Year one insights: SEC cybersecurity incident management disclosure rules

This blog post was authored by Jim DeLoach - Managing Director, Host - The Protiviti View on The Protiviti View.

What qualifies as a material cybersecurity incident? Can we estimate our potential losses and the effects of business disruption? What were our recovery costs? What longer-term remediation costs do we need to include in our 8-K incident report? How did our actions following the breach reflect the response readiness capability previously detailed in our most recent Form 10-K disclosure?

These and other questions illustrate why complying with the U.S. Securities and Exchange Commission’s (SEC/Commission) amended Cybersecurity Disclosure Rule—which was formally adopted one year ago and effective for this past year’s annual reports and for cyber incidents occurring after December 18, 2023—requires deep and nuanced knowledge of cybersecurity, incident response, data governance, financial reporting, investor relations, regulatory compliance and risk management. This combination of expertise makes it imperative for CFOs and chief information security officers (CISOs) to collaborate closely, in part through two-way education. CFOs should school CISOs on materiality evaluations and reporting to the board, while CISOs can help finance chiefs better understand recovery costs, remediation efforts, single versus aggregate breaches and the nature of compromised data.

Partnering closely with their CISO is one of several actions CFOs should consider to strengthen their cybersecurity disclosures, preparedness and incident evaluation process.
What We’ve Learned So Far

Adopted last July and effective in mid-December, the SEC’s updated cybersecurity disclosure rule requires Form 10-K filings to describe 1) processes for identifying, assessing and managing material cybersecurity risks and threats and 2) the board of directors’ oversight role in assessing and managing cybersecurity risks. The rule also requires SEC registrants to issue an 8-K cybersecurity incident report when a breach (either a single attack or a series of incidents) is deemed to have a material impact on the business. An incident report must be filed within four business days of the company’s materiality determination.

The nature of these requirements commands the CFO’s direct involvement and oversight, as well as the CISO’s expertise and engagement. Both executives should be clear about the threshold at which a cyberattack rises to the level of a material incident—and making this determination may require more frequent dialogue and collaboration. This means they need to agree on the materiality determination process. What the rules require, how we apply them, what information we need, who should be involved, who decides and how we ensure that the determination is reached within a reasonable time are questions best answered in the cool of the day rather than in the heat of the moment.

It also means that these two executives must understand their personal accountability for contributing to accurate disclosures. This may be something new for the CISO and an area in which the CFO can provide guidance. In the aftermath of the SEC’s SolarWinds allegations, CISOs and other executives must presume that the Commission holds them as accountable for the accuracy of public filings as it does CFOs and CEOs.

So, what precisely is the SEC looking for in these filings? We’ve taken a close look at recent cybersecurity disclosures.
Our analysis of these disclosures, and the SEC responses thereto, indicates the following:

Companies are generally taking a conservative approach. In reporting cybersecurity incidents, we’re noting an apparent willingness of some registrants to disclose incidents even when materiality has not yet been fully established—they’re apparently erring on the side of caution rather than risking not disclosing when, later in hindsight, they should have. With respect to these voluntary disclosures, the SEC staff recently encouraged registrants to disclose such incidents under a different item of Form 8-K, such as Item 8.01 (Other Events), to avoid diluting the value of Item 1.05 disclosures (Material Cybersecurity Incidents) and potentially creating investor confusion. Of course, a second Form 8-K would be required if the registrant subsequently determined that the incident is material, in which case the disclosure would fall under Item 1.05. In such instances, the registrant may refer to the earlier Form 8-K filed under Item 8.01.

The level of detail in 8-K incident reports varies. Some companies provide extensive information about the nature of attacks and their containment strategies. Others opt for a high-level approach, reporting information that could apply to almost any cybersecurity incident. Some companies generally described taking prompt actions—such as isolating affected systems and conducting forensic investigations—once an incident was detected. Most companies reported that they had notified relevant law enforcement agencies and were working closely with them as required. Many disclosures referenced specific communication protocols for internal reporting and external communication with stakeholders.

The Commission doesn’t appreciate ambiguity. The SEC took one filer to task for vague language regarding materiality in an 8-K incident report that ran afoul of its disclosure requirements.
We’ve also seen filers distinguish between financial materiality and operational materiality in their 8-Ks, despite the fact that the rule focuses on a single concept of materiality, of which the SEC’s definition remains consistent. Reports often cited activation of business continuity plans to minimise service disruptions; however, details regarding the effectiveness of these plans or the time frames for full recovery were frequently omitted.

10-K disclosures emphasise cybersecurity-related board reporting. Most SEC registrants agree that identifying a functional leader for cybersecurity matters and providing periodic cybersecurity-related reporting to the board are critical practices. Of note, although most companies cite their readiness to respond to cyber incidents, about one-quarter of the 10-K filings we reviewed do not explicitly describe preparedness strategies. While nearly all companies referenced efforts to mitigate cybersecurity risks through established processes, procedures and systems, a smaller yet significant majority disclosed alignment with external frameworks—which suggests there is room for improvement in adopting recognised best practices. Interestingly, a significant portion of organisations reported the use of external independent cybersecurity advisers, indicating that such third-party expertise is beneficial or necessary.

How to Sharpen Disclosures

CFOs can produce better cybersecurity disclosures and help ensure their filings satisfy SEC requirements by taking the following actions:

Cultivate mutually instructive CFO-CISO collaborations. These two executives should be joined at the hip to navigate the cyber disclosure rules minefield successfully. When completing an 8-K incident report, many CFOs will need CISOs to help them understand the nature of the attack, the type of data (personally identifiable information, valuable intellectual property, etc.) that was compromised, and the scope and difficulty of the recovery effort.
CISOs will also need finance leaders to educate them about incident identification, response protocols and other aspects of cyber risk mitigation that SEC registrants must detail in their 10-K filings. In addition to coaching CISOs on materiality determinations and how cybersecurity incidents affect investor relations, CFOs should consider arranging for CISOs to participate in meetings of the board committee that oversees cybersecurity disclosures (typically a disclosure, audit or technology committee).

Create a materiality framework for cybersecurity incidents. To date, many organisations have relied on existing approaches and concepts for determining materiality—often with subtle, cyber-related adjustments—to assess whether a cyber incident merits disclosure. While this approach has passed muster so far, more substantial adjustments likely are

An effective cyber incident materiality framework should address a combination of financial, operational and technical considerations. It should also contain accurate estimates of recovery and remediation costs (both immediate and long-term) as well as context: A $20 million ransomware event has different impacts on a $100 million company versus a $10 billion enterprise. Whether an attack is a single incident or a series of connected, or aggregated, breaches over time also warrants consideration.

Benchmark public filings. The SEC did not provide a template for the new cybersecurity disclosure requirements, and we’ve seen some cyber disclosure approaches already fall out of favor (e.g., differentiating between financial materiality and operational materiality). As companies continue to comply, their 10-K and 8-K disclosures will naturally evolve to better reflect the intent of the rule. As such, finance and information security leaders should track how other companies craft their disclosures. In addition to reading annual reports, CFOs and CISOs can monitor 8-K reports on incident trackers.
Bottom line, this is a learning process, and it behooves the CFO and CISO to understand what’s working and what’s

Bolster cybersecurity risk management. As the regulatory spotlight on cybersecurity capabilities intensifies, CFOs should consider ways they can lead and contribute to efforts to improve cybersecurity risk management and governance practices and incident identification, response and reporting processes. This effort also should focus on more specific determinations of incident materiality, among other aspects of the SEC’s cybersecurity disclosure rule.

Final thoughts

Some boards are adding directors with cybersecurity expertise (like the “financial reporting expert” on the audit committee), but the post-SEC cyber disclosure-rule trend has yet to be determined. A Heidrick & Struggles report noted that only 14% of new board appointments in 2022 had cybersecurity experience, a decline from 17% the previous year. With no data provided for 2023, the appointments during 2024 will be of interest when published next year.

As with past requirements from the Commission for new disclosures, we expect the SEC staff to become less tolerant of vague language, generic boilerplate discussions and other disclosure practices that run counter to the letter and spirit of its rules. This makes it imperative for the CFO to build a strong partnership with the CISO and establish clear guidelines and processes for defining, identifying, responding to and reporting material cyber incidents in 8-K and 10-K filings.

This article originally appeared on Forbes CFO Network.