The Securities and Exchange Commission (SEC) requires public companies to disclose material cybersecurity incidents and information about their cybersecurity risk management, strategy, and governance in their 8-K and 10-K reports.
8-K vs. 10-K Reports
Form 8-K is used to announce significant events that shareholders should be aware of, and material cybersecurity incidents are now one of those events. The new Item 1.05 of Form 8-K requires a company to disclose any cybersecurity incident it determines to be material, describing the material aspects of the nature, scope, and timing of the incident, as well as its material impact or reasonably likely material impact on the company, including its financial condition and results of operations. The materiality determination must be made without unreasonable delay after the incident is discovered, and the Item 1.05 filing is due within four business days of that determination (not of the discovery itself). The only permitted delay is when the U.S. Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety. Form 10-K, on the other hand, is the annual report that provides a comprehensive summary of a company’s financial performance and, under the new Item 1C, a description of its cybersecurity risk management, strategy, and governance.
Under the new Regulation S-K Item 106, companies are required to describe their processes for assessing, identifying, and managing material risks from cybersecurity threats, and to state whether any risks from cybersecurity threats, including previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the company (Item 106(b)). They must also describe the board’s oversight of cybersecurity risk and management’s role and expertise in assessing and managing it (Item 106(c)). Compliance with these SEC regulations is not just a legal requirement but also a way to mitigate the Chief Information Security Officer’s (CISO) liability. CISOs play a critical role in managing cybersecurity risks and in supplying the facts behind the company’s SEC disclosures. By effectively managing and reporting on cybersecurity incidents, CISOs can reduce their liability and protect their organizations from potential regulatory penalties and reputational damage. CISOs and organizations should understand these SEC reporting requirements and implement proactive measures for compliance and risk mitigation. This includes:
- developing robust incident response plans,
- integrating cybersecurity into risk management and governance frameworks, and
- regularly reviewing and updating cybersecurity initiatives.
What is Materiality?
Materiality, for SEC reporting purposes, follows the long-standing securities-law standard: information is material if there is a substantial likelihood that a reasonable investor would consider it important in making an investment decision, or if it would significantly alter the “total mix” of information made available. In the context of cybersecurity, a material incident would be one that has a substantial impact on the organization’s operations, financial condition, or reputation. The SEC deliberately did not set a bright-line threshold (such as a dollar amount or number of affected records) for what constitutes a material cybersecurity incident. Instead, each organization must apply that standard to its own circumstances, including its size, market capitalization, and the nature of its operations, and the analysis must weigh qualitative factors as well as quantitative ones. Factors that an organization might consider when defining materiality include:
- the nature and extent of the incident,
- the potential financial impact,
- the potential harm to the organization’s reputation and to customer or vendor relationships,
- the potential for litigation or regulatory action, and
- the potential impact on the organization’s strategic plans or competitive position.
For example, a cybersecurity incident that results in a significant loss of customer data, disrupts operations for an extended period, or exposes the organization to significant legal liability would likely be considered material. In addition, the SEC requires organizations to consider not only the immediate impact of a cybersecurity incident but also its reasonably likely future impact. This means that an incident that is not initially considered material could become material if it is likely to have a significant effect on the organization’s future operations or financial condition, and the SEC also expects a series of related incidents to be evaluated together where that is appropriate. Defining materiality for SEC reporting is a complex process that requires a thorough understanding of the organization’s operations and the potential impact of cybersecurity incidents. It is recommended that organizations work closely with their legal, financial, and cybersecurity teams to develop a clear and robust definition of materiality, and to document who makes the determination and how quickly escalation to that group must happen, since the four-business-day filing clock starts at the determination.
Testing the Definition
After defining materiality, an organization should navigate a series of steps to ensure that the definition is not only accurate but also effective in identifying material incidents.
Firstly, the organization should test the definition. This involves applying the definition to various hypothetical scenarios to see if it accurately identifies incidents that would have a significant impact on the organization’s operations, financial condition, or reputation. This could involve running tabletop exercises, which are simulated emergency situations, to see how the definition holds up under different circumstances.
Secondly, the organization should review and adjust the definition periodically. This is because the nature of risks and threats that an organization faces can change over time. For example, new types of cyber threats may emerge, or the organization may enter new business areas with different risk profiles. Therefore, it’s important to ensure that the definition of materiality remains relevant and effective.
Thirdly, the organization should compare its definition of materiality with those used by other organizations in their reports to the SEC. This can provide valuable insights into industry best practices and help the organization to refine its own definition. However, it’s important to remember that what is material for one organization may not be material for another, due to differences in size, industry, risk tolerance, and other factors.
The definition of materiality should be well-documented and communicated throughout the organization. This is to ensure that all employees understand what constitutes a material incident and can therefore identify and report such incidents promptly. Defining materiality is not a one-time exercise but an ongoing process that requires regular testing, review, and adjustment. By doing so, an organization can ensure that it is well-prepared to identify and report material incidents to the SEC in a timely and accurate manner.
CISO Liability
CISO liability in SEC reporting refers to the responsibilities and potential legal consequences that a Chief Information Security Officer (CISO) may face in relation to the reporting of cybersecurity incidents to the Securities and Exchange Commission (SEC). This liability is particularly relevant for publicly traded companies, which are required to disclose material cybersecurity incidents in their 8-K and 10-K reports. The rules themselves place the filing obligation on the company rather than on any individual officer, but because Item 106(c) requires the company to disclose which management positions are responsible for cybersecurity risk, the CISO is typically the named person behind these disclosures and is expected to:
- Oversee the incident response process, including the identification, assessment, and management of cybersecurity risks. In the event of a material cybersecurity incident, the CISO is expected to escalate the facts promptly so that the company can make its materiality determination without unreasonable delay and file the Item 1.05 8-K within four business days of that determination, detailing the nature, scope, and timing of the incident, as well as its material impact or reasonably likely material impact on the company.
- Be involved in the development and implementation of cybersecurity initiatives and strategies, as described in Form 10-K Item 1C.
- Ensure that the company’s cybersecurity posture is accurately reflected in SEC reports. This includes providing a comprehensive overview of the company’s risk management and governance frameworks, as well as detailing any material cybersecurity incidents that have occurred. Statements that overstate the maturity of controls are the most direct route to personal exposure, so the CISO should verify that every claim in a filing matches what is actually deployed.
- Be proactive in mitigating their liability. This can be achieved through various methods, such as maintaining a strong cybersecurity posture, integrating cybersecurity into risk management and governance frameworks, and ensuring compliance with all relevant SEC regulations.
A CISO’s liability in SEC reporting is significant and multifaceted, encompassing both the proactive management of cybersecurity risks and the reactive response to material cybersecurity incidents. In practice the CISO is the central figure in these processes, ensuring that the company maintains compliance with SEC regulations and communicates its cybersecurity posture to investors accurately.
Managing CISO Liability
As stated above, the Chief Information Security Officer (CISO) plays a crucial role in managing the cybersecurity risks of an organization. As such, they are often involved in the preparation and review of SEC 8-K and 10-K reports, which disclose material incidents and information about the company’s cybersecurity initiatives. Given the potential legal and financial implications of these reports, it’s essential for CISOs to take steps to limit their liability. Here are some strategies that a CISO can employ:
- Obtain Cybersecurity Insurance: Cybersecurity insurance can provide a financial safety net in the event of a significant cybersecurity incident. This insurance can cover costs associated with incident response, data recovery, legal fees, and potential fines or settlements. It’s important for CISOs to work closely with their organization’s risk management team to ensure that the coverage is adequate and aligns with the company’s risk profile. Note that cyber insurance protects the organization; a CISO concerned about personal exposure should also confirm that the company’s directors and officers (D&O) policy and indemnification agreements extend to their role.
- Build a Strong Relationship with Legal Counsel: CISOs should work closely with their organization’s legal team to understand the legal implications of cybersecurity incidents and the associated reporting requirements. Legal counsel can provide guidance on how to disclose incidents accurately and effectively in SEC reports, reducing the risk of potential legal issues down the line.
- Review Disclosures Before Reporting: Before an 8-K or 10-K report is submitted to the SEC, the CISO should thoroughly review the disclosures related to cybersecurity. This includes verifying the accuracy of the information, ensuring that all material incidents have been disclosed, and confirming that the disclosures align with the organization’s overall cybersecurity strategy and initiatives. This not only helps to ensure compliance with SEC regulations but also reduces the risk of potential liability for the CISO.
- Implement Robust Cybersecurity Practices: A proactive approach to cybersecurity can significantly reduce the risk of a material incident occurring in the first place. This includes implementing strong security controls, regularly assessing and managing risks, and establishing an effective incident response plan. By demonstrating a commitment to robust cybersecurity practices, a CISO can show that they have taken reasonable steps to protect the organization, which can be beneficial in the event of a legal dispute.
- Regular Training and Awareness Programs: CISOs should ensure that all employees, not just those in the IT department, are aware of their roles and responsibilities when it comes to cybersecurity. Regular training and awareness programs can help to prevent incidents caused by human error and can demonstrate the organization’s commitment to cybersecurity. They also give substance to the governance and management-role disclosures that Item 106 requires.
By taking these steps, a CISO can not only limit their liability but also contribute to the overall cybersecurity resilience of their organization.
Cybersecurity Initiatives
Cybersecurity initiatives within organizations have become a critical component of business operations, given the increasing prevalence of cyber threats and the potential for significant financial and reputational damage. These initiatives encompass a wide range of activities, from implementing robust security measures to protect against threats, to conducting regular risk assessments and audits to identify vulnerabilities and ensure compliance with various regulations. The importance of a strong cybersecurity posture in SEC reporting and compliance with the Sarbanes-Oxley Act (SOX) cannot be overstated. The SEC has made it clear that publicly traded companies are required to disclose material cybersecurity incidents in their 8-K and 10-K reports, and SOX mandates that companies maintain adequate internal controls over financial reporting, which includes the IT general controls (access, change management, and operations) that protect the systems producing financial data. Therefore, a robust cybersecurity posture not only helps protect against threats but also plays a role in maintaining regulatory compliance and investor confidence.
The integration of cybersecurity into risk management and governance frameworks is essential. This involves the establishment of clear roles and responsibilities for managing cyber risks, the development of comprehensive incident response plans, and the regular review and updating of these plans to ensure they remain effective in the face of evolving threats. By integrating cybersecurity into these frameworks, organizations can ensure a coordinated and proactive approach to managing cyber risks, reducing their potential impact and enhancing overall business resilience.
Conclusion
SEC reporting requirements for publicly traded companies are a significant aspect of incident response and risk management. The disclosure of material cybersecurity incidents and of the company’s cybersecurity risk management, strategy, and governance in 8-K and 10-K reports is not only a legal obligation but also key to maintaining investor confidence and mitigating CISO liability. The role of the CISO in managing these risks and ensuring compliance with SEC reporting requirements is paramount. By effectively managing and reporting on cybersecurity incidents, CISOs can reduce their liability and protect their organizations from potential regulatory penalties and reputational damage.
It is essential for organizations to understand the concept of materiality in the context of cybersecurity and to develop a robust definition that accurately identifies incidents that could significantly impact their operations, financial condition, or reputation. This requires regular testing, review, and adjustment to ensure its effectiveness. Furthermore, organizations should implement proactive measures for compliance and risk mitigation, including developing robust incident response plans, integrating cybersecurity into risk management and governance frameworks, and regularly reviewing and updating cybersecurity initiatives. By doing so, they can ensure that they are well-prepared to identify and report material incidents to the SEC in a timely and accurate manner, thereby protecting their interests and those of their investors.
Reach out to Wolf’s vCISO team today to learn how we leverage our expertise to ensure your organization manages cybersecurity risks effectively, while maintaining compliance with SEC reporting requirements.