Key takeaways: New SEC cyber risk management disclosure rules

This blog post was authored by David Lehmann - Managing Director, Technology Audit and Advisory and Charles Soranno - Managing Director, Eastern Region Leader, Public Company Transformation on The Protiviti View.

While the ink is still drying on many 2023 Form 10-Ks, Protiviti has reviewed a subset of the filings to gauge how firms are responding to the U.S. Securities and Exchange Commission’s (SEC’s) amended Cybersecurity Disclosure Rule adopted in July 2023.

Our review included a sample of 2023 10-Ks that were filed subject to the new requirements, as well as a series of 8-K cybersecurity incident reports issued since the 8-K requirement went into effect in mid-December 2023. This element of the rule requires disclosure within four business days following the determination that an incident is material. This can include incidents that occur at a third-party organisation, as well as multiple incidents determined to be material in aggregate. However, this reporting window is subject to relief, as certain filing delays are permitted due to risks to national security or public safety.

The SEC’s new cybersecurity disclosure rules are designed to require companies to provide investors with information that can help them better manage risk in their portfolio, given how costly and disruptive cybersecurity incidents can be to a business. According to the 2023 Internet Crime Report from the FBI’s Internet Crime Complaint Center (IC3), potential losses from cybercrime surpassed $12.5 billion last year — a 22% increase from 2022 and a new record high.

The following is an overview of some key takeaways from our analysis.
Form 8-K Filings: Differing Interpretations of the Materiality Requirement

Protiviti’s analysis of cybersecurity incident-related 8-K filings reveals that companies are generally taking a conservative approach toward reporting cybersecurity incidents. That is, there is an apparent willingness to disclose incidents even when materiality has not yet been fully established. One might conclude from this early trend that registrants would rather err on the side of caution than risk not disclosing when — potentially later in hindsight — they should have. Registrants may also be considering that a generic disclosure will help them actively manage the public narrative when cyber events occur.

When considering how materiality was described in these disclosures, many filers distinguished between operational and financial materiality, while the rule itself focuses on a single concept of materiality that can incorporate both operational and financial elements (in addition to other factors). This trend in early 8-K cybersecurity incident disclosures may blur the critical question of materiality. Additionally, given this reporting trend, it is perhaps not surprising that the descriptions often omit the material impact or likely material impact, although the SEC specifically calls out the need to describe the incident’s material impact or likely impact. We have already seen one filer that was reprimanded by the SEC for not following disclosure requirements.

Avoiding vagueness in these disclosures to the degree possible is advisable, as the SEC is likely to request more information from some companies about the scope and impact of the cyber incidents they disclosed on Form 8-K.
In one such case, a filer issued an 8-K amendment a day later clarifying its stance on whether the incident was in fact material, as its original filing was indeed vague on this point.

Here is a closer look at several key findings from our qualitative analysis of recent Form 8-K filings:

Timing and Nature of Disclosures

Broadly, the level of detail provided in 8-K cyber incident disclosures varies significantly. Some companies provide extensive information about the nature of attacks and their containment strategies. Others take a high-level approach, revealing information sufficiently general that it could apply to almost any cybersecurity incident, perhaps positioned so as to not provide a “road map” for potential bad actors to exploit.

Since the SEC’s rule requires companies to report incidents within four days after determining an incident (or a series of incidents, in aggregate) is material, but does not require disclosing either when materiality was determined or how long registrants took to evaluate the incident (or series of incidents) to determine materiality, it is not currently possible to determine whether companies are reporting incidents “timely.”

Incident Response and Recovery

Some other notable takeaways from Protiviti’s evaluation of recent 8-K filings include the following findings related to incident response and recovery:

Immediate actions: Companies generally described taking prompt actions — such as isolating affected systems and conducting forensic investigations — once an incident was detected.

Engagement with authorities: Most companies reported that they had notified relevant law enforcement agencies and were working in collaboration with them as required.

Communication protocols: Many of the disclosures we evaluated referenced specific communication protocols for internal reporting and external communication with stakeholders.

Business continuity and recovery: Reports often mentioned activation of business continuity plans to minimise service disruptions. However, we found that details on the effectiveness of these plans or time frames for full recovery were frequently omitted.

Form 10-K Filings: Most Firms Cite Cyber Response Readiness, But Many Cautiously Offer Few Details

Protiviti’s evaluation of companies’ disclosures in Form 10-K filings found that almost all companies acknowledge cybersecurity as an important aspect of their risk oversight, although the level of detail provided in the filings varies widely. Most companies have at least one board-level committee charged with cybersecurity oversight; however, there is a notable split in the type of committee involved in that process — and it appears that the composition of many of the designated committees has limited cyber experience. While most companies said they assign this role to their audit committee, a significant percentage noted that they rely on other management-level committees, like risk or technology committees, which then report to the audit committee.

As for management’s role in the oversight of cybersecurity risks, we found that almost all companies agree that identifying a functional leader for cybersecurity matters and providing periodic cybersecurity-related reporting to the board are critical practices. When it comes to disclosing the frequency of such reporting, however, we found that fewer firms included specific language about how often this reporting occurs.

Additional findings from our review of companies’ Form 10-Ks are as follows:

Cyber risk mitigation efforts: Nearly all companies referenced efforts to mitigate cybersecurity risks through established processes, procedures and systems. A smaller yet significant majority of companies disclosed alignment with external frameworks or standards. This is a positive trend, but it also suggests there is room for improvement in adopting recognised best practices.

Response readiness: A strong majority of companies mentioned their readiness to respond to cyber incidents, including planning and recovery considerations. However, we found that nearly one-quarter of the companies reviewed are not explicitly discussing their preparedness strategies.

External advisors: A significant portion of organisations reported that they use external independent advisors for cybersecurity matters. This could reflect an awareness that third-party expertise is beneficial or necessary for effective cyber risk management or incident response.

Overall, our analysis of this subset of 10-K filings helps bring dimension to an evolving landscape where it seems most companies are taking positive, substantial steps toward instituting robust cyber governance practices. That said, it is evident that some areas remain open for further development or standardisation.

An Opportunity to Optimise Cybersecurity Processes and Programs

Now that companies are settling into the SEC’s new requirements, they will want to consider refining their approach to reporting and disclosures for future Form 8-K and 10-K filings. As with past “new disclosure” requirements, the SEC will likely become less tolerant over time of vagueness in this reporting, and companies should take note of any comments and responses exchanged between the SEC and registrants regarding this disclosure.

First and foremost, 10-K disclosures about a registrant’s cybersecurity governance and risk management programs must be rooted in fact and reflect operationalised processes, avoiding aspirational or planned improvements. The SEC’s response to SolarWinds’ chief information security officer’s lack of transparency about known cybersecurity risks and alleged failure to comply with the U.S. securities laws serves as a cautionary tale.

As registrants continue to comply with the rule, and as 10-K and 8-K disclosures naturally evolve and, perhaps over time, better align with the intent of the rule, Protiviti recommends that companies take the opportunity now to further improve their cybersecurity risk management and governance practices, incident identification, response and reporting processes, and determination of incident materiality, among other aspects of the spirit and letter of the rule.

Protiviti’s technology audit and advisory practice and cybersecurity consulting teams have worked extensively with clients to help them align their processes with this rule and avoid potential compliance pitfalls. Cybersecurity program assessments, internal audits, facilitated tabletop exercises, review of disclosures and incident response plan assessments are some of the key mechanisms we have used to help our clients improve their overall compliance posture. While the veil of uncertainty has, to an extent, been lifted with respect to what compliance with the rule looks like, we believe there is still significant room for improvement and alignment in how registrants are approaching compliance.