November 20, 2023
In late July, the US Securities and Exchange Commission (SEC) enacted a groundbreaking ruling for the cybersecurity industry. Amid an increasingly risky cyber landscape, the new Ruling S7-09-22 requires all registrants to disclose material cyber incidents within four days of detection and provide a detailed description of their cyber risk and governance management programs.
Beyond its primary goal of enhancing transparency for investors, this regulation carries an extremely valuable side effect: the additional bonus of fostering a broader business market culture that invests in robust cybersecurity practices.
Still, much of the legislation's wording leaves room for interpretation when it comes to determining adequate disclosures. Moreover, there has been considerable criticism regarding the absence of mandated boardroom cyber collaboration and expertise.
Thankfully, however, a chorus of cybersecurity and legal leaders has emerged, providing their insights and invaluable advice for organizations now faced with these pivotal responsibilities. Their perspectives are crucial as security teams and board rooms must inevitably work together to build robust, clearly defined cyber programs and materiality thresholds.
Join Kovrr as we explore these experts' perspectives and embark on a comprehensive journey through the most pressing components of the SEC's new laws.
Harvard Law School Forum on Corporate Governance, Read Here
This summary article unravels the SEC's new rules to enhance cybersecurity transparency for public companies and highlights the key takeaways for organizations now subject to compliance. The article delves into the intricacies of governance reporting for Form 10-K and incident reporting on Form 8-K and provides insights on how to begin to determine materiality.
The Harvard Law School Forum experts offer counsel on how companies can prepare for the disclosures, emphasizing updated incident response plans, enhanced controls, and proper record-keeping. The article also outlines a roadmap for public companies toward robust cybersecurity risk identification, assessment, and management processes that are now required.
The first step for any corporation charged with these new rulings is to develop a clear understanding of what, specifically, is being required.
Wall Street Journal, Read Here (Subscription Required)
Since the latest SEC regulations were released, determining what constitutes materiality has been a hotly debated topic in the cybersecurity space. The Wall Street Journal explores why the governing body's ambiguous definition can be problematic for incident reporting. The article also discusses why the four-day time frame has caused such a harsh backlash.
Critics argue that the fallout from cyber attacks most likely will not be apparent immediately and that what seems immaterial on day four may be material by day ten. There is also a concern that organizations will be prosecuted too harshly under these circumstances. Only time and incident disclosures will be able to offer more insights into what the SEC believes to be the proper definition of a material impact.
Meanwhile, organizations must internally develop a clear and explicit framework that defines what materiality looks like for them, incorporating the relevant quantitative and qualitative components.
Bloomberg Law, Read Here
Bloomberg Law also highlights the broad interpretations the SEC left room for regarding "materiality" and "reasonable investor" and leverages industry standards, such as those included in HIPAA and GDPR, to make more sense of the ambiguity.
Materiality is the threshold at which organizations become legally obligated to report the impacts of a cyber event. However, this level is unique to each business and should be evaluated accordingly. The article incorporates legal precedent to offer insights into how the US has previously addressed materiality in court cases.
A "reasonable investor" can legally be equated to a reasonable person who "exercises qualities of...judgment...for the protection of their interest." This definition implies that the information being disclosed should be relevant enough that an average or "reasonable" investor, who may not have an in-depth knowledge of cybersecurity matters, would consider it significant when making investment decisions.
The article ultimately serves as a tool for CISOs and boardrooms who are confused about where to start when defining event materiality, offering vital background information.
Information Systems Security Association Journal, Read Here
This comprehensive research offers the most explicit industry definition of materiality so far, significantly supporting organizations grappling with determining materiality in the wake of this highly consequential ruling.
The article proposes the Freund-Jorion Cyber Materiality Heuristic, which, after assessing multiple data points and case studies, determines materiality as 0.01% of an organization's prior year's revenue, equating to approximately one hour of revenue.
The quantified benchmark offers companies a clear understanding of what may be considered a materially impactful event, enabling leaders to disclose the necessary details on an 8-K confidently. As the article aptly states, "Identifying material cybersecurity risks to enable one to report on the management process requires as a predicate an understanding of what a material cybersecurity risk is."
The research report also underscores the imperative for organizations to continually reassess and fine-tune their materiality criteria within the ever-shifting cyber frontier. It is a must-read for those seeking to navigate materiality disclosures in the digital era.
Financial Times, Read Here
The SEC's cybersecurity regulations have raised significant concerns about reporting redundancies. Last year, Congress plainly stated that the Cybersecurity and Infrastructure Security Agency (CISA) should lead the governmental crusade to combat malicious cyber attackers. Now, public corporations will be forced to report events to two authorities, creating unnecessary and convoluted overlaps.
Countless state-level federal agencies also demand registrants disclose cyber governance practices and material incidents, making this reporting process even messier. The underlying irony, of course, is that organizations will be too busy focused on compliance with fiduciary demands instead of investing resources into securing their cyber environments.
Further Reading on the Need for Governmental Cyber Alignment: Joint Comments on the Request for Information re: Cybersecurity Regulatory Harmonization. Read Here
Legal Dive, Read Here
Specialists voice concerns about the SEC's new cyber regulations, believing that it will lead to insurance companies writing policies that reduce coverage for Directors and Offices (D&O) should they be sued in the wake of a cyber attack.
Because the rules require organizations to disclose material cyber incidents within four days of recognition, D&Os may have difficulty providing the comprehensive details that may come to light much later in the aftermath.
The discrepancy between what's filed on the initial 8-K compared to the fully-fledged consequences could be leveraged by shareholders as grounds for legal action. This new risk is apparent to insurance providers, who will now be undoubtedly weary of the potential losses. The divide between cyber and D&O policies could widen, thereby impacting companies, increasing premiums, and adding new exclusionary terms.
This prediction makes it all the more critical for organizations to institute clear definitions of materiality well before an incident occurs and outline the precise measures they are taking to assess and mitigate cyber risk.
Forbes, Read Here
Initially, the SEC proposed to include a rule in the latest regulations that organizations must disclose whether they have a board member with cybersecurity expertise. However, at the eleventh hour, this stipulation was removed, rendering the board's accountability for cybersecurity governance uncertain. Furthermore, it undermines the notion that boardroom involvement in cyber discussions is anything but paramount.
The relationship between the Chief Information Security Officer (CISO) and the boardroom is a crucial factor in generating a robust cybersecurity program and fostering a culture of cybersecurity awareness. Because of the SEC's last-minute removal, CISOs may need to make an extra effort to advocate for board reform. They may also need to consider solutions that can translate technical cyber terms into broader business objectives.
When board members, cybersecurity leaders, and other C-suite executives can discuss cyber risk in a common language, the organization will be better equipped with data-driven resiliency programs.
Forbes Technology Council, Read Here
Although the new SEC ruling has garnered significant backlash, it can also be recognized as an essential step toward improving cybersecurity. There will undoubtedly be challenges, but as the article stipulates, organizations will ultimately adopt more comprehensive cybersecurity postures that emphasize asset intelligence and provide high-end resilience plans for managing material risk.
This article further advocates the benefits of the latest US cyber legislation, arguing that it will promote continuous improvement and allow organizations to concentrate on real threats, prioritize operational controls, and ensure that security measures are in place and functioning effectively.
Cybernews, Read Here
Less than a month after the SEC passed its tightened cybersecurity laws, Clorox became the first corporation to file an 8-K form after the SEC's July cyber rulings, alerting the regulator that it had experienced a material cyber incident.
The disclosure was filed within the required four-day reporting period but lacked crucial information, such as the specific type of attack the company suffered. The lack of details led to Clorox filing a second 8-K a month later and a third in early November.
Many have considered this incident as proof of the confusion the SEC's definition, or lack thereof, of materiality has caused. The event has even prompted other companies to rethink their cyber programs vis-a-vis determining material impact and what details they should add to disclosures when required.
Lexology, Read Here
MGM Resorts International and Caesars Entertainment also experienced significant cyber attacks that materially disrupted operations. In line with the new rules, MGM promptly filed an SEC Form 8-K disclosing the incident. However, the disclosure provided limited information, mainly referencing a press release and offering few details about the nature of the breach.
Caesars' 8-K filing, although submitted more than four days after identifying the breach, provided extensive information. These cases highlight the challenges companies face when dealing with cybersecurity incidents. They must navigate a complex landscape, which includes, on top of combatting the attack, ensuring compliance with various legal disclosure requirements, and preparing SEC Form 8-K filings.
CISOs face an incredibly challenging and delicate balancing act when it comes to reporting material cyber incidents, as per the SEC's latest rulings. On the one hand, these cyber leaders are tasked with reporting as much as possible to fulfill legal obligations. At the same time, they have to avoid sharing details that would provide potential attackers valuable insights about their threat landscape and defenses.
This undertaking is exacerbated by the fact that, as demonstrated with Clorox's 8-K, the initial incident consequences are unreliable and highly subject to change as the investigation unfolds. As such, CISOs are advised to report solely on what they are reasonably confident about, focus on tangible and measurable impacts, and maintain simplicity in their disclosures. They should also be in regular communication with the board and legal counsel.
The SEC’s latest regulations on cybersecurity governance, risk management, and incident disclosures have prompted substantial debate within the cybersecurity community. However, after sifting through the experts’ perspectives, there are a few overarching themes that emerge.
These key takeaways make it apparent that organizations must adopt the tools that translate cyber risk into broader business terms, allowing all relevant stakeholders to participate in materiality discussions. Ultimately, when cybersecurity leaders and higher-level executives can work together using a common language, the organization will be much more prepared to face material events.
Kovrr is the first cybersecurity vendor to release a solution that helps companies develop unambiguous definitions of material loss, arming them with the data-driven insights necessary to facilitate board discussions, stay ahead of the most damaging cyber incidents, and provide timely, detailed disclosure.
For more information on Kovrr’s Cyber Materiality Report and leveraging financially quantified insights, schedule a free demo with one of our risk experts today.
Kovrr, Read Here
October 31, 2023
Learn how CRQ can ensure you have the funds to protect your organization against the rising global cost of cyber attacks.
October 25, 2023
Explore the vital role of assessing third-party risks when defining your cyber risk appetite