Decrypting cyber disclosure
With new rules for reporting on cybersecurity set to be announced in April, Tom Brown, Consultant at Bladonmore, talks about the coming changes and how to prepare for them.
The threat posed by hackers and other cyber-enemies has kept many an executive awake at night, picturing attacks from all directions. These cybersecurity concerns are rising dramatically and anxiety is most intense for senior leadership teams. In fact, a recent survey found that more than two-thirds of North American CEOs see cyber as the largest threat to their organisations’ future growth.
Given these worries, you might expect a rise in cybersecurity disclosures from public companies. So far, that’s not been the case.
It’s no wonder, therefore, that the US Securities and Exchange Commission (SEC) is trying to increase disclosures around responses to incidents. Last March, the SEC proposed new rules that include mandatory disclosure of cyber incidents and of boards’ oversight of cybersecurity risk more broadly.
According to the SEC’s regulatory agenda, made public in January, the final version of the cybersecurity disclosure rule will be released in April.
What are the proposed rules?
Here’s a quick overview of the new requirements proposed by the SEC:
- Within four business days of determining that a cybersecurity incident is material, companies need to disclose the incident in an 8-K (a report of unscheduled events that are material and that investors would care about).
- When individual incidents that were not material become material because they’re part of a larger pattern, companies must disclose the threat in both the 10-K (the annual report of financial performance mandated by the SEC) and the 10-Q (the quarterly equivalent of the 10-K).
- Cybersecurity policies and procedures and governance practices must be disclosed annually in the 10-K.
- The cybersecurity expertise of the board of directors must be disclosed.
What has the reaction been?
Reading the tea leaves on how a proposed rule will appear in final form is never easy. While many of the SEC’s rules go into effect as written, a few are scrapped and others are changed, sometimes dramatically.
As of early February, the SEC had received roughly 200 comments on its cybersecurity disclosure rules and the sentiments range widely.
There are worries over the wording leading companies to disclose incidents that aren’t meaningful or material. Some take exception to the timeline, saying that four business days to disclose could interfere with the primary obligation of solving the problems that the threat creates. A handful of comments say the SEC hasn’t gone far enough and needs to bring in rules around the extent of cybersecurity training provided to management and staff.
The media’s scrutiny and response have been no less intense. A post on the Lawfare blog worries that hastily disclosing an incident could jeopardise law enforcement’s efforts to investigate a crime that’s taken place.
How can you prepare?
With changes coming soon and uncertainty around precisely what they’ll look like, what can public companies do to prepare? A good place to start is by revisiting how you’re telling your governance story.
The SEC’s proposal underscores what’s often a glaring omission: companies don’t reveal who on the Board is keeping an eye on cyber-risks. Investors want to know who is responsible. They also want to understand how these risks are being managed. They want to hear how often the Board convenes to talk about cybersecurity and they want to understand how and when risks or breaches are shared with the Board.
Given the increased focus, it’s also an excellent time to ensure that your board’s disclosure committee is up to speed on cybersecurity. Directors should equally be strengthening their relationships with key IT personnel to keep them informed about cyber threats in or near real time.
If you want to hear how Bladonmore can help you get ahead of regulations and prepare for the new SEC rules, get in touch.