On December 18, public companies will need to start complying with the SEC’s new rules around cybersecurity incidents, which state that companies must report any cybersecurity incident to the SEC within four days of determining that it is material. CFO Brew spoke with Jamie Gerber, CFO at cybersecurity firm SimSpace, about what CFOs can do to prepare for the new regs.
This interview has been lightly edited for length and clarity.
You liken the cybersecurity regulations to Sarbanes-Oxley. Why so?
To a degree, there was nothing new under the sun [with] Sarbanes-Oxley, other than a call to essentially put best practices into place where they were part of a range of practices before. And the cyber regs are going to do the same thing here. They’re going to take what’s kind of a hodgepodge of practices and really force companies to find best practices, because the governance and leadership of the companies are going to know that they have to be more timely, be more accurate.
What are some challenging aspects of complying with the regulations?
Classically, incident response has been: Something bad happens, the IT team deals with it, and then the disclosure team gets pulled in. Companies can’t do that any more [under the new regs]. Companies need to change how they approach the engagement of their disclosure teams and financial teams with their incident response teams, which have been very serial and separated in the past.
Is there one piece of the regs that has been more of a sticking point for companies than others?
One is that the materiality decision has to be made “without unreasonable delay.” [People will say] “Well, what does that mean? Is it 35 days, is it 38 days?” No, it’s “without unreasonable delay.” You’ll be judged after the fact in terms of whether an incident was material to your company: Did you see how bad it was going to be when you started to make your determinations, and did you take too long to figure it out?
How can companies make the materiality determination? What are the high-level steps that they would go through?
The first question is, “Given what’s going on and how we’re dealing with it, is the result potentially material?” The second one—which is actually the tougher of the two—is “Have we practiced containing things, and restoring services quickly enough, so that the potentially material impacts are not material?” And it’s only after you answer both of those questions that you can make [the determination]. And you have to have some basis for having some confidence, particularly in that second part.
What role will CFOs play in being compliant with the new regulations?
CFOs don’t have to become chief security officers. They don’t need to be able to write anti-hacker code or to do any of that stuff. But they do need to know what the potential impacts are so that when their team sees [an incident] beginning to happen, they know how to start analyzing.
The CFO’s competence in this area [should be around] “What are the types of things that could affect us? How bad can they be? How well positioned are we to deal?” CFOs have to answer those questions on a whole range of risks. Cybersecurity’s one of them.
If you could give one piece of advice to CFOs on complying with the new regulations, what would it be?
It would be to get your disclosure teams into the major incident response playbooks of your security teams and get them practice in severe event responses and in making those early determinations, and then figuring out [whether they got] that early materiality call right. They need to learn to make their materiality calls right in the fog of an incident.