Question: How should security leaders handle the SEC’s cybersecurity and disclosure rules? What should they do to ensure compliance?
Michael Gray, CTO, Thrive: The Securities and Exchange Commission’s (SEC) Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rules went into effect at the end of 2023, but many organizations still have questions about filing and disclosure. Under these rules, public companies must disclose material cybersecurity incidents and provide annual updates on their cybersecurity posture. To report accurately, sometimes on a short deadline, security teams need a solid understanding of 8-K and 10-K filings and new processes that make compliance routine rather than improvised.
Differences between 8-K and 10-K filings
8-K filings are current reports that publicly traded companies use to announce significant events investors may want to know about when making investment decisions; unlike annual or quarterly reports, they are filed whenever a triggering event occurs rather than on a fixed schedule. The SEC’s cybersecurity rules now explicitly require companies to disclose material cybersecurity incidents under Item 1.05 of Form 8-K.
A 10-K filing, on the other hand, is a detailed annual report that summarizes a public company’s financial and operational performance over the past fiscal year. Part of a company’s responsibility is to explain the inner workings of its business to its stakeholders, and the 10-K helps investors make informed decisions about their investments. Publicly traded companies are now required to include information about their cybersecurity strategy, governance, the threats they face, and material incidents that occurred during the year in their annual 10-K filings.
8-K: Definition of materiality
Today, a common question among cybersecurity teams is how to determine whether an incident is “material”: that is, whether it has a significant impact not only on financial results but also on the company’s operations, reputation, compliance obligations, and relationships with customers and stakeholders, and therefore warrants an 8-K filing. The SEC’s standard is whether a reasonable investor would consider the incident important. In practice, that points to incidents that cause significant revenue loss, business interruption or downtime, negative media coverage, legal exposure, or loss of customer data. For example, the Change Healthcare ransomware attack was material: it compromised patient data and disrupted the hospitals, clinics, and healthcare workers that depend on the company. On the other hand, a phishing scam that targets an individual employee through a work email account, especially one that exposes only that person’s own information, is unlikely to cause significant revenue loss or affect the company’s stakeholders, and so would not generally be considered material.
Companies must file the 8-K within four business days of determining that an incident is material, not within four business days of the incident itself. If additional material information is identified later, the company files an amendment to the original 8-K that disclosed the incident; in many cases the cybersecurity team uncovers further details about an incident that belong in a subsequent report to the SEC. Companies are also obligated to correct previous disclosures that turn out to be inaccurate once additional facts become known.
The 10-K: Disclosing too much or too little information
In a 10-K filing, the cybersecurity team shares details about the current state of the company’s cybersecurity program and strategy. The SEC’s disclosure rules require organizations to identify who oversees cybersecurity activities and to explain how they assess, identify, and manage material risks from cybersecurity threats. Item 106 of Regulation S-K, reported under Item 1C of Form 10-K, also lets the team review material incidents from the past year and comment on the company’s response and performance since the event, and it requires organizations to describe the board’s oversight of cybersecurity risk and management’s role in assessing and managing material risks. A 10-K does not necessarily present “new” information about an incident already reported on an 8-K; rather, it addresses the resulting business impact and the cybersecurity risks the company still faces because of that earlier incident.
Again, the rule of thumb for how much to disclose is that companies need to give shareholders enough information to make sound investment decisions. Details to consider include whether the company has a CISO, what cybersecurity training programs are in place for the board and the broader workforce, and whether anyone on the board has in-depth knowledge or expertise in cybersecurity. In practice, this means favoring transparency over withholding important details.
Compliance made simple
Beyond 8-K and 10-K filings, employees need to understand the company’s comprehensive cybersecurity framework. This framework should cover how the organization approaches cybersecurity overall, document incident response procedures, and summarize how the company will improve over time.
Modern organizations need to be able to reduce risk both before and after a cybersecurity incident. Because threats constantly evolve, cybersecurity leaders must audit their capabilities frequently: identify potential vulnerabilities and implement effective risk management strategies, test networks and endpoints continuously, and communicate and train staff on cybersecurity policies on an ongoing basis. A structured readiness assessment against the rule’s requirements helps in this area.
After an incident, leaders should reflect on how well the organization responded and make sure the key details are thoroughly documented in the 8-K. That filing should describe the material aspects of the incident’s nature, scope, and timing and its material impact on the company; the rule does not require technical details about response plans, systems, or vulnerabilities that would impede remediation, so those belong in internal incident records rather than in the public disclosure. Companies should also work with legal counsel to review their compliance posture regularly. Finally, employees should receive dedicated training on the SEC’s cybersecurity disclosure rules so that they are aware of the company’s reporting obligations and understand their role in incident response and annual reporting.