In September 2023, the Securities and Exchange Commission (SEC) adopted cybersecurity rules requiring companies to disclose any material cybersecurity incidents they experience, along with information about their cybersecurity risk management strategy and governance. More than a year later, it’s time to assess how companies are adapting.

What Are the SEC Cybersecurity Rules?

The SEC cybersecurity rules cover the timing and method of reporting cyber incidents, whether caused by malicious actors or otherwise. Companies must disclose:

  • Material cyber incidents, within four days of occurrence, on Form 8-K
  • Cybersecurity risk management plans, annually, on Form 10-K

The regulations provide visibility into companies’ cybersecurity risk management frameworks, which were previously closely guarded. The new rules also highlight how companies manage their cyber responsibilities, outlining both employee and board involvement in creating cybersecurity strategies and procedures.

How Adoption Is Going So Far

The road to sector-wide adoption of the new SEC rules has been somewhat bumpy. More than a year later, there is still uncertainty about how the new disclosures work. Several companies—including Microsoft and Hewlett Packard—have publicly disclosed cybersecurity incidents. However, those reports do not yet consistently meet all the SEC cybersecurity disclosure requirements.

The new disclosure rules—intended to give investors complete visibility—require companies to report both the occurrence and impact of cyber incidents. Companies must report the occurrence within four days. They must also provide amendments that disclose the material impact as it becomes apparent.

The cyber incidents at Microsoft and Hewlett Packard involved the compromise of email accounts belonging to executives, legal staff and other teams. Although both companies reported the occurrences within the proper four-day timeframe, neither has disclosed the material impact of the incidents.

This illustrates one of the most significant points of confusion companies have with the new SEC rules: What does “material” mean?

What Makes a Cyber Incident “Material”?

Today, companies generally consider a cybersecurity incident material if it affects their:

  • Operations
  • Financials
  • Legal liability
  • Reputation
  • Or if it is otherwise considered significant to shareholders

That last item leaves a lot of room for interpretation. In May 2024, the SEC issued a statement to provide more guidance, including language for the reporting of non- or not-yet-material cyber incidents, using a different item on Form 8-K. The goal is to increase both investor awareness and company readiness. 

At the same time, the potential for enforcement and penalties for non-compliance is real: The SEC is now taking steps to ensure companies meet the new disclosure requirements. 

How Much Disclosure Is Enough?

Last year, the SEC levied charges against four companies for providing misleading disclosures about their cybersecurity incidents and risk management strategies. The charges signal the end of any grace period for adapting to the rules, and the need for companies to establish internal operational procedures for reporting cyber incidents.

Those procedures require a certain amount of flexibility, and the level of detail in each disclosure must be weighed carefully. Too much technical detail can reveal weaknesses in company systems and point attackers toward further opportunities. Too little detail, or generic language that obscures the impact of the incident, can prompt an investigation by the SEC.

(An experienced financial professional can help your company weigh and balance the risks of too much vs. too little disclosure in your reports, a key reason your CFO should be involved in creating your company’s disclosure strategy.)

Who Implements These Rules?

In many companies, the Chief Information Security Officer (CISO) is responsible for enacting and implementing the policy and procedural changes introduced by the SEC cybersecurity rules. 

The CISO institutes the protocols and procedures for:

  • Detecting and classifying cybersecurity incidents
  • Analyzing and documenting the impact of any incidents
  • Making the required SEC filings

The CISO must collaborate with the executive leadership team—particularly the CEO and CFO—on cybersecurity issues, especially prevention, assessment and remediation. Many boards have also increased their involvement in cybersecurity processes, ensuring companies can maintain the highest standards when working with sensitive financial data. 

Adopt a Compliance Framework

Create or adapt a procedural framework to introduce and maintain compliance. The cybersecurity framework developed by the National Institute of Standards and Technology (NIST) offers comprehensive resources and support to help companies improve their approach to cybersecurity risk management. 

The Finance Team’s Role

While finance professionals are not responsible for implementing cybersecurity measures, forward-thinking financial leaders are deeply invested in effective cybersecurity strategies and practices. 

Your CFO will be on the front line in assessing the financial and operational impact of any cyberattack. They must know which employees have access to financial information, and they must know the procedures for gathering the information needed to make disclosures in a timely and compliant fashion.

Get the Right Cybersecurity Disclosure Advice 

For a company that has just experienced a cyber incident, the disclosure process can feel like an additional administrative burden. However, the right leadership and preparation can lessen that burden.

Paro’s vetted fractional finance experts are ready to help your company manage your cybersecurity compliance and reporting needs. Experienced with compliance protocols and disclosure best practices, Paro’s network of highly qualified finance experts can help your company navigate cybersecurity rules and other reporting requirements.