The US Securities and Exchange Commission’s (SEC) breach disclosure rules have placed increased responsibility on the CISOs of publicly traded companies for the reporting of cybersecurity incidents and risks.
The SEC’s latest disclosure rules, which went into effect in December 2023, require listed companies to report any cybersecurity incident determined to be material on Form 8-K (Item 1.05) within four business days of that determination. Other changes mean the SEC also requires a description of cybersecurity risk management processes and board oversight as part of annual Form 10-K filings.
The revised rules have put CISOs under increased scrutiny, potentially exposing them to personal liability for either cybersecurity failures or misleading disclosures.
These concerns are far from academic. Recent cases, such as that of SolarWinds CISO Tim Brown, have highlighted how senior security staff can face legal action over alleged corporate reporting failures about cybersecurity practices at listed companies.
To underline how complicated SEC compliance can get, four years after the SolarWinds breach the SEC charged four companies over their handling of the software supply chain attack, stating they each made “materially misleading disclosures regarding cybersecurity risks and intrusions.”
A requirement to report significant cybersecurity incidents is not new, but changes in how the process works increase the involvement and responsibilities of CISOs in the disclosure procedure.
The SEC defines a cybersecurity incident as an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of those systems or any information they contain.
Companies required to file disclosure reports with the SEC must report a material cybersecurity incident within four business days of the date they determine the incident is material to investors. “Under the US federal securities laws, information is material if there is a substantial likelihood that a reasonable investor would consider it important in making an investment or voting decision, or if it would have significantly altered the ‘total mix’ of information made available to investors,” says Scott Kimpel, a partner at US law firm Hunton Andrews Kurth.
What constitutes a materially impactful breach?
Determining what qualifies as “material impact” from a security incident is complex, since it requires weighing factors such as financial loss, operational disruption, reputational risk, regulatory scrutiny and potential legal fallout.
Remediation costs, legal fees, regulatory fines and any projected revenue loss all need to be factored into the calculation of materiality. The extent to which the incident affects business continuity, supply chains or service availability also needs to be considered.
Each of these factors feeds into the overall materiality assessment, which companies are expected to conduct “without unreasonable delay” following an incident’s discovery.
“Basically, if an incident could change how investors view the business, it’s likely to be considered material,” according to Luke Dash, CEO of compliance experts ISMS.online.
It’s important to note that materiality is not limited to financial or operational results, says Evan Roberts, co-head of cybersecurity and data privacy communications at FTI Consulting. “The SEC specifically cites ‘harm to a company’s reputation’ as a factor in determining materiality.”
The requirement to report incidents without unreasonable delay means that listed companies must be “assessing materiality from the onset of an incident and throughout its lifecycle”, Roberts says. “This process should also be rigorously documented, both when it is initiated and throughout the incident response process.”
What factors need to be considered when assessing the impact of a breach?
The SEC has cautioned that the analysis of a breach’s impact should not turn solely on financial or quantitative factors, and that less tangible, qualitative factors must also be considered.
“According to the SEC, in the context of a cybersecurity incident qualitative factors include (but are not limited to) the potential: harm to reputation; harm to customer, vendor or other business relationships; negative impact on competitiveness; and litigation or regulatory investigations or actions,” Kimpel says.
Who decides whether a breach is material?
CISOs are key players in assessing the materiality of a breach, but the determination should be made collaboratively by a suitably qualified team drawn from multiple business departments.
“Determining the material impact typically involves collaboration between IT, legal, finance, and executive teams,” according to James Eason, CRA practice lead at cybersecurity services firm Integrity360. “Those playing their part must be ready to act and be fully effective in doing so.”
In effect, enterprises need a ready-to-go incident response team drawn from senior management. “This necessitates clearly laid out and understood processes and procedures for the response,” Eason says.
CISOs should ideally build relationships within that team before an incident occurs, Roberts says, “so that if it does need to be activated, the process to evaluate and make a materiality determination follows a set playbook and with a sense of joint ownership among key leaders within the business.”
When does the clock start for breach notification?
The four-business-day reporting clock does not start when an incident is discovered, but when the company determines that the incident is material, that is, something investors ought to know about. That materiality assessment must itself begin without unreasonable delay after discovery.
“What constitutes ‘without unreasonable delay’ is harder to quantify,” according to Dash. “The SEC does not prescribe a set number of days, but the implication in their documentation is that delays should only occur if genuinely needed to gather additional information.”
Are there any legitimate reasons for delaying the disclosure of a confirmed breach?
Disclosure may be legitimately delayed where the US Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the SEC of that determination in writing. The initial delay is limited to 30 days, with extensions possible on the same grounds.
“Aside from the procedural aspects, it’s worth noting that CISOs can be held personally liable for data breaches where it is deemed that they have responded inefficiently, or if it is evident that any cover up has taken place,” Eason says.
How can companies prepare themselves to meet the SEC’s incident disclosure rules?
CISOs and their colleagues face tight reporting timelines to remain SEC-compliant and accountable to investors in the event of a breach or other security incident.
“To achieve this timeline, a structured response process to gather facts, evaluate impact, and work with leadership to make an informed decision is needed,” Dash says.
For many companies, leveraging ISO 27001’s structured approach to incident response can be invaluable in meeting this challenge, according to Dash. “ISO 27001’s framework helps teams establish and maintain detailed processes for managing incidents, assessing risk, and documenting actions in real time. This structure will not only help security leaders make timely materiality determinations but also mean they’re aligned with the SEC’s emphasis on swift, transparent reporting.”
A blog post by management consultants PwC offers further advice on how security leaders can help reduce their company’s exposure to compliance risks and prepare to meet the SEC’s breach disclosure reporting requirements.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/3609804/what-cisos-need-to-know-about-the-secs-breach-disclosure-rules.html