Security By Design- Part 4

Executive Summary

In my last blog post, we explored both the World Economic Forum “Global Risks Report 2023” and the “Alliance Risk Barometer 2023”.  A simple summation of both reports is:

• Cyber Insecurity / Cybercrime triggered Business Interruption is the most feared of all Risks.
• Cyber Connectedness is Pervasive
• Cyber Business Interruptions as a result are Pervasive and Impactful

I had planned in this post to explore the notion that we are all Risk Managers, taught by our parents and / or caregivers from the day we are born and to share perspectives on understanding Threats and creating a Threat Catalog.  However, I am going to deviate from my plans to provide you with a special update about the July 26^th, 2023, release by the Security and Exchanges Commission of their:

“SEC New Rules on Cybersecurity Risk Management, Strategy, Governance and incident Disclosure by Public Companies”.

Industry media has been ablaze since July 26^th with reactions to these new SEC Cybersecurity Rules.  There has been an immense amount of praise, as well as some disappointment, expressed about these new SEC rules.  There has also been a significant amount of disinformation published about these “RULES” by quick reactionaries who in my opinion rushed to publish something, perhaps too quickly without fully reading and digesting this SEC Rules release.  So, let’s look at the new SEC Rules, because if you are involved in Cybersecurity and / or Risk Management, this is a big deal!

What is the SEC’s Goal in adopting their new Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies?

The goal of these new rules is to improve public company disclosures concerning cybersecurity and to provide investors with timely and consistent cybersecurity disclosures to allow investors to make informed investment decisions.

From the SEC press release: The Securities and Exchange Commission today adopted rules requiring registrants to disclose material cybersecurity incidents they experience and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance.  The Commission also adopted rules requiring foreign private issuers to make comparable disclosures.”

These new rules now require Annual Disclosure of a Registrant’s Risk Management, Strategy and Governance on FORM 10-K -ITEM 106(b).  Specifically, disclosure now requires a description of registrant’s processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes.

Materiality

A shift to “Materiality” as a trigger for disclosure will require management, cybersecurity, and risk management practitioners to better understand how the complex digital business systems of today’s companies contribute to business value as well as to systemic risk.

Disclosure of Cybersecurity Incidents on Current Reports (Form 8-K) ITEM 1.05:

The trigger date for disclosure is changed to four days from when a registrant determines the incident to be material as opposed to discovery.

Disclosure needs to reflect the impacts of a material cybersecurity incident or reasonable likely material impacts, within four days from when it is determined to be material.

Guidance is provided as to materiality, which is consistent with securities case law.  The burden to determine materiality is up to the registrant issuer / company reporting the incident.  Under existing case law, information is considered material if “there is a substantial likelihood that a reasonable shareholder would consider it important” in making an investment decision, or if it would have “significantly altered the total mix of information made available”.

Clarification that disclosure should describe the material aspects of the nature, scope and timing of the incident and the material impact or reasonably likely material impact on the issuer, including its financial condition and results of operations.

Clarification that disclosure should include both qualitative factors, alongside quantitative factors in assessing materiality, to include but not be limited to:

• Harm to reputation
• Customer or vendor relations
• Competitiveness
• Possibility of litigation
• Regulatory investigations or action by U.S or non-U.S. authorities

Includes recognition that there may be false positives, and an incident originally thought to be material may not be.

Includes language that clarifies materiality disclosure to be disclosed “without unreasonable delay” to avoid issuers deliberately slowing a determination to avoid disclosure.

Recognition that a materiality determination necessitates an informed and deliberative process.

A new disclosure delay of up to 30 days where an incident poses a substantial risk to national security or public safety as determined by the Attorney General.

Systemic risk disclosure that includes material cybersecurity incidents on third-party systems the registrant uses and recognition that disclosure may occur by both the service provider and the customer, or one but not the other.

Clarified that there would be no impact on information sharing with other companies or government agencies about emerging threats, and clarification that a decision to share information does not itself necessarily constitute a determination of materiality.

Clarification that Form S-3 eligibility will not be impaired by an untimely Form 8-K filing.

Form 8-K delay of up to seven days for those subject to FCC notification rule for customer proprietary network information (CPNI).

No disclosure regarding an incident’s remediation status or if a remediation is ongoing.

No disclosure of specific technical information about a planned response to an incident or cybersecurity systems, related networks and devices, or potential system vulnerabilities at any level of detail.

No requirement for additional third-party incident inquires outside of regular channels of communication and third-party service provider contracts or normal disclosure controls and procedures.

No requirement that the materiality determination be made by the full board, a board committee or one or more officers, but by normal internal disclosure controls and procedures in demonstration of good faith compliance.

No new rule on insider trading during the materiality determination period.

Clarification that a data breach or compromise is not in and of itself disclosable, but is a factor in determining materiality, as are other incident types such as losses of intellectual property, reputational damage, or business value.

Disclosure about Cybersecurity Incident in Periodic Reports (Form 10-Q) ITEM 106:

Clarification that an updated incident disclosure should be made in a Form 8-K amendment, not on Form 10-Q

Annual Disclosure of a Registrant’s Risk Management, Strategy and Governance on FORM 10-K -ITEM 106(b):

Specifically, disclosure now requires a description of registrant’s processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes.

The disclosure focus is recast onto “processes” not policies and procedures to be less prescriptive on operational specifics which could be weaponized by threat actors and a belief that processes are a broader concept which more fully encompasses a registrant’s cybersecurity practices.

Expresses the expectation that the disclosure allows investors to ascertain practices, such as whether there is a risk assessment program in place, with enough detail for investors to understand the registrant’s cybersecurity risk profile.

Recognizes that processes also accommodate situations where there are not written policies and procedures.

Provides clarification that processes described should relate to material cybersecurity risks.

Disclosure should include how cybersecurity processes described are integrated with an overall risk management system or process.

Disclosure should include whether registrants engage assessors, consultants, auditors, or other third parties in connection with any such process(es).

Includes whether registrant has process to oversee and identify material risks from cybersecurity threats associated with its use of any third-party service provider.

Clarification that the burden is on registrants to disclose whatever information is necessary, based on their facts and circumstances, for a reasonable investor.

Disclosure requires a description of whether any risk from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affect or are reasonable likely to materially affect the registrant, including its business strategy, results of operations or financial condition and if so, how.

Registrants must disclose management’s role in assessing and managing the registrant’s material risk from cybersecurity threats including disclosure of management positions of committees responsible for assessing and managing such risk and the relevant expertise of such persons or members in such detail as necessary to fully describe the nature of expertise.

Disclosure of the processes by which such persons or committees are informed about and monitor the prevention, detection and mitigation and remediation of cybersecurity incidents.

Whether such persons or committees report information about these risks to the board of directors or a committee or subcommittee of the board of directors.

New disclosures of the board’s role to describe its oversight of risks for cybersecurity oversight.

Disclosure if any board committee or subcommittee is responsible for cybersecurity oversight.

Requirement to provide description of the processes by which the board or such committee is informed about cybersecurity risks.

Removes disclosure of specific risk types to avoid the suggestion of prescribing cybersecurity policy.

Eliminates the disclosure of cyber risk prevention and detection activities, continuity and recovery plans, and information about previous incidents that have informed changes in policies and procedures or technologies in a step back from these details.

Removed disclosure of whether and how the board integrates cybersecurity into is business strategy, risk management and financial oversight.

Removed the requirement to disclose the frequency of the board or committee’s discussion on cybersecurity, while acknowledging that this is an observed leading practice.

Removed disclosure whether the registrant has a designated chief information security officer.

Definitions and Miscellaneous:

Cybersecurity Incident is defined as an unauthorized occurrence, including accidental occurrences not triggered by a threat actor.

Information Systems means any resources owned by or used by the registrant. 

Compliance dates:

• Annual reports for fiscal years ending on or after December 15, 2023. (ITEM 1.05)
• Current report Form 8-K and 6-K (foreign private issuers) 90 days after these rules are published in the federal register or December 18, 2023, whichever is later (ITEM 1.06)
• Smaller reporting companies have an additional 180 days with current reports due 270 days after the date of publication in the federal register or June 15, 2024.
• Foreign Private Issuers and XBRL (interactive data format) filings have parallel requirements for disclosures of material incidents on Form 10-F and Form 6-K.  Inline XBRL filings have a one-year delay for implementation.
• Feedback and comments are welcome, as well as any specific Cybersecurity or Cyber Insecurity topic you might want me to comment upon.

Joseph F. Norton is a Risk, Security, and Crisis Management professional.

He is a founding member and Qualified Technology Executive of the Digital Directors Network, Chair of the Advisory Board with Next Era Transformation Group, and Chief Security Officer with APF Technologies.

He has served as Chief Security Officer, SVP at Atos, Chief Technology Officer and Head of Operations, SVP at Philips, Chief Technology Officer, SVP at Novartis, Executive-in-Residence with McKinsey & Company, and Chief Technology Officer at McDonald’s.  He has also held professional roles during his career with JPMorgan Bank, Oracle, Sybase and Grumman Aerospace Corporation, and the United States Navy.