Bob Chaput, NACD.DC

MA, CISSP, HCISPP, CRISC, CIPP/US, C|EH

NACD CERT Cyber Risk Oversight


Blog Post

Disclosure about Cybersecurity Incidents in Periodic Reports

Blog #3 of 5 in SEC Proposed Changes series

Disclosure about Cybersecurity Incidents in Periodic Reports[1]

Introduction

In the first post in this series, “Overview of the SEC ‘Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure’ Proposed Rule Changes,” I cited the four specific proposed changes in the SEC rulemaking:

  1. Reporting of Cybersecurity Incidents on Form 8-K
  2. Disclosure about Cybersecurity Incidents in Periodic Reports
  3. Disclosure of a Registrant’s Risk Management, Strategy, and Governance Regarding Cybersecurity Risks
  4. Disclosure Regarding the Board of Directors’ Cybersecurity Expertise

This post will focus on the requirements for “Disclosure about Cybersecurity Incidents in Periodic Reports.”

Before I dive in, it is important to note that both Institutional Shareholder Services (ISS)[2] and Glass Lewis[3], the two most prominent proxy advisory services in North America, have already begun incorporating disclosure expectations similar to those in the SEC proposed changes into their governance assessments of public companies.  These firms provide research and analysis to institutional investors, among others, to assist with investment decisions.  The point is that the SEC proposed changes around Form 8-K filings and updates in periodic reports are, in some ways, catching up with what investors already demand.

What is proposed?

First, under “Updates to Previously Filed Form 8-K Disclosure,” the SEC proposes changes that would require registrants to “disclose any material changes, additions, or updates to information required to be disclosed pursuant to Item 1.05 of Form 8-K” (the new Form 8-K item for material cybersecurity incidents) in the quarterly Form 10-Q or annual Form 10-K for the period (the company’s fourth fiscal quarter in the case of an annual report) in which the material change, addition, or update occurred.[4]

With the focus on providing timely, relevant information to investors, the SEC seeks to balance the prompt Form 8-K reporting requirement (within four business days of determining that an incident is material) against the reality that companies will learn more about the severity and impact of an incident over time.

Updated cybersecurity incident disclosure might include the following non-exclusive examples cited in the proposed rule:

  • Any material impact of the incident on the registrant’s operations and financial condition
  • Any potential material future impacts on the registrant’s operations and financial condition
  • Whether the registrant has remediated or is currently remediating the incident, and
  • Any changes in the registrant’s policies and procedures as a result of the cybersecurity incident and how the incident may have informed such changes.

Second, under “Disclosure of Cybersecurity Incidents that Have Become Material in the Aggregate,” the proposed changes would require disclosure when a series of previously undisclosed, individually immaterial cybersecurity incidents becomes material in the aggregate.

NIST defines “risk aggregation” as “the combination of several risks into one risk to develop a more complete understanding of the overall risk.”[5]  The NIST concept of risk aggregation is analogous to what the SEC is after here.  In these proposed changes, the SEC calls for organizations to consider whether a series of incidents, taken together, increases the severity of impact on the organization and would therefore be relevant for investors to know.  In practice that means the incident register has to retain the small incidents, not just the ones that individually cleared a reporting threshold, so they can be correlated later (for example, incidents sharing a root cause, a threat actor, or an affected system).

For healthcare organizations, a comparative example may be found in the HIPAA Breach Notification Rule (45 CFR §§164.404–164.408).  For breaches affecting 500 or more individuals, organizations must notify affected individuals and HHS/OCR (§164.408, Notification to the Secretary) “without unreasonable delay and in no case later than 60 calendar days after discovery of a breach,” and must also notify prominent media outlets when more than 500 residents of a State or jurisdiction are affected.[6]  You might think of this 500-individual threshold as HHS’ definition of a “material” incident.  For breaches affecting fewer than 500 individuals, “a covered entity shall maintain a log or other documentation of such breaches and, not later than 60 days after the end of each calendar year, provide the notification required…”[7].  This latter requirement might be thought of as “risk aggregation”: the small breaches are not forgotten; they are logged and reported together at the end of the period.

Periodic reporting means that cybersecurity incident disclosures are not a once-and-done matter.  You need to be both backward-facing (what has changed about incidents already reported?) and forward-looking (what material impacts are still possible?) when evaluating the impact of cybersecurity incidents on your business.  It is essential to formalize your cybersecurity incident management processes.  Be sure your organization has a mutually agreed upon definition of key cyber risk terms (most organizations do not!) and can differentiate cybersecurity events from material cybersecurity incidents.

Questions Management and Board Should Ask and Discuss

Here are several starter questions about the proposed Disclosure about Cybersecurity Incidents in Periodic Reports:

  1. Does your organization monitor previously reported cybersecurity incidents to identify subsequent impacts on your operations and financial condition?
  2. Does your organization formally document risk treatment decisions and actions following each cybersecurity incident?
  3. Do your cyber incident response and reporting practices today capture and document all incidents so that you can analyze, correlate, and aggregate individual cybersecurity incidents for materiality?
  4. Are you prepared to provide updates on previously reported incidents in each periodic report, for as long as there are material changes, additions, or updates during a given reporting period?

Endnotes

[1] SEC. “Proposed Rule Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure”. March 9, 2022. Available at https://www.sec.gov/rules/proposed/2022/33-11038.pdf

[2] ISS. “CYBER RISK SCORE.” Accessed October 30, 2022. Available at https://www.issgovernance.com/esg/cyber-risk/

[3] Glass Lewis. “Cybersecurity Risk Evaluation Solution”. Accessed October 30, 2022. Available at https://www.glasslewis.com/cybersecurity-risk-evaluation-solution/ 

[4] SEC. “Proposed Rule Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure”. March 9, 2022. Available at https://www.sec.gov/rules/proposed/2022/33-11038.pdf

[5] “Risk Aggregation.” Glossary. Computer Security Resource Center (CSRC). National Institute of Standards and Technology (NIST). Available at https://csrc.nist.gov/glossary/

[6] U.S. Department of Health and Human Services. The HIPAA Breach Notification Rule.  Accessed October 15, 2022.  Available at https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html

[7] U.S. Department of Health and Human Services. The HIPAA Breach Notification Rule.  Accessed October 15, 2022.  Available at https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html
