New proposed regulations for cyber incident reporting
Discover the implications of proposed updates to the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) and its requirements on covered entities.
The Securities and Exchange Commission (SEC) cyber disclosure rule is putting the onus on companies to give investors current, consistent and “decision-useful” information about how they manage their cyber risks.
At most companies, responsibility for compliance will rest among those in several primary roles, each with their own questions to ponder. Coordination among these executives in answering the questions is going to be critical.
It’s been over a year since the SEC finalized the disclosure rule and we continue to see SEC enforcement action for misleading disclosures. Are you prepared to meet their requirements? The resources below can help you determine your readiness.
Featured - 4 items
Many companies are focusing on enhancing their cybersecurity capabilities to meet disclosure requirements
The disclosure requirements aim to protect investors from the harms that a cybersecurity breach could cause. As the number, severity, and stakes of cybersecurity incidents continue to rise, investors are demanding transparency from the companies in which they’ve placed their resources and trust.
We see the rule as a call to action, challenging enterprises to be ready to expand their disclosures regarding their cyber risk management, strategy, and governance processes. For some, revealing this information will be a balance in precision.
Requirement for transparency into cyber practices and incidents has shifted from statutory to actionable, from inconsistent and incomplete to “decision-useful.”
The cyber disclosure rule: what it says, who’s responsible
The final rule requires that, in annual 10-K filings, companies add details describing their cyber program.
It also requires mandatory and speedier filing of Form 8-K for reporting material cybersecurity incidents to the SEC when they occur — within four days of determining that an incident is material. In the rule, cyber incident means an unauthorized occurrence (or series of related occurrences) on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.
The rule provides for a series of extensions if the US Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety.
In a nutshell
- Cyber incident reporting
- Cyber risk management and strategy
- Cyber governance
Cyber incident reporting
SEC’s disclosure requirements for public companies
Report “material” cybersecurity incidents on a Form 8-K within four business days of materiality determination.
Describe the nature, scope, and timing of the incident and the material impact or reasonably likely material impact on the registrant. To the extent required information is not determined or is unavailable at the time of the filing, the 8-K should include disclosure of this fact, and the 8-K should be later amended when the information is determined or becomes available.
Materiality determination should be based on federal securities law materiality, including consideration of quantitative and qualitative factors.
Reminders: The material incident disclosure requirements have been effective since December 18, 2023 . Disclosures for risk management, strategy and governance are in effect for all registrants for fiscal years that ended on or after December 15, 2023.
Organizations that don’t comply with the new rule will likely face serious consequences, as recent SEC enforcement actions suggest. The Commission has levied large fines against companies for not disclosing breaches sufficiently or in a timely manner. It continues a two-pronged approach to enforcement: first, that organizations have appropriate disclosures under the requirements, and second, that they have controls and procedures in place to escalate necessary items for determination of whether disclosures are required.
The full view
Complying with the disclosure rule requires coordination among security, finance, risk and legal teams, as well as, key business leaders (when needed). So it’s helpful to agree internally on how to make accurate disclosures that satisfy the SEC ruling.
The good news is that these capabilities are mutually-reinforcing: improving one area will also help you improve in other areas. Here’s a helpful framework for unifying your organizational efforts.
The capabilities you need for decision-useful reporting on your cyber strategy and practices A PwC framework
Eight questions to answer for SEC cyber disclosure success
Since the proposed rule was finalized, some questions have arisen repeatedly in our conversations with board members, CFOs, CIOs, and CISOs. Companies need to answer these questions clearly to pass muster with the SEC and investors.
- Cyber incident disclosures
- Cyber risk management and strategy
- Cyber governance and reporting
Cyber incident disclosures
1. What is our process for reporting cybersecurity incidents? It’s important for leaders and the board to understand the internal escalation and external reporting processes. Consider testing the escalation process now, before an event occurs.
2. How can we effectively determine materiality of a breach or attack? Determining materiality can be complex and should not be solely the responsibility of any one person. Materiality determinations should involve the CFO, General Counsel, CISO, CIO, and front-line business leaders.
Organizations will already have heeded guidance the SEC released in 2018 regarding cyber disclosures, and will have disclosure controls and procedures that “provide an appropriate method of discerning the impact … on the company and its business, financial condition, and results of operations, as well as a protocol to determine the potential materiality of such risks and incidents.”
Many organizations are already comfortable discussing materiality in terms of financial statements, but the discussion doesn’t stop there. You also need to consider qualitative factors, such as effects on reputation, customer relationships, vendor relationships and regulatory compliance. And you’ll need to begin taking a long view of breaches and breach attempts, considering cumulative effects of related occurrences.
3. How do we confirm that our processes for determining materiality are thoroughly documented? When incidents arise, you’ll want to have documentation detailing how you determined the materiality of an incident, particularly if you determine it’s not material. If the SEC questions your conclusion, you’ll need to justify with details of your processes and considerations of quantitative and qualitative factors, and the rationale and basis for your decision.
4. What is the right level of information to disclose? Recognizing the sensitivity of cybersecurity programs, the SEC’s disclosures are generally more principles based. Nonetheless, complying with the new requirements without revealing confidential information about your cybersecurity procedures and program will be an important consideration. Some companies are creating a standard template for reporting incidents to have on hand, then modify should an event occur.
5. Can we report within the four-day period? We see a lot of confusion surrounding the four-day timeframe for disclosing an incident. The clock starts ticking not when the incident occurs or is detected, but when it is determined to be “material.” The rule does not set forth any specific timeline between the incident and the materiality determination, but the materiality determination should be made without unreasonable delay.
6. How will we comply with the requirement to report related occurrences that qualify as “material”? The final rule removed the requirement to aggregate disparate non-material risks to determine if a 8-K disclosure is required. However, the final rule still requires events that are related — for example, the same malicious actor or that exploit the same vulnerability — to be reported if a company determines they’re material.
Assess and test your preparedness
Is your cyber program disclosure-ready? Test your answers to the questions above. A thorough diagnostic overview of these findings can show you precisely where you need to make changes, to satisfy investors and the public that you are protecting company assets and the company’s reputation.
You may also wish to schedule a “tabletop” exercise in which you and your team enact the processes that you will employ in the event of a cybersecurity incident — to include the process for determining materiality and providing the information required by the 8-K within four business days of the materiality determination. If you’re not confident that you’re ready to make these disclosures properly or in a timely manner, then this sort of exercise will help you get there. If you do feel confident, then a tabletop can validate your conviction — or raise flags that you might not have seen otherwise.
Clients who’ve run these assessment diagnostics and preparedness exercises often find, to their surprise, that they’re not as ready for the new SEC disclosures as they thought. Taking these steps now can help you avoid unpleasant surprises later: not only SEC fines, but also loss of investor confidence and trust and market value.
Related content
Loading...
Making materiality judgments in cybersecurity incident reporting
What is materiality in the SEC rule for cybersecurity? PwC’s new analysis offers the steps to take next to create a defined process and more.
Internal audit's role in cyber disclosure
What is the role of internal audit in the SEC rule for cybersecurity? PwC’s new analysis offers next steps to make compliant disclosures.
Board Central: Cyber Risk Tools
Strengthen how your board of directors governs and oversees cybersecurity risk with a platform featuring PwC insights, peer data and reporting resources.
Loading...
Follow us
