New SEC Cybersecurity Rules Require Broad Disclosure Regarding Cybersecurity Risk Management, Strategy, Governance, and Incident Response
How would you describe your company’s cybersecurity posture? What are the crown jewels of your digital assets? Do you have a chief information security officer (CISO)? How about a board committee tasked with keeping an eye on cyber risks? Have you ever been hacked? What happened and what exactly did you do about it? These are the kinds of questions your company needs to be ready to answer now that the SEC’s rules on cybersecurity risk management, strategy, governance, and incident disclosure have taken effect.
The new rules require public companies to disclose via Form 8-K any material cybersecurity incident and to describe the incident’s nature, scope, timing, and impact. Additionally, the rules expand Regulation S-K to require annual disclosures via Form 10-K to describe a company’s processes for assessing, identifying, and managing material risks from cybersecurity threats. Such disclosures must include descriptions of the board’s oversight of cybersecurity as well as management’s role in assessing and managing cyber risks.
The fact that a cybersecurity incident can trigger a disclosure requirement should not come as a surprise to experienced Investor Relations (IR) practitioners. Materiality, after all, is where you find it. At a time of rapid and widespread digitalization of business processes, a cybersecurity mishap can be devastating for a company’s operations and reputation. Nonetheless, the formal implementation of the rules creates new responsibilities for boards and management teams at a time when recent enforcement actions suggest that boilerplate disclosures will not be enough to satisfy SEC scrutiny.
Determining the right level of disclosure must start with a basic materiality assessment. Regulation Fair Disclosure uses the standard of the “average prudent investor.” Specifically, what such an investor should “reasonably” be informed of before buying or selling a particular security. As with any materiality assessment, it is a company-specific and fact-dependent analysis.
The legal definition of “cybersecurity incident” provides a starting point: “an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.”
From a Regulation S-K perspective, one can imagine the kinds of cyber risks and threats any company can face and the sort of risk management framework every company should have in place. But when a cyber risk becomes an actual loss, the SEC will want more than generalizations.
In a recent complaint against a large software company, the SEC cited “fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities.” According to the SEC, the company defrauded investors by repeatedly overstating the company’s cybersecurity practices and failing to disclose known risks at a time when the company was under a prolonged cyberattack. The SEC pointed to internal documents and communications regarding grave security risks that belied the company’s public statements to the contrary.
Whatever your company’s cybersecurity posture, the time to ensure your IR readiness is now. In the wake of the SEC’s enforcement activity, proxy advisory firms have already expressed a willingness to recommend against certain directors should a board’s oversight or response to cybersecurity issues be found lacking. Similarly, buy-side and sell-side analysts are beginning to ask more cybersecurity-related questions as a matter of due diligence regarding corporate governance and controls.
Not sure if you’re ready to share your cybersecurity story with investors? Uncertain of how to address reputational damage should the worst happen? Contact Sharon Merrill Advisors to discuss how to make cybersecurity an element of your broader IR narrative, whatever the format, from investor presentations to earnings conference calls.
