Cybersecurity Reporting Trends: Navigating SEC Regulations
Cybersecurity has rapidly become a paramount concern in corporate governance, fundamentally altering how publicly traded companies approach risk management and disclosure. The U.S. Securities and Exchange Commission’s (SEC) recent rules on cybersecurity risk management, strategy, governance, and incident disclosure have introduced new complexities into corporate reporting. Companies now face a critical challenge: meeting regulatory requirements while providing meaningful information without overexposure or unnecessary detail.
Effective December 15, 2023, the SEC’s regulations mandate proactive and reactive cybersecurity reporting. Organizations must annually disclose detailed information about their cybersecurity risk management and governance in Form 10-K. Additionally, if a material cybersecurity incident occurs, companies must report it in Form 8-K within four business days of determining its materiality.
Balancing the depth and breadth of these disclosures is no simple task. Under-disclosure risks non-compliance and potential enforcement actions, while over-disclosure could inadvertently reveal vulnerabilities or sensitive information. To better understand how peers are handling these challenges, organizations are analyzing SEC filing trends to extract actionable insights.
Cybersecurity Risks: Insights from 10-K Filings
An examination of approximately 5,800 Form 10-K filings (including amendments) between mid-December 2023 and April 2024 revealed that the healthcare, financial services, and industrial sectors were the most active. Notably, 80% of these filings contained fewer than 900 words dedicated to Item 1C: Cybersecurity Disclosures. This analysis suggests a trend toward concise reporting that focuses on essential information without overwhelming stakeholders.
Material Cybersecurity Incidents: Lessons from 8-K Filings
A review of 17 Form 8-K filings under Item 1.05 during the first six months following the new rules showed that companies are filing promptly and keeping disclosures succinct—averaging around 200 words. Most filings disclosed the incident detection date but noted that the financial impact was still undetermined.
Despite the requirement to report material cybersecurity incidents, many companies expressed uncertainty about the materiality of the incidents they reported. This tendency to report incidents even when materiality is unclear led the SEC to issue guidance in May 2024. The SEC recommended that non-material incidents be reported under different sections, such as Item 8.01 of Form 8-K, to prevent investor confusion.
Recent SEC Clarifications on Cybersecurity Disclosures
Adding another dimension to the disclosure landscape, Erik Gerding, Director of the SEC’s Division of Corporation Finance, provided further clarification on June 20, 2024. Companies had raised concerns about discussing cybersecurity incidents beyond the mandatory disclosures required under Item 1.05 of Form 8-K.
Gerding clarified that while companies may engage in additional discussions, they must be mindful of Regulation FD (Fair Disclosure), which aims to prevent selective disclosure of material nonpublic information. He outlined scenarios where companies can share information without triggering public disclosure requirements:
- Immaterial Information: Sharing details that aren’t material.
- Non-Covered Persons: Communicating with individuals not covered by Regulation FD.
- Duty of Trust or Confidence: Engaging with parties obligated to maintain confidentiality.
- Confidential Agreements: Using nondisclosure agreements (NDAs) to protect shared information.
By carefully navigating these provisions, companies can manage disclosures effectively while maintaining compliance.
Striking the Right Balance in Disclosure Language
The SEC’s recent enforcement actions against several companies underscored the challenge of providing sufficient yet appropriate disclosure. On October 22, 2024, the SEC charged several companies with making materially misleading disclosures regarding cybersecurity risks and incidents. Penalties ranged from $990,000 to $4 million.
These companies were found to have either downplayed the extent of cybersecurity breaches or provided generic and misleading statements in their disclosures. For instance:
- Avaya Holdings Corp. minimized the incident by stating that only a “limited number” of emails were accessed when, in reality, the intrusion was more extensive.
- Check Point Software Technologies Ltd provided generic disclosures without acknowledging known intrusions.
Sanjay Wadhwa, Acting Director of the SEC’s Division of Enforcement, emphasized that companies should not “further victimize their shareholders or other members of the investing public by providing misleading disclosures about the cybersecurity incidents they have encountered.”
These enforcement actions highlight the importance of accurate and transparent disclosures. Companies must avoid both understatements and overgeneralizations that could mislead investors. The SEC’s actions make it clear that omissions and half-truths can result in significant penalties.
The Role of Integrated Risk Management (IRM)
Amid these complexities, Integrated Risk Management (IRM) emerges as both a strategic approach and a technological solution that can streamline the disclosure process, making it more efficient and accurate.
IRM is a comprehensive approach to managing risk that links disciplines related to Enterprise Risk Management (ERM), Operational Risk Management (ORM), Technology Risk Management (TRM), and Governance, Risk, and Compliance (GRC). By integrating these areas, IRM provides a unified view of the organization’s risk profile, enabling more effective decision-making. As a technology, IRM platforms integrate data from various sources, automate workflows, and provide real-time analytics and reporting capabilities.
How IRM Facilitates Better Cybersecurity Disclosures
- Centralized Risk Data – IRM systems consolidate risk-related data across the organization into a single platform. This centralization ensures that all relevant information is readily available when assessing the materiality of a cybersecurity incident. It reduces the time spent gathering data from disparate sources, allowing for more timely and accurate disclosures.
- Automated Workflows and Notifications – With IRM technology, companies can automate the workflows associated with incident response and disclosure. Automated notifications alert key stakeholders when a cybersecurity incident occurs, ensuring that the right people are promptly involved in the materiality assessment process.
- Enhanced Collaboration – IRM platforms facilitate cross-functional collaboration by providing a shared workspace where IT, legal, compliance, and finance teams can work together seamlessly. This collaboration is crucial for developing a comprehensive understanding of an incident’s impact and crafting accurate disclosures.
- Real-Time Analytics and Reporting – IRM solutions offer real-time analytics that help quantify the potential impact of a cybersecurity incident. By providing dashboards and reports that assess financial, operational, and reputational risks, IRM tools support more informed decision-making regarding disclosure obligations.
- Regulatory Compliance Management – IRM platforms often include modules designed to track regulatory requirements and map them to internal controls and policies. This feature ensures that companies know their obligations under SEC rules and can demonstrate compliance during audits or investigations.
- Audit Trails and Documentation – IRM systems maintain detailed records of all actions taken during risk assessments and incident responses. These audit trails are invaluable for demonstrating due diligence to regulators and can protect the company in the event of legal scrutiny.
Developing a Defensible Process with IRM
By integrating IRM practices and technology, companies can establish a robust, defensible process for assessing the materiality of cybersecurity incidents and determining appropriate disclosures.
- Materiality Playbooks within IRM Systems – IRM platforms can house materiality assessment frameworks, including rules and decision trees tailored to the organization’s risk appetite and regulatory obligations. This automation ensures consistency in how incidents are evaluated across the organization.
- Scenario Planning and Simulation – IRM tools can simulate the impact of various cybersecurity incidents, helping organizations understand potential outcomes before they occur. This proactive approach aids in preparing for disclosures and enhances overall cyber resilience.
- Continuous Monitoring and Improvement – The dynamic nature of IRM allows for continuous monitoring of the risk environment and the effectiveness of risk management strategies. Feedback loops within the system facilitate ongoing improvements to policies and procedures.
Taking Action: Leveraging IRM for Effective Cybersecurity Disclosures
To leverage IRM effectively in meeting SEC disclosure requirements, companies should consider the following steps:
- Implement an IRM Platform – Adopt an IRM solution that integrates with existing systems and aligns with the company’s risk management framework.
- Integrate Cybersecurity and Regulatory Compliance – Ensure the IRM platform encompasses cybersecurity risk assessments and regulatory compliance tracking to provide a comprehensive view.
- Train Cross-Functional Teams – Educate stakeholders on using the IRM system, emphasizing collaboration between IT, legal, and finance departments.
- Automate Reporting Processes – Utilize the IRM platform’s reporting capabilities to generate disclosure documents that are accurate and compliant, reducing the likelihood of omissions or errors.
- Monitor Regulatory Changes – Keep the IRM system updated with the latest regulatory requirements to ensure ongoing compliance and readiness for any changes in SEC rules.
- Engage in Continuous Improvement – Regularly review and refine risk management and disclosure processes within the IRM framework to adapt to new threats and regulatory expectations.
Moving Forward with Confidence
Navigating the SEC’s cybersecurity disclosure requirements is undeniably challenging, but it’s a challenge that can be met head-on with the right tools and strategies. The recent enforcement actions are a stark reminder of the consequences of misleading or inadequate disclosures. By adopting Integrated Risk Management as both an approach and a technological solution, companies can streamline the disclosure process, making it more efficient and accurate.
IRM facilitates better collaboration, ensures timely access to critical risk data, and supports compliance with regulatory obligations. This comprehensive approach not only aids in meeting SEC expectations but also strengthens the organization’s overall cybersecurity posture.
As cybersecurity threats evolve, so must our strategies for managing and disclosing these risks. Leveraging IRM allows companies to transform compliance hurdles into opportunities for building trust with investors and the broader market. It’s about confidently moving forward, knowing that your organization is well-prepared to meet regulatory demands while effectively managing cyber risks.
John A. Wheeler is the founder and CEO of Wheelhouse Advisors, and former Senior Advisor, Risk and Technology for AuditBoard. He is a former Gartner analyst and senior risk management executive with companies including Truist Financial (formerly SunTrust), Turner Broadcasting, Emory Healthcare, EY, and Accenture.