Source: RSM US LLP.
The Securities and Exchange Commission (SEC) on July 26 released final cybersecurity rules requiring public companies to disclose details on material incidents as well as cybersecurity risk management, strategy, and governance information. While many larger public organizations likely already have processes and resources in place to meet these requirements, emerging and middle market public companies may need to make structural and cultural changes to enhance or adopt cybersecurity oversight, management, and reporting processes to comply with the final rules.
The new rules come in response to an unrelenting cybersecurity environment, with more complex and challenging threats on the horizon. For example, 20% of respondents in the 2023 RSM US Middle Market Business Index Cybersecurity Special Report claimed their company experienced a data breach in the last year, and our team has seen breach activity escalating in recent months. In addition, 68% of survey respondents anticipate unauthorized users will attempt to access data or systems this year.
With attack methods continuing to evolve amid the increasing use of emerging technologies, including artificial intelligence, investors need to understand how threats and incidents can influence a company’s value. More consistent and clearer reporting supports that understanding.
“You don’t want to get in the habit of reporting material incidents. You need to implement preventative controls and identify incidents early. That could enable you to manage an incident more appropriately and mean the difference in materiality.”
Matt Franko, Principal, RSM US LLP
Key considerations
The new SEC cybersecurity rules require a closer focus on three areas: oversight of cyber risks, cyber risk management, and disclosure of material incidents and risks. Larger public companies with established cybersecurity processes and resources can likely adjust existing roles and reporting to account for the new standards, but their smaller counterparts may need to adjust infrastructure and leverage alternative resource models such as managed services to meet compliance standards.
Oversight of cyber risks
The new rules seek to bridge the gap between corporate boards and cybersecurity leadership. SEC registrants (Form 10-K) and foreign private issuers (Form 20-F) must describe the board’s oversight of cybersecurity risks and management’s role in assessing and managing material threats.
Ultimately, boards must increase their oversight of cybersecurity risks and develop a governance culture that increases visibility into threats. The governance structure should provide defined roles that include security ownership and prescribe processes to inform the board and committees about emerging risks. IT controls should also be measured, monitored, and reported to further understand evolving risks.
Cyber risk management
Organizations must articulate their processes for assessing, identifying, and managing material risks from cybersecurity threats as a part of their annual 10-K reporting. The material effects of those risks on the company’s business strategy, operations, or financial condition must also be disclosed.
The SEC amended the final cybersecurity rules to remove a proposed list of risk types, hoping to avoid the perception that the rules prescribe cybersecurity policy. However, the agency sought to provide guidance by referencing risks such as intellectual property theft, fraud, extortion, harm to employees or customers, violation of privacy laws, and reputational risk. Disclosures in Forms 10-K and 20-F are required beginning with annual reports for fiscal years ending on or after Dec. 15, 2023.
Periodic company-wide cybersecurity assessments are an essential part of the risk management process and are critical in addressing and documenting potential risks. Assessments help identify issues early to enable an organization to put controls in place before risks become material.
Disclosing material incidents
Organizations must disclose incidents that have a material or reasonably likely material impact using Form 8-K within four days after the company determines the incident is material. This requirement is effective beginning 90 days after publication in the Federal Register, or Dec. 18, 2023, but smaller companies will have an additional 180 days.
Determining materiality can be a challenge, as there is no specific guidance about what a quantifiable trigger is.
The impact on the company should be considered against quantitative and qualitative factors, including how a reasonable investor would view the incident.
Harm to a company’s reputation, customer or vendor relationships or competitiveness may be examples of material impact on the company, according to the final rules. The possibility of litigation or regulatory investigations or actions, including regulatory actions by state and federal governmental authorities and non-U.S. authorities, may also constitute a reasonably likely material impact on the registrant.
The final rules describe information as material “if ‘there is a substantial likelihood that a reasonable shareholder would consider it important’ in making an investment decision.” This is consistent with the standard set out in cases addressing materiality in securities laws.
Meeting the demands of these rules requires an effective incident response program and cybersecurity risk management capabilities. The program should include plans to respond to and determine the materiality of specific incidents and provide details for how to respond to specific scenarios such as ransomware. Detailed threat simulations, or tabletop exercises, can provide practice with the plan and familiarize individuals with their defined roles within the program. A security monitoring strategy can also leverage technology to consolidate alerts across the organization.
In addition, a managed security operations center can identify and escalate incidents to your security and SEC reporting teams in a timely manner.
The key to compliance
Compliance with the final SEC cybersecurity rules will require a differing level of effort, depending on the extent to which a company has developed its cybersecurity and risk management processes. While the challenge may seem daunting to companies without comprehensive cybersecurity capabilities and incident response programs in place, compliance is achievable.
Ultimately, creating a holistic and sustainable cybersecurity risk management program that involves clear, consistent reporting, as well as increased oversight and involvement from the board, can help your company stay in compliance with SEC guidelines and protect it against material risks that could threaten the company.
This article was written by Matt Franko and originally appeared on 2023-08-11.
https://rsmus.com/insights/services/risk-fraud-cybersecurity/understanding-and-addressing-new-sec-cybersecurity-rules.html