Answering all your SEC cybersecurity rules-related questions.
Earlier this week, we debuted our mini-series on the SEC’s new cybersecurity rules.
In case you missed it — and, understandably, don’t have the bandwidth to backtrack — Part I explored how the (seemingly perpetual) explosion in data creation, data value, and IT complexity since the dawn of the digital age has come to shape our society. In particular, we note why these trends are responsible for our current IT predicament, namely, the rise in threats, risks, and regulations.
That, of course, brought us to the topic du jour — one that has spurred a great deal of conversation and confusion amongst our readers, customers, and partners: The U.S. Securities and Exchange Commission (SEC) and, more specifically, its recent adoption of “rules on cybersecurity risk management, strategy, governance, and incident disclosure.” Today, we will be completing our discussion on the SEC’s latest foray into cyber regulation with an in-depth examination of these new rules, covering everything from the basics to the gray areas to how we can help.
New Rules on the Block: The Basics
According to Michael Shandrowski, principal consultant at 11:11 Systems, the SEC’s cybersecurity rules can be divided into two provisions: Cyber Incident Disclosure and Risk Management, Strategy, and Governance Disclosure. Let’s first break down the basics for each — what they say and who they impact — before diving head-first into the weeds.
Cyber Incident Disclosure
The Cyber Incident Disclosure provision requires registrants — i.e. publicly listed companies who file paperwork with the SEC — to disclose the “occurrence of a material cybersecurity incident within four business days after the company determines the incident to be material.”
Domestic issuers must disclose such incidents in Form 8-K filings, while private foreign issuers disclose via Form 6-K filings. Critically, material incidents that occur on third-party systems are not exempt from disclosure. Registrants are required to disclose the following information about each incident (if known at the time of filing):
- The material aspects of the nature, scope, and timing of the incident.
- The material impact, or reasonably likely material impact, on the registrant, including its financial condition and results of operations.
According to Shandrowski, examples of an incident’s material aspects might be: the type of incident (data breach, ransomware, etc.), the number of affected customers or users, the amount of sensitive information or intellectual property compromised, the timing of the incident, whether the incident is ongoing or contained, and any delays or deficiencies in detecting or responding to the incident. Examples of material impacts could include: costs incurred, effect on forward-looking financial statements, insurance coverage, reputational or brand damage, fines, penalties or other regulatory consequences, mitigation cost factors, and plans or timelines for remediation.
Risk Management, Strategy, and Governance Disclosure
The Risk Management, Strategy, and Governance Disclosure provision requires public companies to make annual disclosures via their Form 10-K and Form 20-F filings about “their cybersecurity risk management, strategies, and governance.” This includes, but is not limited to:
- Disclosure of the processes (if any) for assessing, identifying, and managing material risks from cybersecurity threats.
- Describing how these processes are integrated into the organization’s overall risk management system or processes.
- Describing the processes to oversee and identify material risks from cybersecurity threats associated with the use of third parties.
- Describing the Board of Directors (BOD) oversight of risks from cybersecurity threats and management’s role in assessing and managing material cyber risks.
New Rules on the Block: Critiques, Challenges, and Gray Areas, Oh My!
As you can see, even a surface-level overview of these rules leaves a lot for organizations to consider and, potentially, a lot more for IT administrators, legal departments, and executives to do on an annual basis. They also present several key challenges and gray areas — paving the way for differing interpretations — which, in turn, muddy the water for those trying to maintain compliance and avoid penalties.
“Even now we’re seeing and hearing different interpretations being bandied about,” said Shandrowski. “Over the next couple years, we expect both the rules and our understanding of them to continue to evolve. However, we’ve done our due diligence and are confident we can provide customers, prospective customers, and partners with some much-needed clarity moving forward.”
Material Matters
Words, as everyone’s favorite English teacher (hopefully) once said, have meaning. Indeed, for as long as we’ve had the intelligence and ability to communicate with one another, there have been those devoted to deciphering (and enforcing) the true meaning of said communications.
From the Bible to the Constitution of the United States to Taylor Swift lyrics to the intention behind a simple, two-letter verb like ‘is,’ human beings have clashed — and will continue to clash — over the meaning behind certain words or phrases. This is noteworthy, of course, because how we choose to interpret certain words will then inform our thoughts, feelings, and, perhaps most importantly, our actions moving forward.
For our purposes, the author under the microscope (unfortunately) isn’t a deity, a founding father, the most powerful person on the planet, or even the President of the United States; it’s — you guessed it — the SEC and its use of the word “material.” Seriously, what is a “material cybersecurity incident,” and how does one determine an incident’s materiality?
Based on his own expertise as well as ongoing conversations with those in the industry, Shandrowski defines materiality as the SEC would see it: “information which a reasonable shareholder would consider important when making an investment decision as well as information which a reasonable investor would view as having significantly altered the total mix of information available.”
So, for example, if you were an investor, what cybersecurity-related information would, if you possessed it, have the power to sway or influence whether or not you invested in a certain company? Answers will inevitably vary, but you’ll notice that, by this interpretation, a lack of quantifiable loss or harm does not necessarily make an incident immaterial. Therefore, the key factors to consider in assessing cybersecurity incident materiality, according to Shandrowski, include, but are not limited to:
- The likelihood of a cybersecurity incident occurring that could result in, or cause, a significant negative outcome.
- The impact of the cybersecurity incident — or, what is the potential significance of loss or the extent of harm (e.g., to individuals, customers, vendors, reputation, litigation, regulatory investigations, competitiveness in the market, business operations)?
Basically, the nature of materiality — and even the nature of the rules themselves — boils down to risk. How likely is it that something happens to your organization, and, if it does, what is the potential impact? In other words, how at risk are you? It’s no wonder the SEC featured the word “risk” so prominently in their official naming of the rules.
Disclosure Deadlines, Debates, and Detrimental Decisions
The uncertainty surrounding “materiality” bleeds into another common criticism of the rules: The cyber incident disclosure deadline. Since the SEC’s announcement, people have argued that four business days is simply not enough time to confirm a breach, understand its impact and potential materiality, and coordinate disclosures.
However, it’s also important to note that the SEC rules mandate the disclosure of material incidents within four business days after the company determines the incident to be material — opening up another can of worms entirely. Namely, if the definition of “materiality” is uncertain and the definition is key to the disclosure deadline then … how long do you actually have to report an incident?
Brian Majowicz, consulting engineer at 11:11 Systems, says this:
“The nature of materiality and the timeline for incident disclosures is certainly a major gray area. The SEC is not explicitly saying how much time you have to determine materiality, but what I believe they’re expecting is that you aren’t dragging your feet or stalling. They want you to be making a reasonable effort to figure it all out.”
Thus far, organizations have seemingly struggled to strike the right balance. Notable examples of botched and/or inefficient disclosures run the gamut. Since the rules took effect, Majowicz has heard of organizations filing disclosures without believing an incident to be material — “just to be safe” — as well as organizations who didn’t file and were then reported to the SEC by their attackers! He’s also heard of instances where the SEC learned of an incident via data scraping and then reached out to the impacted company, asking for proof of immateriality.
To combat this, Majowicz believes the best solution is — as you might’ve guessed — preparation.
“My recommendation would be to prepare yourself and your organization as best you can ahead of time,” he said. “You really want to have a good understanding of your data prior to ever having an event. Otherwise, when one inevitably occurs, you’re going to be in a scramble. The chances of making a mistake in that situation are much greater.”
You Talkin’ to Me? Will the Responsible Parties Please Stand up
Although the SEC’s rules primarily target publicly listed companies, they, technically, don’t stop there. Given the interconnected nature of our digital ecosystem, where large organizations often rely on smaller organizations for software, supply chain, and other services, the SEC was sure to include a stipulation in the Cyber Incident Disclosure provision requiring registrants to disclose material incidents that occur on third-party systems.
Therefore, third-party organizations — whether public or private — would be wise to familiarize themselves with the new regulations, while investing in cyber resiliency efforts of their own. The SEC’s previous willingness to stretch regulatory perimeters to private organizations should be a warning to all companies, especially where cybersecurity is involved.
The SEC’s new rules also emphasize the role of senior management and boards of directors (BODs) in overseeing cybersecurity risks, highlighting the need for a top-down approach to cybersecurity governance. Although not explicitly mandated, firms are expected to provide details on board proficiency and oversight of cybersecurity risks in their annual Form 10-K and Form 20-F filings. This presents a challenge for many BODs that include individuals who are not intimately involved in the day-to-day activities of the organization.
New Rules on the Block: How 11:11 Systems Can Help
The consequences of non-compliance can lead to significant financial losses, legal repercussions, and damage to a company’s brand. However, adhering to the SEC’s rules, or those of any regulatory body, is not just about avoiding penalties, but also about safeguarding business continuity, maintaining customer trust, and upholding your organization’s reputation.
As we discussed, achieving true cyber resilience and regulatory compliance is easier said than done. Regulations like these often demand a lot from IT decision makers and executives, leading to burnout, confusion, and increased risk. For those trying and struggling to navigate these complexities, 11:11 Systems can be a crucial ally.
When it comes to the nuances of the SEC’s new cybersecurity rules, for example, 11:11 can assist in a great many ways, including:
- Material Data Assessment and Identification: Identifying, assessing, and understanding your organization’s data — determining data that’s considered “must have,” “mission-critical,” or, as the SEC would say, “material” — prior to an incident is paramount to both proper cyber resilience and your ability to successfully comply with SEC regulations. If your organization needs assistance with determining whether your data is material or not, 11:11 has the tools and expertise to help.
- Risk Management: Do you currently have defined processes and procedures in place to comply with the SEC’s Risk Management, Strategy, and Governance Disclosure provision? 11:11 can help with the processes for assessing, identifying, and managing material risk from cybersecurity threats, including those associated with third-party partners.
- Cyber Resilience Controls: If the key to materiality is understanding and managing risk, then the key to mitigating risk is cyber resilience. This includes not only proactive cybersecurity measures to prevent disruptions, but also reactive measures to ensure a quick response and complete recovery in the event of a successful cyber attack. 11:11 can support your organization as it evaluates and implements the controls necessary to align with the SEC’s Risk Management, Strategy, and Governance Disclosure provision.
Get started today by asking yourself these simple questions: What risks do we currently face? How well do we understand our data? Are we prepared to survive a material cyber incident? Then follow up by taking our free, 20-question Cyber Recovery Risk Assessment which will help you better understand your organization’s recovery risk profile.
No matter your unique needs or requirements, 11:11 is well-positioned to help you and your organization identify and assess critical data, manage risk, ensure compliance, and, most importantly, achieve true cyber resilience. And as we, and the industry at large, receive additional clarity around how the SEC’s new cybersecurity rules are being interpreted and enforced, we’ll be sure to keep you updated.
Stay tuned to this blog as well as our 11:11 Resource Center for additional updates and resources. Finally, for more information about our comprehensive suite of technologies and services — including our expert Consulting Services and advanced Data Protection and Disaster Recovery solutions — or to set up a consultation, contact us today.