
Why new SEC cybersecurity rules require an integrated approach

New SEC cybersecurity rules require considerations related to risk management and strategy, governance and incident disclosure.


Executive summary

  • Compliance with the SEC’s new cyber disclosure rules requires an integrated approach between stakeholders to enhance policies, procedures and controls.
  • Establishing a materiality framework for cyber incidents will be a determining factor in a company’s ability to assess and disclose material incidents timely.
  • Internal audit can play a key role to drive compliance by performing an advisory-focused SEC disclosure readiness assessment.

The rules adopted by the U.S. Securities and Exchange Commission (the SEC or Commission) are intended to enhance and standardize disclosures by requiring registrants to timely report on cybersecurity incidents on Forms 8-K and 6-K and make disclosures about their cybersecurity risk management, strategy and governance in annual reports on Forms 10-K and 20-F.


What’s changed?


In 2011, the Division of Corporation Finance (the Division) issued interpretive guidance providing the Division’s views concerning operating companies’ disclosure obligations relating to cybersecurity (the 2011 Staff Guidance). In that guidance, the staff observed that “[a]lthough no existing disclosure requirement explicitly refers to cybersecurity risks and cyber incidents, a number of disclosure requirements may impose an obligation on registrants to disclose such risks and incidents,” and further that “material information regarding cybersecurity risks and cyber incidents is required to be disclosed when necessary in order to make other required disclosures, in light of the circumstances under which they are made, not misleading.”


In 2018, “[i]n light of the increasing significance of cybersecurity incidents,” the Commission issued interpretive guidance to reinforce and expand upon the 2011 Staff Guidance and to address the importance of cybersecurity policies and procedures, as well as the application of insider trading prohibitions in the context of cybersecurity (the 2018 Interpretive Release). The 2018 Interpretive Release noted that companies can provide current reports on Form 8-K and Form 6-K to maintain the accuracy and completeness of effective shelf registration statements, and it also advised companies to consider whether it may be appropriate to implement restrictions on insider trading during the period following an incident and prior to disclosure.

Why did the SEC issue more cyber guidance?

In considering the new rules, the SEC determined that current disclosure practices are varied and often mixed with other disclosures, making cyber disclosures difficult to find. Additionally, several current trends elevate the prevalence and potential severity of cybersecurity threats:

  • An ever-increasing share of economic activity is dependent on electronic systems, such that disruptions to those systems can have significant effects on registrants and, in the case of large-scale attacks, systemic effects on the economy as a whole. 
  • There has been a substantial rise in the prevalence of cybersecurity incidents, propelled by several factors, including:
    • The increase in remote work spurred by the COVID-19 pandemic
    • The increasing reliance on third-party service providers for information technology services 
    • Rapid monetization of cyber attacks facilitated by ransomware, black markets for stolen data and crypto-asset technology
  • The costs and adverse consequences of cybersecurity incidents to companies are increasing; such costs include business interruption, lost revenue, ransom payments, remediation costs, liabilities to affected parties, cybersecurity protection costs, lost assets, litigation risks and reputational damage.

What’s new in the SEC cybersecurity rules?

All SEC registrants must provide cybersecurity disclosures regarding cybersecurity risk management, strategy and governance beginning with annual reports for fiscal years ending on or after December 15, 2023, and incident reporting after December 18, 2023 (see Appendix A for further summary of the disclosure requirements). Below we discuss the rules and our insights about what is “new” from an SEC perspective. Under the new ruling, disclosures are required in annual reports (e.g., governance, risk and policy disclosures in the Form 10-K or Form 20-F) or current reports (e.g., incident reporting in Form 8-K or 6-K); therefore, policies, processes and controls are required to be defined and documented to support disclosure controls and procedures requirements in accordance with Section 302 of the Sarbanes-Oxley Act (SOX).

Key questions: considerations for board and executive management


Chapter 1

Governance

Review what the rules say and key insights and observations with respect to governance.

What the rules say regarding governance

With respect to governance, registrants are required to disclose:

  • The board’s role in overseeing risks from cybersecurity threats
  • The board committee or subcommittee that oversees cybersecurity risks, if applicable, and the processes by which the committee is informed about such risks
  • Management’s role in assessing and managing material risks from cybersecurity threats, including whether certain management positions or committees are responsible for assessing and managing cybersecurity risk and their relevant expertise 
  • The processes by which management is informed about and monitors the prevention, detection, mitigation and remediation of cybersecurity incidents, including whether management reports information about such risks to the board

Insights and observations regarding governance 

We have observed that many companies have expanded their cyber governance disclosures over the last several years. Accordingly, some companies may have well-established governance practices and policies with respect to cybersecurity and require only incremental changes to meet the explicit disclosure requirements under the new SEC rules. However, the preparation and reporting of additional disclosure is subject to a company’s disclosure controls and procedures. As a result, we believe companies may reconsider their existing governance policies and procedures to determine potential gaps against governance leading practices and opportunities to enhance their written controls and policies. These considerations may entail the following:

  • Depending on who is responsible for board oversight, board charters may require updating to specify the committee’s responsibilities and role in providing oversight to the organization.
  • Companies may reconsider the frequency with which management reports to the board and related committees. For example, reporting quarterly to the audit and risk committee and annually to the board is common in practice. 
  • Management may consider including the following in its board materials to help the board provide effective oversight:
    • Overview of the cybersecurity organization 
    • Annual risk assessment process and outcomes, including the risk mitigation strategies for material risks
    • Security trends
    • Cybersecurity control effectiveness
    • Major security initiatives
    • Material incidents, impact and related remediation plans
    • Security awareness training program 
    • Results of phishing tests
    • Cybersecurity metrics dashboard
    • Results of external assessments and benchmarking
  • Because companies are required to disclose “management’s role in assessing and managing material risks from cybersecurity threats, including whether certain management positions or committees are responsible for assessing and managing cybersecurity risk and their relevant expertise,” companies may consider the organizational structure and operating model for those involved in cybersecurity broadly (e.g., beyond the IT organization, finance and legal).
  • Because companies are required to disclose the “process for informing management about prevention, detection, mitigation and remediation of cybersecurity incidents,” written policies and procedures in these areas are recommended.

Policies, procedures and controls

  • Companies need to consider the policies they have in place to support the disclosures, such as those included in NIST 800-53 or ISO 27001. 
  • As it relates to employees, companies may consider updating their codes of conduct and whistle-blower/speak up policies to make sure they specify requirements for employees to report incidents, including a definition of what reporting is required under certain scenarios. 
  • To support completeness of incidents, companies may consider updating their disclosure committee charters to incorporate cyber incident reporting into the responsibilities of executive management and through the representation letter process that supports current SOX Section 302 controls. As companies review the defensibility of their cybersecurity programs and management’s responsibilities for controls and procedures under Section 302, considerations around documenting execution protocols, including roles and responsibilities, for all relevant policies are critical for compliance. 
  • Companies may consider enhancing entity-level controls by incorporating specific cybersecurity language into each entity-level control that aligns to each COSO principle. Some common examples may include:
    • Enhancing the disclosure committee entity-level control to incorporate cybersecurity considerations
    • Enhancing the code of conduct and whistle-blower/speak up program to incorporate cybersecurity considerations
    • Formalizing a control around the annual tabletop incident response exercise
    • Enhancing the control over policy governance to include cybersecurity policies
    • Including the cybersecurity risk assessment into the overall risk management framework and related controls

Chapter 2

Risk management

Review what the rules say and key insights and observations with respect to risk management.

What the rules say regarding risk management

With respect to risk management and strategy, registrants are required to disclose:

  • The processes, if any, to assess, identify and manage risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes, including: 
    • Whether and how any such processes have been integrated into the registrant’s overall risk management system or processes
    • Whether the registrant uses assessors, consultants, auditors or other third parties in connection with such processes 
    • The processes in place, if any, to oversee and identify risks related to the use of third-party service providers
  • Whether risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect their business strategy, results of operations or financial condition

Insights and observations regarding risk management

Many organizations have robust risk assessment programs to identify, assess, mitigate and monitor cybersecurity threats. We have compiled a few observations and related insights as registrants consider how to prepare for compliance and beyond:

  • Even though the rules say registrants must disclose “the processes, if any,” when referring to the registrant’s risk assessment process for cybersecurity threats, we believe that performing a risk assessment creates a more defensible mechanism to determine how resources are allocated to preventive, detective and mitigating activities by both management and the board. Without narrowing down the potential population of cybersecurity threats to those that are the most critical, there may be an inappropriate and unreasonable expectation from stakeholders about the breadth and depth of preventive, detective and mitigating activities and the allocation of resources to these activities. This is consistent with the SEC’s views in several areas, including the application of internal controls over financial reporting where the level of evidence required for these controls is based on risk.
  • Organizations may want to reconsider their risk management methodology and choose a standard framework for identifying, assessing, mitigating and monitoring risks, aligned with COSO or another acceptable framework. 
  • Because the rules require companies to disclose risks from cybersecurity threats that are “reasonably likely to materially affect their business strategy, results of operations or financial condition,” companies may need to validate that the framework they use to define the potential severity of risks aligns with the SEC’s definition of materiality (e.g., vulnerability management assessment).
  • From an external audit perspective, the auditor has a responsibility to read the disclosures and understand them. External auditors also need to make sure there is nothing in the disclosures that contradicts their understanding and what is documented in audit workpapers. However, the audit opinion does not directly cover the disclosure.

Chapter 3

Incident disclosure

Review what the rules say and key insights and observations with respect to incident disclosure.

What the rules say regarding incident disclosure

The rules state that what constitutes materiality for purposes of determining whether an incident must be reported in a Form 8-K is consistent with the Supreme Court’s definition of materiality,¹ and registrants need to thoroughly and objectively evaluate the total mix of information, taking into consideration all relevant facts and circumstances of the cybersecurity incident, including quantitative and qualitative factors.

The rules expand the definition of “cybersecurity incident” to include “a series of related unauthorized occurrences,” which reflects the fact that cyber attacks sometimes occur over time (see Appendix B for SEC cybersecurity definitions). The rules say that the Form 8-K requirement could be triggered even if the material impact to the registrant is caused by a series of individually immaterial related cyber attacks.

Insights and observations regarding incident disclosure

Many organizations have cyber incident reporting programs to identify, assess, mitigate and monitor cybersecurity threats. However, in 2020, of the 74,098 Form 8-K filings involving 7,021 filers, only 40 filings reported material cybersecurity incidents. Below we have compiled observations and related insights as registrants consider how to prepare for compliance and beyond:

As companies consider developing or refining their materiality assessment and reporting processes, they may consider the following:

  • Assembling the right cross-functional team (IT, finance, legal, etc.) and defining key roles and responsibilities
  • Leveraging existing materiality policies or practices, if any, and/or other materiality framework tools
  • Documenting policies and process flows as part of the organization’s disclosure controls and procedures — having a well-established understanding of how materiality assessments will be conducted will be critical for companies to comply with the new rules
  • Designing a process to identify incidents, including defining “related” unauthorized occurrences to track and monitor for materiality
  • Updating or establishing incident reporting policies and procedures with established criteria, including defining the severity of incidents and implementing processes for escalating to management to make timely materiality decisions
  • Establishing quantitative and qualitative factors (e.g., cost categories) necessary to make materiality assessments, including necessary data inputs and assumptions to make estimates
  • Implementing processes to accumulate the necessary information to timely report incidents within four business days

Materiality assessments may be challenging for companies, and frameworks may need to be developed to consider:

  • The total mix of information, perhaps including qualitative and quantitative factors, such as those included in Staff Accounting Bulletin No. 99 
  • Direct and indirect costs of the incident, including remediation, downtime, insurance, brand, reputational impact, intellectual property loss, and the internal and external costs associated with the investigation itself

What constitutes materiality for purposes of determining whether an incident must be reported in the Form 8-K would be consistent with the Supreme Court’s definition of materiality. This would include considering whether an incident is material because “there is a substantial likelihood that a reasonable shareholder would consider it important” in making an investment decision, and/or if it would have “significantly altered the ‘total mix’ of information available.”

The SEC noted that Form 8-K Item 1.05 does not specify whether the materiality determination should be performed by the board, a board committee, or one or more officers. The company may establish a policy tasking one or more persons to make the materiality determination. Companies should seek to provide those tasked with the materiality determination information sufficient to make disclosure decisions. Many organizations are considering establishing cross-disciplinary evaluation or other committees that consider the materiality of information, and these committees would participate in these assessments, along with cybersecurity specialists and external securities counsel.

As companies think about qualitative considerations for materiality, one or more of the following qualitative examples may trigger filing a material cybersecurity incident Form 8-K with the SEC: 

  • Press release(s) describing the incident and/or impacts
  • Ransom payment
  • Notification by law enforcement (e.g., the FBI) or a third party of loss of information or control
  • Notification of board by management 
  • Notification to regulatory authorities 
  • Customer notification(s)
  • Supplier notification(s) (e.g., a key supplier discloses a material event and the company’s investors know the company is highly reliant on the supplier) 
  • Impaired ability to produce a product or deliver a service over a period of time due to the breach
  • Competitive advantage lost or damaged, even if only temporarily
  • Reputational or brand risk

Companies may find the requirement to report “a series of related unauthorized occurrences” challenging because the rule does not define “related.” Companies may need to develop a process to track individually immaterial related incidents over an undefined period and identify controls over that process to make sure they are reporting all cybersecurity incidents subject to the rule. If a registrant concludes that an incident is immaterial, it should have processes and controls in place to confirm that the immaterial incident is not related to prior incidents.


The SEC stated in the adopting release that adhering to normal internal practices and disclosure controls and procedures will suffice to demonstrate good faith compliance with the “without unreasonable delay” provision. However, if a registrant revised its existing incident response policies and procedures, changed the criteria required to report an incident to management or committees, or introduced other steps to delay the materiality determination or disclosure, that would constitute an unreasonable delay.


Registrants are not exempt from providing disclosures regarding cybersecurity incidents on third-party systems they use. Depending on the circumstances of an incident that occurs on a third-party system, disclosure may be required by both the service provider and the customer, or by one but not the other, or by neither. 


The SEC recognizes that companies may have reduced visibility into third-party systems, and thus, registrants should make their disclosures based on the information available to them.

The final rules generally do not require that registrants conduct additional inquiries outside of their regular channels of communication with third-party service providers pursuant to those contracts and in accordance with registrants’ disclosure controls and procedures. However, companies may want to consider performing scans of contractual terms around cyber incident reporting to inform future contractual requirements. Additionally, they may want to consider how they communicate with third-party service providers (i.e., what information about incidents they receive and when).


Registrants should also consider whether their third-party providers are nonpublic entities and how they may be gathering data for incident reporting since they aren’t subject to reporting under the final rules. 

Many companies currently only track cyber incidents related to their IT vendors and will want to consider a more holistic evaluation of cyber risks for all vendors.

Companies may consider performing a “tabletop” exercise to validate their incident response across several scenarios. Such exercises should incorporate a cross-functional team, including legal, finance and IT, to help stakeholders understand their roles and responsibilities in the event of an incident. Formalizing this exercise into an annual control that can be evaluated and tested by internal audit is a leading practice.


Chapter 4

Internal audit’s role

Given the short time frame to comply, internal audit’s involvement for 2023 will likely be advisory in nature.

We are seeing internal audit (IA) departments developing advisory programs to assess the readiness and design of management’s program across all required areas, and to provide findings related to compliance this year and recommendations for future periods. The output may include an assessment of the current state design, a prioritized list of recommendations, a risk control matrix to document current and future state operational and reporting controls, and a RACI (responsible, accountable, consulted and informed) matrix to help management better define roles and responsibilities across functions and within the consolidated group. As all SEC registrants must provide cybersecurity disclosures beginning with annual reports for fiscal years ending on or after December 15, 2023, IA departments performing a readiness assessment should begin procedures as quickly as possible. IA departments should make sure assessments are completed early enough to allow management to implement recommendations before the ruling takes effect.

We believe this is a leading practice to support management as they work through the requirements. Additionally, it provides the opportunity for the IA department to suggest better practices to implement over time to enhance the program’s defensibility.

Appendix A – Summary description of the disclosure requirements

Regulation S-K Item 106(b) — Risk management and strategy

Registrants must describe their processes, if any, for the assessment, identification and management of material risks from cybersecurity threats, and describe whether any risks from cybersecurity threats have materially affected or are reasonably likely to materially affect their business strategy, results of operations or financial condition.

Regulation S-K Item 106(c) — Governance

Registrants must:

  • Describe the board’s oversight of risks from cybersecurity threats.
  • Describe management’s role in assessing and managing material risks from cybersecurity threats. 

Form 8-K Item 1.05 — Material Cybersecurity Incidents

Registrants must disclose any cybersecurity incident they experience that is determined to be material, and describe the material aspects of its:

  • Nature, scope and timing
  • Impact or reasonably likely impact on the registrant, including its financial condition and results of operations

An Item 1.05 Form 8-K must be filed within four business days of determining an incident was material. A registrant may delay filing as described below, if the US Attorney General determines immediate disclosure would pose a substantial risk to national security or public safety.

Registrants must amend a prior Item 1.05 Form 8-K to disclose any information called for in Item 1.05(a) that was not determined or was unavailable at the time of the initial Form 8-K filing. 

Form 20-F

Foreign private issuers (FPIs) must:

  • Describe the board’s oversight of risks from cybersecurity threats.
  • Describe management’s role in assessing and managing material risks from cybersecurity threats.

Form 6-K

FPIs must furnish information on material cybersecurity incidents promptly on the Form 6-K if the information is (1) distributed to stockholders or to a national exchange (if the information is made public by that exchange) or (2) required to be made public under the registrant’s domestic laws.

Appendix B – SEC cybersecurity definitions

Cybersecurity incident

A cybersecurity incident means an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity or availability of a registrant’s information systems or any information residing therein.

Cybersecurity threat

A cybersecurity threat means any potential unauthorized occurrence on or conducted through a registrant’s information systems that may result in adverse effects on the confidentiality, integrity or availability of a registrant’s information systems or any information residing therein.

Information systems

Information systems mean electronic information resources, owned or used by the registrant, including physical or virtual infrastructure controlled by such information resources, or components thereof, organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of the registrant’s information to maintain or support the registrant’s operations.

Special thanks to Andrea Craig, Dan S. Helwing, Kyle D. Brunell and Jason Jacko for contributions to this article.

Summary 

Even companies with highly mature cybersecurity and disclosure processes likely have some work to do to fully comply with the new rules. SEC registrants should start their readiness journey by conducting a cross-functional readiness session with their executive management team to inform on the rules, validate the current state and align on next steps. Then, companies must move quickly to enhance policies, processes and controls in order to disclose on cyber beginning with annual reports for fiscal years ending on or after December 15, 2023.
