Blog #14 of ~20 in ECRM Framework & Strategy Series
ECRM Recordkeeping and Reporting Standards, Policies, and Procedures
If you are starting this ECRM Framework & Strategy Series here, with Blog #14, you may wish to review some previous posts:
- #1, Introduction – Overseeing the Development of Your ECRM Framework and Strategy
- #2, Getting Started with the Development of Your ECRM Framework and Strategy
- #3, Setting ECRM Guiding Principles, Aligning Business and ECRM Strategic Objectives, and Clarifying Governance
- #4, Basic Cyber Risk Management Terminology
- #5, Selecting and Adopting an ECRM Framework, Process, and Maturity Model
- #6, Risk Rating and Risk Appetite
(For the complete list of all posts in this ECRM Framework & Strategy Series, please see Introduction – Overseeing the Development of Your ECRM Framework and Strategy.)
In each post in the series, I cover one or more aspects of developing your Enterprise Cyber Risk Management (ECRM) Framework and Strategy and associated sections of the Table of Contents of an ECRM Framework and Strategy document.
This series aims to explain the content needed in each part of the document and provide a good head start on developing and documenting your ECRM Framework and Strategy.
Introduction
The topic of the ECRM Framework and Strategy and related documentation covered in this post is:
- ECRM Recordkeeping and Reporting Standards, Policies, and Procedures
(For the complete Table of Contents of an ECRM Framework and Strategy Document, please see Introduction – Overseeing the Development of Your ECRM Framework and Strategy.)
Bottom Line Up Front (BLUF): It is essential that your organization develop and implement recordkeeping and reporting standards, policies, and procedures, because regulatory requirements, litigation, and enforcement actions are becoming increasingly stringent.
Organizations have long wrestled with statutory recordkeeping and retention requirements. Scale that up to an international company operating in many countries, and the complexity becomes profound. I recall these challenges from my global executive assignments at General Electric (NYSE: GE), Johnson and Johnson (NYSE: JNJ), and Healthways (NASDAQ: HWAY).
At the same time, organizations may be failing to retain what is necessary and report what is needed regarding their enterprise cyber risk management (ECRM) programs and the activities within those programs. A sample Record Retention Schedule for Businesses from Postlethwaite & Netterville illustrates the complexity facing any business.[1]
Many types of ECRM data may require reporting. Using the NIST Cybersecurity Framework as a model, think about all the information generated across its five functions: identify, protect, detect, respond, and recover. This potentially reportable information includes, but is not limited to, strategies, policies, procedures, asset information, risk assessments, risk response measures, safeguards implemented, incident detection and reporting, incident response, and recovery plans. Consider the recordkeeping requirements related to the topics covered in this series, each of which represents a section of your ECRM Framework and Strategy. You would be wise to document and keep records of every action, activity, or assessment required by your policies and procedures and by applicable regulations.
There are many stakeholders to whom ECRM information must be reported. These include, but are not limited to, customers/patients, employees, credit reporting agencies, the media, insurers, attorneys, regulators, and the courts.
This post explores the importance of standards, policies, and procedures to ensure proper and appropriate ECRM recordkeeping and responsive reporting when needed.
In Cyber Legal Cases and Trends Your Board Needs to Watch,[2] among other cases, my co-authors and I discussed the seminal 1996 Delaware Court of Chancery decision involving a board’s responsibilities for “reporting or information system or controls.” We wrote:
“… In re Caremark International Inc. Derivative Litigation, establishing the conditions for director oversight liability under Delaware law,[3] the board was sued by shareholders for breach of duty of care for allegedly failing to provide appropriate oversight of employee conduct, exposing the company to civil and criminal penalties. However, the board prevailed, and the court concluded that the board reasonably believed the practices were lawful and attempted in good faith to exercise employee oversight and monitoring responsibilities.
The case established the so-called “Caremark standard,” which imposes liability under the following two circumstances: where “(a) directors utterly failed to implement any reporting or information system or controls; or (b) having implemented such a system or controls, consciously failed to monitor or oversee its operations thus disabling themselves from being informed of risks or problems requiring their attention.”[4]”
Establishing ECRM Recordkeeping and Reporting Standards, Policies, and Procedures helps implement meaningful “reporting or information system or controls.”
Using Emerging SEC Disclosure Requirements as a Benchmark
In my SEC Proposed Cyber Changes series[5], I discussed each of the four proposed changes in detail:
- Reporting of Cybersecurity Incidents on Form 8-K
- Disclosure about Cybersecurity Incidents in Periodic Reports
- Disclosure of a Registrant’s Risk Management, Strategy and Governance Regarding Cybersecurity Risks
- Disclosure Regarding the Board of Directors’ Cybersecurity Expertise
While there are many other existing reporting requirements (e.g., the HIPAA Security Rule implementation specification for response and reporting)[6] and emerging ones (e.g., the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA))[7], each seeking different content on a different timeline, in this post I will use the emerging SEC disclosure requirements to underscore the importance of ECRM Recordkeeping and Reporting Standards, Policies, and Procedures.
Implications of Reporting Cybersecurity Incidents on Form 8-K
The SEC proposes to address growing concerns about apparent underreporting and untimely reporting of cyber incidents by requiring registrants to “disclose material cybersecurity incidents in a current report on Form 8-K within four business days after the registrant determines that it has experienced a material cybersecurity incident.”[8] A Form 8-K, known as a “current report,” must generally be filed within four business days of the event that triggers the filing.[9] Note where the clock starts under the proposal: at the materiality determination, not at discovery of the incident. The proposed rule also expects that determination to be made as soon as reasonably practicable after discovery, so the deadline cannot be deferred simply by delaying the assessment.
This means your organization must have policies and procedures in place to do the following quickly:
- Determine whether an incident is “material”;
- Record when the incident was discovered and whether it is ongoing;
- Provide a brief description of the nature and scope of the incident;
- Describe whether any data was stolen, altered, accessed, or used for any other unauthorized purpose;
- Explain the effect of the incident on your operations; and
- Describe whether your organization has remediated or is currently remediating the incident.
Each of these answers depends on records that already exist when the question is asked: discovery timestamps, asset and data inventories, incident tickets, and remediation logs.
Can your organization meet these requirements today with your current recordkeeping?
Implications of Disclosure about Cybersecurity Incidents in Periodic Reports
First, under “Updates to Previously Filed Form 8-K Disclosure”, the SEC proposes changes that would require registrants to “disclose any material changes, additions, or updates to information required to be disclosed pursuant to Item 1.05 of Form 8-K” in quarterly Form 10-Qs or annual Form 10-Ks for the period (the company’s fourth fiscal quarter in the case of a yearly report) in which the material change, addition, or update occurred.[10]
With its focus on providing timely, relevant information to investors, the SEC seeks to balance prompt four-business-day reporting on Form 8-K against the reality that companies will learn more about the severity and impact of an incident over time.
Updated cybersecurity incident disclosure might include these non-exclusive examples cited in the proposed rule:
- Any material impact of the incident on the registrant’s operations and financial condition
- Any potential material future impacts on the registrant’s operations and financial condition
- Whether the registrant has remediated or is currently remediating the incident, and
- Any changes in the registrant’s policies and procedures due to the cybersecurity incident and how the incident may have informed such changes.
Second, under “Disclosure of Cybersecurity Incidents that Have Become Material in the Aggregate,” the proposed changes would require disclosure when a series of previously undisclosed, individually immaterial cybersecurity incidents becomes material in the aggregate. NIST defines “risk aggregation” as “the combination of several risks into one risk to develop a more complete understanding of the overall risk.”[11] The practical consequence for recordkeeping is that incidents judged immaterial on their own must still be logged with consistent fields (date, affected assets, data involved, cost, root cause) so that they can be revisited and summed when a later incident or a periodic review raises the question of aggregate materiality.
Can your organization meet these requirements today with your current recordkeeping?
Implications of Disclosure of a Registrant’s Risk Management, Strategy and Governance Regarding Cybersecurity Risks
The SEC is proposing a new item be added to Regulation S-K at Item 106(b) to require registrants to provide more consistent and informative disclosure regarding their cybersecurity risk management and strategy. For example, the proposed disclosure would require companies to disclose whether they have a cybersecurity risk assessment program, whether they undertake activities designed to prevent, detect, and minimize the effects of cybersecurity incidents, and how they manage third-party risks.[12]
Under risk management and strategy, specific proposed disclosure items in Item 106(b) would require disclosure, as applicable, of whether:
- The registrant has a cybersecurity risk assessment program, and if so, describe such a program;
- The registrant engages assessors, consultants, auditors, or other third parties in connection with any cybersecurity risk assessment program;
- The registrant has policies and procedures to oversee and identify the cybersecurity risks associated with its use of any third-party service provider (including, but not limited to, those providers that have access to the registrant’s customer and employee data), including whether and how cybersecurity considerations affect the selection and oversight of these providers and contractual and other mechanisms the company uses to mitigate cybersecurity risks related to these providers;
- The registrant undertakes activities to prevent, detect, and minimize the effects of cybersecurity incidents;
- The registrant has business continuity, contingency, and recovery plans in the event of a cybersecurity incident;
- Previous cybersecurity incidents have informed changes in the registrant’s governance, policies, procedures, or technologies;
- Cybersecurity-related risks and incidents have affected or are reasonably likely to affect the registrant’s results of operations or financial condition, and if so, how; and
- Cybersecurity risks are considered part of the registrant’s business strategy, financial planning, and capital allocation, and if so, how.[13]
Under governance or, more precisely, the board’s oversight, the disclosure required by proposed Item 106(c)(1) would include a discussion, as applicable, of the following:
- Whether the entire board, specific board members, or a board committee is responsible for the oversight of cybersecurity risks;
- The processes by which the board is informed about cybersecurity risks, the frequency of its discussions on this topic; and
- Whether and how the board or board committee considers cybersecurity risks as part of its business strategy, risk management, and financial oversight.[14]
There are numerous requirements to track here. Can your organization meet these requirements today with your current recordkeeping?
Implications of Disclosure Regarding the Board of Directors’ Cybersecurity Expertise
Risk oversight is a core responsibility of a board of directors, and disclosing information about risk and risk management oversight is familiar to public company boards. As part of Regulation S-K, at 17 CFR §229.401(e), companies must discuss the business experience of board directors.[15] At 17 CFR §229.407(h), companies must “disclose the extent of the board’s role in the risk oversight of the registrant, such as how the board administers its oversight function, and the effect that this has on the board’s leadership structure.”[16]
The specific proposed changes to create the new Item 407(j) are as follows:
(j) Cybersecurity expertise.
(1) If any member of the registrant’s board of directors has expertise in cybersecurity, disclose the name(s) of any such director(s), and provide such detail as necessary to fully describe the nature of the expertise. In determining whether a director has expertise in cybersecurity, the registrant should consider, among other things:
(i) Whether the director has prior work experience in cybersecurity, including, for example, prior experience as an information security officer, security policy analyst, security auditor, security architect or engineer, security operations or incident response manager, or business continuity planner;
(ii) Whether the director has obtained a certification or degree in cybersecurity; and
(iii) Whether the director has knowledge, skills, or other background in cybersecurity, including, for example, in the areas of security policy and governance, risk management, security assessment, control evaluation, security architecture and engineering, security operations, incident handling, or business continuity planning.[17]
Can your organization meet these requirements today with your current recordkeeping?
These four items represent extensive and comprehensive disclosure changes. The activities they require amount to sound cyber risk management and align with numerous industry guidelines and resources, including NACD’s most recent Principles for Board Governance of Cyber Risk.[18]
Additionally, without going into detail, global regulations like GDPR,[19] state regulations like the California Consumer Privacy Act[20] and the proposed NYDFS rules,[21] federal laws like CIRCIA and, for organizations in the Defense Industrial Base, DFARS Safeguarding Covered Defense Information and Cyber Incident Reporting,[22] whistleblower cases, and other litigation are all driving the requirement for comprehensive recordkeeping and reporting capabilities.
Solutions to Address ECRM Recordkeeping and Reporting Standards, Policies, and Procedures
- Make the business case to the C-suite and Board.
- Inventory all relevant and applicable global, federal, state, and local regulations.
- Identify all cyber risk management activities, actions, and assessments for which records must be maintained.
- Develop ECRM Recordkeeping and Reporting Standards, Policies, and Procedures.
- Identify and adopt record management and retention tools.
The Importance of ECRM Recordkeeping and Reporting Standards
Recordkeeping and reporting standards are essential for organizations to ensure the accuracy, completeness, and consistency of their records and information. They enable organizations to make better decisions based on data analysis, identify potential risks and opportunities, promote transparency and accountability, and streamline operations for timely reporting. Compliance with the legal and regulatory requirements I have cited is critical to avoid penalties and reputational damage.
ECRM Recordkeeping and Reporting Policy
Your ECRM Recordkeeping and Reporting policy statement should indicate what you plan to do, why you plan to do it, the values of your organization, and what is expected of members of your workforce regarding ECRM recordkeeping and reporting. As a reminder, think of policies as higher-level aspirational statements that emphasize “what” and “why”: what your course of action will be and why you have chosen it. Your policy statement also establishes your good-faith intent.
In the case of cyber risk management recordkeeping and reporting, it is essential to convey your full intent to comply with all applicable laws and regulations as well as your internal policies and procedures.
Following is an example of an ECRM Recordkeeping and Reporting policy statement:
[YOUR COMPANY NAME HERE] is committed to establishing, implementing, and maturing an enterprise cyber risk management (ECRM) program that safeguards all sensitive stakeholder data, systems, and devices against compromises of confidentiality, integrity, and availability. The ECRM recordkeeping and reporting management program is intended to maintain, protect, retain, and dispose of records in accordance with operational needs; international, federal, state, and local government regulations; fiscal and legal requirements; historical value; and business reference purposes. International, federal, state, and local laws and regulations have established standards by which acceptable ECRM, privacy, security, and compliance will be achieved and by which various information will be reported and disclosed. The purpose of this policy is to provide guidance and direction on creating and managing ECRM information and records and to clarify workforce responsibilities.
The regulatory requirements relevant and applicable to [YOUR COMPANY NAME HERE] for ECRM recordkeeping and reporting are those of NYDFS, the SEC, and GDPR.
For internal operational needs, all ECRM records must be retained so that the performance of the company’s ECRM program can be evaluated over time and other ECRM policies and procedures can be enforced. As such, all ECRM records should be kept for at least five years.
Treat the five-year figure in this sample as a placeholder. Your retention floor must be no shorter than the longest period any applicable regulation imposes on the record type in question; for example, the HIPAA Security Rule requires that required documentation be retained for six years from the date of its creation or the date when it was last in effect (45 CFR §164.316(b)(2)(i)), and litigation holds can suspend disposal altogether.
Content of ECRM Recordkeeping and Reporting Procedures
All procedures are designed to bring policies to life by providing the necessary actions for you to deliver on your policy. If policies are higher-level statements addressing “what” and “why,” then procedures provide the much-needed detail as to “how,” “by whom,” “when,” “where,” “using what,” etc., the policy will be implemented.
Your ECRM Recordkeeping and Reporting Procedures should specify which aspects of your organization’s ECRM framework, process, and maturity model, and which of their transactions and records, the policy covers. Indicate the ECRM data, systems, and devices the policy covers. Indicate whether the policy covers the entire organization, a specific business unit, or a defined geographic area. Indicate the C-suite executive responsible for this policy. For example, it may be your Chief Risk Officer, Chief Information Officer, Chief Information Security Officer, or Chief Financial Officer, depending on your industry and whether your organization is public or private.
You should expand and elaborate on these elements and steps such that those responsible for managing ECRM Recordkeeping and Reporting will be successful if they follow all your process steps in your documented procedures.
Summary
Given the increase in laws, regulations, and enforcement actions, it is essential to include a section in your ECRM Framework and Strategy document that covers ECRM Recordkeeping and Reporting Standards, Policies, and Procedures and how you will manage your recordkeeping, reporting, and disclosures.
The chief output of the work discussed in this post is your organization’s ECRM Recordkeeping and Reporting Standards, Policies, and Procedures.
In Disclosure of a Registrant’s Risk Management, Strategy, and Governance Regarding Cybersecurity Risks, I discuss the SEC proposed rulemaking requiring registrants to provide more consistent and informative disclosure regarding their cybersecurity risk management and strategy. Your ECRM Recordkeeping and Reporting Standards, Policies, and Procedures will help meet this and other emerging disclosure requirements.
You can visit my YouTube channel, Stop the Cyber Bleeding | Putting ECRM Into Action, which includes brief video clips covering many of the topics in this series. It may help guide the development of your ECRM Framework and Strategy and can be accessed and subscribed to at https://www.youtube.com/@stopthecyberbleeding/videos.
In the next post in this ECRM Framework & Strategy Series, I will discuss ECRM Budget Philosophy, an essential component to properly fund ECRM initiatives and integrate ECRM into business strategy, financial planning, and capital allocation.
Questions Management and Board Should Ask and Discuss
- Is your organization prepared to assess the materiality of cybersecurity incidents and report them within four business days?
- Has your organization agreed upon and documented ECRM Recordkeeping and Reporting standards, policies, and procedures that you are prepared to disclose?
- Is your organization prepared to report cybersecurity incidents that have become material in the aggregate?
- Is your organization prepared to report whether and how it engages third parties in its cyber risk assessments?
- Is your organization prepared to disclose your business resumption plans?
- If you report cyber risks in the MD&A section of your Form 10-K, are you comfortable disclosing whether any board member possesses cybersecurity expertise?
- Has your organization assessed potential costs and damage from material cybersecurity incidents such as legal costs, business interruption, ransom and extortion demands, remediation costs, etc.?
- Does your organization have a good governance structure in place, one that clearly articulates and oversees your ECRM recordkeeping and reporting?
- Do you have the internal resources with the appropriate skills, knowledge, and experience to facilitate the development of your ECRM Recordkeeping and Reporting Standards, Policies, and Procedures?
- Would engaging an experienced, reputable ECRM partner be valuable to establishing, implementing, and maturing your organization’s ECRM Recordkeeping and Reporting Standards, Policies, and Procedures?
- Do your ECRM Recordkeeping and Reporting Standards, Policies, and Procedures meet the future requirements of SEC Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure Proposed Rule Changes today?
Endnotes
[1] Postlethwaite & Netterville. “Record Retention Schedule for Businesses.” (n.d.) Available at https://www.pncpa.com/resources/record-retention-business/
[2] Chaput, Bob, Mahler, Andrew, and Nwachukwu, Omenka. The Governance Institute (TGI). “Cyber Legal Cases and Trends Your Board Needs to Watch.” March 2023. Available at https://bobchaput.com/wp-content/uploads/2023/04/Clearwater-Cyber-Legal-Cases_March2023.pdf
[3] Edward B. Micheletti & Ryan M. Lindsay, The Risk of Overlooking Oversight: Recent Caremark Decisions From the Court of Chancery Indicate Closer Judicial Scrutiny and Potential Increased Traction for Oversight Claims, Skadden, Arps, Slate, Meagher & Flom LLP (December 15, 2021), https://www.skadden.com/insights/publications/2021/12/insights-the-delaware-edition/the-risk-of-overlooking-oversight.
[4] Edward B. Micheletti & Ryan M. Lindsay, The Risk of Overlooking Oversight: Recent Caremark Decisions From the Court of Chancery Indicate Closer Judicial Scrutiny and Potential Increased Traction for Oversight Claims, Skadden, Arps, Slate, Meagher & Flom LLP (December 15, 2021), https://www.skadden.com/insights/publications/2021/12/insights-the-delaware-edition/the-risk-of-overlooking-oversight.
[5] Chaput, Bob. “Overview of the SEC ‘Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure’ Proposed Rule Changes.” Oct. 31, 2022. Available at https://bobchaput.com/overview-of-the-sec-cybersecurity-risk-management-strategy-governance-and-incident-disclosure-proposed-rule-changes/
[6] Response and reporting Implementation Specification. 45 CFR §164.308(a)(6)(ii) (Security Standards for the Protection of Electronic Protected Health Information, Administrative Safeguards). Available at https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.308
[7] CISA. Cybersecurity & Infrastructure Security Agency. “Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA).” March 2022. Available at https://www.cisa.gov/circia
[8] SEC. “Proposed Rule: Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure.” March 9, 2022. Available at https://www.sec.gov/rules/proposed/2022/33-11038.pdf
[9] Glossary. U.S. Securities and Exchange Commission. “Form 8-K definition”. Accessed October 15, 2022. Available at https://www.investor.gov/introduction-investing/investing-basics/glossary/form-8-k
[10] SEC. “Proposed Rule: Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure.” March 9, 2022. Available at https://www.sec.gov/rules/proposed/2022/33-11038.pdf
[11] “Risk Aggregation.” Glossary. Computer Security Resource Center (CSRC). National Institute of Standards and Technology (NIST). Available at https://csrc.nist.gov/glossary/
[12] SEC. “Proposed Rule: Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure.” March 9, 2022. Available at https://www.sec.gov/rules/proposed/2022/33-11038.pdf
[13] SEC. “Proposed Rule: Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure.” March 9, 2022. Available at https://www.sec.gov/rules/proposed/2022/33-11038.pdf
[14] SEC. “Proposed Rule: Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure.” March 9, 2022. Available at https://www.sec.gov/rules/proposed/2022/33-11038.pdf
[15] Business Experience. 17 CFR §229.401(e). (Standard Instructions for Filing Forms Under Securities Act of 1933, Securities Exchange Act of 1934 and Energy Policy and Conservation Act of 1975 – Regulation S-K). Available at https://www.ecfr.gov/current/title-17/chapter-II/part-229/subpart-229.400/section-229.401
[16] Board leadership structure and role in risk oversight. 17 CFR §229.407(h) (Standard Instructions for Filing Forms Under Securities Act of 1933, Securities Exchange Act of 1934 and Energy Policy and Conservation Act of 1975 – Regulation S-K). Available at https://www.ecfr.gov/current/title-17/chapter-II/part-229/subpart-229.400/section-229.407
[17] SEC. “Proposed Rule: Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure.” March 9, 2022. Available at https://www.sec.gov/rules/proposed/2022/33-11038.pdf
[18] NACD. “Principles for Board Governance of Cyber Risk”. March 2021. Available at https://www.nacdonline.org/applications/secure/?FileID=319863
[19] GDPR FAQs. EU GDPR.org. Accessed March 6, 2023. Available at https://gdpr.eu/faq/
[20] California Consumer Privacy Act (CCPA). Feb 15, 2023. Available at https://oag.ca.gov/privacy/ccpa
[21] New York State Department of Financial Services (NYDFS). “DFS Superintendent Adrienne A. Harris Announces Updated Cybersecurity Regulation.” Nov. 9, 2022. Available at https://dfs.ny.gov/reports_and_publications/press_releases/pr20221109221
[22] 48 CFR 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting. Available at https://www.ecfr.gov/current/title-48/chapter-2/subchapter-H/part-252/subpart-252.2/section-252.204-7012