The New SEC Cybersecurity Disclosure Rule Is Live—Now What?

By Press Room | 23 February 2024 | 5 Mins Read

SVP, Cyber Risk Evangelist at Black Kite.

The digital age has ushered in unprecedented opportunities for innovation—and with them come looming cyber threats that can disrupt operations, expose confidential information, tarnish reputations, erode trust and cost millions. This becomes even more complicated when taking into account the number of vendors and partners a company relies on to conduct business, as one company now becomes liable for dozens—or even hundreds—of others.

The “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure” rule from the Securities and Exchange Commission (SEC) is now in effect, and organizations need to start thinking about how they will comply with its provisions. The rule recognizes that cybersecurity incidents have the potential to significantly impact the operations, finances and reputations of public companies, and the SEC’s action promotes transparency, accountability and responsible management of cybersecurity risks for public companies.

It’s not uncommon for new laws and regulations to leave parts open for interpretation, and the new SEC rule is no exception. The main area of confusion is around the concept of materiality. While this isn’t new and has been the norm for publicly traded companies since 1933, technical and cybersecurity leaders and practitioners have historically not been involved in the discussions. Therefore, the concept is somewhat abstract to them.

To get a better handle on the rule, organizations need to consider what materiality actually means and whom it will impact overall. Additionally, there are preparations they can take to ensure compliance despite the lack of a traditional playbook. Here are ways organizations can navigate the SEC security disclosure rule and prepare their teams for ongoing compliance this year.

What is “materiality,” and who decides what is material?

The SEC’s decision to initiate a four-day disclosure clock upon deeming a cybersecurity incident as material—not upon its discovery—demands attention. Materiality, a term the SEC defines with an investor focus, hinges on its potential to sway investment decisions or influence critical shareholder votes. In simpler terms, if it’s something that would concern the CEO and top executives, it might very well be material.

The good news is that the decision of whether something is deemed material doesn’t lie solely with technology or cybersecurity leaders. The bad news is that executives tasked with the determination often don’t understand what the impact of cybersecurity incidents might be on financial and business operations. Ultimately, corporate officers and the board of directors make decisions around materiality, with appropriate input from cybersecurity and technology leaders.

One additional consideration is the impact of third-party incidents on your organization’s posture. A data breach or ransomware attack on one of your critical partners may lead to a material impact on your organization. It’s worth noting that the term “third party” appears over 40 times in the final rule, so it’s critical to be aware of these vulnerabilities.

Who will be impacted by the rule?

Obviously, publicly traded companies need to be in compliance. If you aren’t a publicly traded company, that doesn’t mean you’re off the hook. If you’re a supplier or vendor of a public company, questions will be coming your way so that covered organizations can maintain compliance. In other words, just because you aren’t public doesn’t mean you get to ignore the new rule. Nor does it mean that you can stand down if you’re not in the United States.

Additionally, it is very common for rules such as this to become the standard. In other words, once public companies follow the rule, it will become a benchmark for all companies. For example, the Sarbanes-Oxley Act is a law that governs public companies’ financial accounting and reporting. Private companies, not-for-profit organizations and even some government agencies also follow it even though they aren’t required to do so.

Rules and regulations aside, all companies have an ethical obligation to disclose material incidents. All companies have vendors and partners they need to monitor along the supply chain, and they all have customers they need to serve securely. Ultimately, communication is the best policy for the highest level of security.

What do organizations need to do to be prepared?

In the absence of a one-size-fits-all playbook, there are several best practices that public companies should take note of on their journeys toward compliance.

1. Create a team. Companies should designate business leaders to build better lines of communication with security teams and find out what security and risk management programs they have in place—and articulate this to the board and C-suite. Ideally, companies should create a working group of cybersecurity leaders and business executives to conduct scenario planning around common cybersecurity incidents and what to do when (not if) they become real.

2. Add cybersecurity expertise to your board. While the rule ultimately removed this requirement (much to the chagrin of many), I still strongly suggest that organizations add cyber expertise to their boards of directors or bring in outside experts to brief their boards on roles and responsibilities and act as advisors on how to improve the program and processes. Right now, this role is often missing on the board, but it can help expedite and manage security challenges.

3. Update your 8-K process. The 8-K form now requires issuers to describe material aspects, including the “nature, scope and timing” of the cybersecurity incident as well as “the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.” Drafting 8-Ks should already be a part of a public company’s standard operations, so updating the process should be an easy lift for organizations.

Since the SEC’s new security disclosure rule is now fully in effect, public companies need to take steps to ensure they’re compliant. Preparation is key. Creating your own playbook with an action plan for the C-suite and security leaders within your organization will ensure you’re able to act in compliance with the rule and respond quickly when (not if) an attack occurs.

Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.

Jeffrey Wheatman