By Kartikeya Gaur

Exercising Materiality Assessments in Cybersecurity Incident Reporting: SEC 2023

Updated: Aug 23, 2023

Organizations should develop protocols, systems, and checks that let them swiftly evaluate the consequences of a cyber incident: information gathering, escalation procedures, contemporaneous documentation, and, if warranted, public disclosure.

Below are the key takeaways from the rule and what you can do right now.

Image caption: The emblem of the U.S. Securities and Exchange Commission displayed at SEC headquarters on June 19, 2015, in Washington. On July 26, 2023, the SEC adopted rules requiring public companies to disclose cyber incidents they determine to be material within four business days of that determination. Disclosure may be delayed where the U.S. Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety. (AP Photo/Andrew Harnik, File)


In July 2023, the SEC adopted a new cybersecurity disclosure rule that applies to all registrants that report under the Securities Exchange Act of 1934. The rule requires a registrant to disclose specified details about a cybersecurity incident on Form 8-K (new Item 1.05) once it determines the incident is material, with compliance beginning December 18, 2023.


To summarize:

Materiality Standard Clarification: The SEC's final rule confirms that the materiality standard registrants must apply is the one already established under the federal securities laws and the case law interpreting them.
Materiality Definition: The standard, discussed in the rule's adopting release, follows the Supreme Court's definition of material information. Information is material if there is a "substantial likelihood that a reasonable investor would consider it important" in making an investment decision, or if it would have significantly altered the total mix of information made available.
Applying the Standard: To apply this standard to a cyber incident, companies must be ready to objectively assess both quantitative and qualitative factors, including the incident's direct effects and its reasonably expected effects.
Judgment: Determining materiality requires judgment, and judgment is only as good as the process that informs it. This means effective collaboration among the IT/security, finance, and legal functions within the company.
Informed Decision-Making: Those responsible for evaluating materiality, formulating the response, deciding whether disclosure is required, and drafting the disclosure must have timely and accurate information.
Structured Incident Assessment: Organizations should establish a structured process for evaluating cyber incidents. The process starts with information gathering and assessment by the IT/security teams, followed by escalation to the finance and legal teams responsible for SEC disclosures. It should also include contemporaneous documentation of the assessments, conclusions, rationale, and basis for each decision.


What's changed? What hasn't?

Disclosing a material cyber incident is not new.


Earlier SEC interpretive guidance, issued in 2011 and 2018, made clear that material cybersecurity incidents and their consequences were already subject to disclosure under existing SEC rules and regulations. The 2018 interpretive release, "Commission Statement and Guidance on Public Company Cybersecurity Disclosures," emphasized the need for robust disclosure controls and procedures that enable accurate and timely reporting of material events, including those linked to cybersecurity. The SEC's final rule acknowledges that registrants already disclose material cybersecurity incidents.


What is new in the July 2023 rule is explicit guidance on the particulars of disclosing a material cyber incident: what must be disclosed, how, when, and where.

The rule standardizes disclosure of material cyber incidents. The Form 8-K must describe the material aspects of the incident's nature, scope, and timing, and its material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations. Qualitative factors, such as harm to reputation, customer relationships, or competitiveness, are relevant as well as quantitative ones.


The Form 8-K must be filed within four business days after the registrant determines the incident is material. The materiality determination itself must be made without unreasonable delay after discovery of the incident, so a company cannot extend the clock by deferring the determination.


The rule is effective December 18, 2023; smaller reporting companies have until June 15, 2024 to comply with the incident-disclosure requirement.


Three questions a materiality process should be ready to answer:

  • What factors should companies weigh in assessing materiality? Both quantitative factors (for example, remediation cost, lost revenue, or the value of compromised assets) and qualitative factors (for example, reputational harm, regulatory exposure, or loss of customer trust), measured against what a reasonable investor would consider important.

  • Must a cyber incident cause actual harm to be material? No. The assessment covers the incident's direct effects and its reasonably expected effects, so an incident whose likely consequences are significant can be material before any loss is realized.

  • Does the rule require combining insignificant cyber incidents when assessing materiality? The final rule did not adopt the proposed requirement to aggregate unrelated immaterial incidents. However, the rule defines a cybersecurity incident to include "a series of related unauthorized occurrences," so related occurrences must be assessed together rather than individually.



So what can we do?


Prioritize establishing a robust process for determining materiality within your organization. The following three steps head off the most common problems:


1. Organize a Collaborative Process:

Formulate a structured process involving the key stakeholders: the CISO, CIO, CTO, the CFO and finance team, and the General Counsel (GC) and legal team. Then exercise it, for example through a tabletop scenario, to test whether communication and collaboration between these functions actually work under time pressure.

Clearly define the responsibilities of each team in materiality determination and incident disclosure. Foster cross-disciplinary knowledge sharing; the technical teams need materiality insight, while financial and legal teams require incident response and cyber strategy understanding.

Pose strategic questions to foresee the necessary processes:

  • What incidents would the company consider materially significant?

  • Which qualitative factors hold relevance for investors during a cyber incident?

  • How will the company evaluate the impact on a reasonable investor's perspective?

Define the information prerequisites for materiality determination:

  • Specify what relevant details should be communicated based on the incident's circumstances.

  • Ensure the CISO (or CIO, CTO) can promptly provide pertinent information.

  • Establish relationships with external experts if additional insights are required.


2. Secure Relevant Information:

Collect crucial information needed for materiality assessment, facilitated by the CISO (or CIO, CTO):

  • Identify essential information based on known and unknown facts of the incident.

  • Ensure swift provision of necessary data in a suitable format for determination.

  • Establish connections with third-party forensic firms if external expertise is essential.


3. Document Incidents Thoroughly:

Thorough and contemporaneous documentation is essential:

  • Record the process, involved parties, and conclusions reached, along with supporting bases.

  • Enable teams to produce factual and comprehensive documentation for incidents.

  • Prepare documentation in case the SEC requests insights.


By following these steps, your organization can establish a sound materiality determination process for cybersecurity incidents. This proactive approach will enhance coordination, streamline communication, and ensure your company is well-prepared to address materiality concerns and adhere to regulatory requirements effectively.

