As we approach nearly one year since the SEC adopted its final cybersecurity disclosure rules in July 2023, companies are still struggling to implement best practices for their cybersecurity programs. An AuditBoard survey of over 300 security leaders conducted in January 2024 found that many executives are still in the initial stages of conducting gap assessments, assigning responsibility for remediation, establishing standards for determining materiality, creating new disclosure processes, and implementing supporting technology.
In May 2024, AuditBoard and KPMG hosted a webinar featuring speakers Mihai Liptak, U.S. Service Co-Lead, Risk Quantification at KPMG, and Matt Johnson, National Tech Assurance Leader, Audit at KPMG. In this session, they discussed the top challenges companies are experiencing in relation to the new rules: determining materiality, disclosing in the right amount of time, and ownership of remediation activities. In addition, our speakers discussed solutions for overcoming these challenges and laying the groundwork for a robust cybersecurity program. Missed the webinar? Continue reading below for our biggest takeaways.
Summary of Major Changes
On July 26, 2023, the SEC adopted new rules to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incidents by public companies. These updates were meant to enhance cybersecurity preparedness and improve resilience against cyber threats and attacks.
- A material incident must be disclosed within four business days of the company's determination that it is material (not four days from discovery), which will require the review and restructuring of incident response runbooks and plans so that triage feeds a materiality decision.
- Material incidents must be disclosed on Form 8-K (Item 1.05), which requires legal and regulatory personnel to be part of the filing process and a revamp of existing escalation processes so that the facts reach them in time.
- Amendments to Regulation S-K (Item 106) require annual disclosure of the processes used to assess, identify, and manage material cybersecurity risks, along with management's role and the board's oversight, i.e., how the organization governs cyber risk.
How Organizations Are Responding
Nearly 40% of webinar attendees in May 2024 indicated their organization’s preparedness for the SEC cybersecurity disclosures has increased over the last six months.
Even private financial services companies that do not fall within the scope of the new rules are being affected by similar changes. For example, the New York State Department of Financial Services (NYDFS) cybersecurity regulation has reporting requirements for cyber incidents that closely parallel the SEC's.
“Whether you fall within the defined scope of the SEC’s requirement or not, there is a clear trend that this new ruling will shape how good governance is ultimately viewed,” says Matt. “So regardless of whether you are required to comply or not, taking the approach of viewing these new rules as an opportunity to assess how your organization’s cybersecurity capabilities and overall posture stand up to these requirements is a good idea.”
“From what we’ve seen, most organizations want to stay in the middle; they don’t necessarily want to be at the forefront, but they don’t want to be laggards either. But that middle will shift as more agencies come out with similar requirements globally — increased enforcement and governance will lead to a higher standard overall,” says Mihai.
Top Challenges Related to the New Rules
1. Determining Materiality
The most common challenge of the new rules is determining the materiality of incidents. Nearly 40% of webinar attendees ranked determining materiality as the most challenging element of the SEC’s new rules. This is because the SEC is not prescriptive in defining what is material; the determination rests on the existing securities-law standard of what a reasonable investor would consider important. Furthermore, the significance of the same event varies by company. For instance, a cyber event causing one manufacturing site to go down might be manageable for a company with multiple sites, as operations can continue at the remaining locations. However, for a company with only one site, the same event could halt all operations, preventing order processing and shipment. “The magnitude of the impact is really what we’re talking about here. How big of an impact is the event? That’s going to drive whether something is material or not,” says Matt.
Risk quantification frameworks such as the Factor Analysis of Information Risk (FAIR) Materiality Assessment Model can help organizations estimate the probable loss from a new or evolving cybersecurity incident in financial terms, so that the materiality judgement starts from a defensible number rather than a gut feeling.
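As an added illustration of what such a quantification looks like in practice (this is example code written for this page, not the FAIR Institute's model or anything KPMG or AuditBoard presented), the block below runs a Monte Carlo estimate of the loss from the single-site ransomware scenario described above. Each loss form is calibrated as a 90% confidence interval in dollars and fitted to a lognormal distribution; secondary losses such as fines and litigation are incurred only with some probability. The dollar ranges, the probabilities, and the materiality threshold (5% of a hypothetical $40M pre-tax income) are all constructed assumptions, and the threshold is only one input to a legal judgement, not a substitute for it.

```python
"""
Added example: FAIR-style Monte Carlo estimate of one incident's loss, compared
against a materiality threshold. All figures below are constructed assumptions.
"""
import math
import random
from dataclasses import dataclass

Z90 = 1.645  # z-score bounding a 90% confidence interval (5th to 95th percentile)


@dataclass(frozen=True)
class LossComponent:
    """One loss form for the incident, calibrated as a 90% CI in USD."""
    name: str
    low: float                 # analyst's 5th-percentile estimate
    high: float                # analyst's 95th-percentile estimate
    probability: float = 1.0   # chance this loss form is incurred at all

    def sample(self, rng: random.Random) -> float:
        # Secondary losses (fines, litigation) only materialize some of the time.
        if rng.random() > self.probability:
            return 0.0
        # Fit a lognormal whose 5th/95th percentiles match the calibrated range.
        mu = (math.log(self.low) + math.log(self.high)) / 2
        sigma = (math.log(self.high) - math.log(self.low)) / (2 * Z90)
        return rng.lognormvariate(mu, sigma)


def simulate_incident_loss(components, trials=20_000, seed=1):
    """Total loss per trial: the sum of every loss form for one incident."""
    rng = random.Random(seed)  # fixed seed so the estimate is reproducible
    return [sum(c.sample(rng) for c in components) for _ in range(trials)]


def percentile(samples, p):
    s = sorted(samples)
    return s[round(p / 100 * (len(s) - 1))]


def assess_materiality(components, threshold, trials=20_000, seed=1):
    """Probability that the incident's loss meets the threshold, plus its spread."""
    losses = simulate_incident_loss(components, trials, seed)
    exceed = sum(1 for x in losses if x >= threshold) / len(losses)
    return {
        "threshold": threshold,
        "p_material": exceed,
        "p10": percentile(losses, 10),
        "p50": percentile(losses, 50),
        "p90": percentile(losses, 90),
    }


# Constructed scenario: ransomware halts the only plant of a single-site
# manufacturer. The ranges and probabilities are illustrative assumptions.
SINGLE_SITE_RANSOMWARE = (
    LossComponent("incident response and forensics", 150_000, 600_000),
    LossComponent("production downtime and lost orders", 500_000, 4_000_000),
    LossComponent("regulatory fines", 100_000, 2_000_000, probability=0.35),
    LossComponent("customer litigation", 250_000, 3_000_000, probability=0.25),
)

# Assumed threshold: 5% of a hypothetical $40M pre-tax income. The SEC does not
# prescribe a number; this is a quantitative input to the legal determination.
MATERIALITY_THRESHOLD_USD = 0.05 * 40_000_000


def run_example():
    return assess_materiality(SINGLE_SITE_RANSOMWARE, MATERIALITY_THRESHOLD_USD)


if __name__ == "__main__":
    r = run_example()
    print(f"threshold: ${r['threshold']:,.0f}")
    print(f"P(loss >= threshold) = {r['p_material']:.0%}")
    print(f"loss p10/p50/p90: ${r['p10']:,.0f} / ${r['p50']:,.0f} / ${r['p90']:,.0f}")
```

The useful output is not the single probability but the spread: if the 10th and 90th percentiles straddle the threshold, the honest answer to "is this material?" is "we cannot yet tell", and the next step is to narrow the widest range (usually downtime) with facts from the response team rather than to wait for the clock to run.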
The following are examples of types of cyber events that could be material:
- An unauthorized occurrence that compromises the confidentiality, integrity, or availability of a system, network, or the data residing on it.
- Unauthorized interruption or loss of control of operational technology systems.
- Unauthorized access resulting in alteration or loss of sensitive business information, personally identifiable information, or intellectual property, resulting in loss or liability.
- Data extortion and threats to sell or publicly disclose sensitive company data.
- Ransomware attacks.
2. Disclosing in the Right Amount of Time
Regulatory bodies are being very prescriptive about the timing of reporting material cybersecurity events. A commonly asked question is: “How can we put out a notification of an incident four days after it occurred?” This reflects a common misunderstanding: the requirement is not to disclose four business days after you first see the incident in a scan or alert, but four business days after you have determined that the event is material to the business. The clock cannot be gamed by delaying the determination, however: the rule requires the materiality determination to be made without unreasonable delay after the incident is discovered.
Another challenge is that the rules do not exempt incidents on third-party systems your company uses. When a vendor is breached, the vendor escalates and assesses the breach through its own process and then formally notifies your company. At that point, your company must assess the impact of the third-party breach on your organization, and if it is determined to be material, your company has four business days from that determination to file.
Consequently, disclosing a material event in a timely manner depends on having the proper triage and escalation processes, and the people to run them, in place before a cybersecurity incident occurs.
“When there is a major event, you have to go through the exercise of understanding what that event actually cost the organization,” says Mihai. “The better and faster you can perform these escalations, the easier it will be to determine what is material, what is not, and what actually needs to get filed.”
3. Ownership of Remediation Activities
The more functions that are involved in and weighing in on a cybersecurity incident, from legal to audit to IT, the harder it can be to understand who owns which remediation activities. “A commonly asked question we receive is: ‘How do you engage the various functions to understand the breadth of considerations when it comes to determining materiality?’” says Matt.
“When there is an incident, it’s usually the cybersecurity team that analyzes what happened and starts to disseminate the information out to the organization. Internal audit has an obligation to review the event, but usually, this post-assessment occurs after the event is declared material,” says Mihai.
Confusion over remediation ownership can be prevented by clearly defining roles and responsibilities in the escalation process. Legal and finance are most commonly responsible for the final review when preparing disclosures, while audit, risk, compliance, and InfoSec teams commonly provide input. However, this will look different for every organization.
“What it comes back to is good governance, clearly defined roles, and the interaction between various functions that are involved, e.g., legal, IT, media relations, and other business groups. The cohesion between these groups is what’s going to help you come to the determination of a material event,” says Mihai.
Utilizing the New SEC Rules to Elevate Cybersecurity Capabilities
The new SEC rules have ignited a broader conversation about good governance, extending beyond public companies to influence private sectors as well. This trend underscores a broad shift toward higher standards and greater accountability in cybersecurity. Many organizations are using the moment to reassess and elevate their cybersecurity capabilities in order to comply; forward-thinking organizations go further, treating the requirements as an opportunity to innovate and lead rather than merely comply. This proactive approach not only strengthens their security posture but also enhances trust and confidence among stakeholders. Ultimately, the new SEC rules present a powerful incentive for organizations to pursue excellence in cybersecurity, setting a new benchmark for the industry.