You know that cybersecurity has made its way into the cultural zeitgeist now that security firms are taking out Super Bowl ads. The new SEC cyber incident disclosure rule may push cybersecurity even more firmly into the minds of public companies and their investors.
As of last December, the SEC requires public companies to lay bare any material cybersecurity incidents within four days of an occurrence on a Form 8-K, and detail cyber risk management practices regularly in their annual 10-Ks.
The new rule could boost companies’ cyber hygiene, now that they are reporting their practices to the public, Alissa Lugo, senior director and analyst with Gartner’s legal and compliance group, told CFO Brew.
“I do think it’s going to raise up some best practices, and I think organizations will be better off for it, even though there’s some heartburn right now trying to think about all of this,” Lugo said.
Now you see it. Transparency is key because many organizations are not up to speed on their governance and risk management practices, Pete Cordero, a retired FBI special agent and founder of cybersecurity advisory firm Hacking The Cyber Threat LLC, told CFO Brew.
“I don’t think we’re anywhere near optimal,” Cordero told CFO Brew. That means some organizations have work to do to catch up.
Early results indicate that companies are still getting a feel for what should be reported. Some of the first cyber incident disclosures only contain minimal information and do not answer some important questions, according to experts interviewed by CFO Dive.
When Microsoft filed a Form 8-K in January reporting a recent breach, it wrote that “the incident has not had a material impact on the Company’s operations.” Microsoft told the Wall Street Journal that “because the law is so new, we wanted to make sure we honor the spirit of the law.”
The CFO impact. Finance leaders, who often have organizational compliance and risk management under their purview, have skin in the game. A recent PwC report recommended that “CFOs…should be ready to answer questions from the board about disclosures regarding material and immaterial cyber incidents as well as annual disclosures of cyber risk management, strategy, and governance.”
But it’s not all on finance. New research from AuditBoard suggests the CFO is involved less often than the CISO in reshaping practices to ensure SEC compliance. Three-quarters of the 300-plus security professionals surveyed by AuditBoard indicated the CISO and/or information security team was involved in the disclosure process, while 45% of respondents said the CFO/finance team was involved.
However, not every organization has a CISO. In those cases, Lugo said in an email that she recommended organizations hire a CISO, but in the meantime, they should “clearly outline who the risk owner is [and] who is responsible for managing the cyber program.”
Document it! John Pearce, principal of Grant Thornton’s cyber risk advisory services, told CFO Brew that some organizations charge the board’s audit committee with cyber oversight, while others may have something like a technology risk committee.
Whatever the oversight mechanism is, firms need to make sure to document it. “What we’ve instructed folks is, if you’re going to put it in your 10-K, you better have it memorialized, and prove that it actually actions that way. That’s where we’re seeing the biggest gaps,” Pearce said.
Companies also need to test their information controls “to make sure that the right information is being shared with leaders on a timely basis, and then that that information is being evaluated…if it needs to be publicly disclosed,” Lugo said. Firms should test their practices in simulated tabletop exercises to ensure that disclosure is carried out appropriately and with the right information, she added.
Beefing up cyber expertise. The new reporting requirements also will improve boards’ cyber hygiene, experts said. For one, the 10-K disclosures will highlight the qualifications (or, sometimes, lack thereof) of board members to capably oversee cyber risk, according to Pearce.
“Now these boards have to say…‘How are we going to say that we’re qualified to oversee this risk, as well as management?’ So, [it’s] better to think through what that reporting and cadence structure is and the skillsets, so that when they write up in the 10-K what they’re doing…that they do actually have proper oversight of the programs,” Pearce said.
The short-term solution is to educate members currently on the board—Pearce said groups like the National Association of Corporate Directors (NACD) offer cyber risk oversight training. In the longer term, organizations will put more emphasis on new board members who have stronger cyber backgrounds.
Experts also recommended firms bring in outside consultants to review their cyber risk management and governance programs. The reviews could in turn bolster cyber readiness.