It’s been over a year since the SEC’s new (can we still call it that?) cyber reporting requirements went into effect, and experts are seeing a few patterns.
Examining a year’s worth of filings, SEC compliance management tool developer Intelligize has noticed “some consistent commonalities and reporting around cybersecurity,” according to performance enablement manager Lauren Tamaska.
Tamaska recently shared some key cybersecurity incident reporting trends Intelligize found this past year. “Many issuers are slowly becoming more transparent about their cybersecurity efforts, especially as the SEC has increased its focus in this area,” she told CFO Brew.
But first, a quick refresher: The SEC now requires companies to report material cyber incidents within four days, and detail cyber risk management practices annually. Early on, experts identified materiality as a sticking point for companies, as the definition would not be the same across the board. They also predicted the rule would boost cyber hygiene practices overall, now that everyone’s risk management processes were a matter of public information.
Standard-bearer. Tamaska noted four themes in company filings:
- Organizations are using “established cybersecurity frameworks,” such as those published by the National Institute of Standards and Technology, as guidance to identify risks and detect threats, she said.
- Boards of directors have taken on a larger role in overseeing cyber governance practices. Orgs are establishing dedicated cyber risk oversight committees or assigning the responsibility to existing audit or risk committees. They’re also disclosing board members’ cyber expertise and/or cyber training.
- Many companies are highlighting cyber threat detection and response by including details like “implementation of incident response plans and regular cybersecurity drills,” Tamaska said.
- Lastly, companies are highlighting third-party risk management plans, with an apparent “awareness on the rise in supply chain attacks,” Tamaska noted. Controls around third-party risk include “vendor assessments and continuous monitoring.”
What’s in a name? As we said before, deciding whether a cyber incident is material isn’t so clear-cut. Some companies (take Microsoft, for example) erred on the side of caution in reporting. This was a big enough point that the SEC issued some guidance on reporting immaterial incidents. Tamaska called materiality “an elephant in the room when it comes to cybersecurity reporting.”
“Even though it’s still evolving, we have already started to see the trends,” she said, “and how companies are defining materiality are really starting to bubble up.”
According to Intelligize, companies tend to define an incident as material if it impacted their operations or financials. But they also consider potential reputational damage or legal liabilities resulting from an incident. Companies also tend to have processes for defining materiality that involve input from board members, legal counsel, and management.
“Initially, we did see a lot of boilerplate language around materiality, but now we’re seeing more issuers quantifying the financial impacts of cyber incidents, including potential fines, remediation costs, and the effects on revenue or market share,” Tamaska said.
Who’s in charge? Recent disclosures show an uptick in companies identifying “dedicated leadership for cybersecurity,” Tamaska noted.
“The chief information security officer (CISO) is taking center stage,” she said. In newer disclosures, more companies revealed the CISO has direct lines of communication with the CEO, CFO, and the board on cybersecurity matters. “This shift highlights the strategic importance of cybersecurity,” Tamaska said.
More boards are establishing cybersecurity committees to oversee their cyber posture and ensure regulatory compliance, whereas in the past, that responsibility might have been rolled into the remit of the audit or oversight committee, according to Tamaska.
Some companies are also creating cyber working groups, which Tamaska said are “cross-functional” teams involving departments like “IT, legal, compliance, and risk management to address cybersecurity issues and determine…materiality.”