (SEC) has proposed an updated rule titled "Cybersecurity Risk Management Strategy, Governance, and Incident Disclosure" for publicly traded companies. In this article, I'll guide you through the key points, reporting requirements, and preparation strategies for IT departments.
Cybersecurity has become an increasingly important aspect of modern organizations. As the use of technology grows, so does concern about cybersecurity breaches. Trends such as cryptocurrency, hybrid work, and increasingly sophisticated ransomware now rank among the most significant business risks globally. Regulatory penalties have historically resulted in over $100 million in fines. Data leaks, embarrassment, fines, and loss of investment are the reasons companies are often reluctant to share their cybersecurity information.
Without a consistent standard, incidents are often underreported or reported late. While not every minor incident must be reported, consumers and investors are not sufficiently informed about risks. Most companies mention cybersecurity only briefly in the "Risk" section of their annual reports, or not at all. Given the seriousness of cybersecurity from both a data-protection and an investor perspective, these practices are irresponsible. Materiality is the measure of whether a piece of information might affect an investor's decisions.
Business type and size set the parameters that determine materiality. For example, if a small business opens a new store, this is likely considered material; a large retail chain opening a new store would not be. Because these determinations can significantly affect whether a company receives funding from potential investors, they are essential information.
Why is the SEC involved?
The SEC promotes full public disclosure, protects investors against fraudulent securities market practices, and monitors corporate takeover activity. It also adapts disclosure requirements as conditions and technologies change and become "material." Perhaps the best-known recent change concerns sustainability (Environmental, Social, and Governance, also known as ESG). The potential business impact, specifically on investors, cannot be overstated; it is what has triggered these rule changes.
Annual reports (10-K) and quarterly reports (10-Q) are disclosure requirements imposed by the SEC. A "Form 8-K" must be filed within four days if an unexpected material change occurs, such as the company being acquired by another organization. Although preparing these reports is burdensome and a common reason businesses choose not to go public, reporting is legally required, and that now includes cybersecurity.
Updated Reporting Requirements
Because the document outlining the new rule is lengthy, I'll break down the key points. The new requirements are adjustments to the annual report (10-K), the quarterly report (10-Q), and Form 8-K. Form 8-K affects IT the most. There are other form changes, but those are of limited interest to IT.
Form 8-K: Disclose material cybersecurity incidents within four days in "Inline XBRL" format.
There are five parts to reporting each incident:
- Timing: When did the incident start? Is it ongoing?
- Description: What was the nature and scope of the incident?
- Data Breach: Was any data stolen, altered, accessed, or used for any unauthorized purpose?
- Effect: What is the impact on the company's operations?
- Remediation: Has the incident been remediated, or is it currently in the remediation process?
10-K and 10-Q: Previously undisclosed incidents must be disclosed, particularly when they are material in aggregate. Updated information regarding previously disclosed incidents is also required.
10-K specific changes:
- Policies and Procedures: Policies and procedures for identifying and managing cybersecurity risks.
- Governance: The cybersecurity governance policy, including the board's oversight role.
- Management's Role: Management's role and expertise in assessing and managing cybersecurity risks and implementing policies, procedures, and strategies.
How should IT professionals prepare?
Document Risk Management and Staff Experience: Adopt written policies and procedures addressing administrative, technical, and physical safeguards to protect customer records and information.
Access Cybersecurity Incident Details: Many organizations treat cybersecurity incidents as carefully guarded secrets. The SEC's new rules require incidents to be fully disclosed.
Have an Incident Response Policy: An incident response policy is critical to handling issues quickly. The companies penalized most heavily are those without an effective incident response policy. Many companies have written cybersecurity policies and carefully managed controls but no written incident response policy. Your policy should cover the following points:
- Who responds to incidents?
- How is the severity of an incident determined?
- How is the incident contained and controlled?
- How and when are internal, customer, regulator, and law enforcement officials informed?
Collaborate with your financial accounting team: Just like IT professionals, accountants have various specialties; financial accountants handle external reporting. You will need to provide the financial accountants with cybersecurity information so it can be appropriately addressed in the periodic reports. More importantly, you need their guidance on which types of security incidents they want detailed information on. Typically, they will want information even on incidents that are not material, because records on all incidents are necessary in case they become material "in aggregate". You will not create the report, but your financial accountant will need your input.
Review Existing Policies and Records: For the governance and experience portions of the periodic reports, you may be able to leverage existing security compliance reports, including SOC or ISO 27001. These reports typically have enough information on the cybersecurity policy and controls to enable copy and paste into the periodic reports.
Understand XBRL: XBRL is an XML "schema" for financial reporting that has been in use for over 20 years. While it is helpful to understand the specification and what XBRL documents look like, you are unlikely to create them yourself. Several commercial and open-source tools will do this, even converting Excel to XBRL. The XBRL specification can be viewed here: http://www.xbrl.org/Specification/XBRL-2.1/REC-2003-12-31/XBRL-2.1-REC-2003-12-31+corrected-errata-2013-02-20.html.
The scrutiny that cybersecurity policies face has increased dramatically in recent years and will continue to do so. By keeping policies and records up to date, rule changes such as the one outlined in this article will require far less adjustment, and further changes and expectations seem inevitable. Understanding the key points, collaborating with accounting teams, and staying aware of cybersecurity trends will set IT professionals up for easier transitions.