The CFO’s role in SEC cyber disclosures

Is our finance team aligned with IT/security teams to get the right information at the right time so you can make materiality determinations? Have we identified the right people who need to give you information? Do we need to consult with any third-party business partners or vendors?

Evaluating materiality is a deliberative process that requires gathering inputs from multiple sources. Work closely with the CISO, GC and other key stakeholders to establish a materiality framework that outlines your company’s approach for identifying and escalating potentially material incidents.

If a cyber incident is considered material, you’ll need to report to investors on a Form 8-K using the information that your CISO will provide. If facts are highly technical, can the CISO communicate them in terms that those responsible for drafting the report can fully comprehend and distill into useful information that conforms to SEC requirements? You may be able to help your CISO with terminology and messaging.

And what if a vendor, supplier or other third party you depend on has a cybersecurity incident? Make sure your agreements require them to inform your company promptly and establish information-sharing protocols to help determine if you have an incident as a result of propagation. If there's no exposure to your information systems, 8-K Item 1.05 will not come into play — though the vendor incident may involve other aspects of your business and trigger other disclosure obligations.

Do our finance and IT/security teams understand the complexities of getting information on the scale, nature and impact of cyber incidents? Have they accounted for the potentially drawn-out discovery and investigation of facts and circumstances surrounding a cyber incident?

Investigating an attack can be a complex forensics undertaking — especially in the case of multiple events. The SEC defines “cybersecurity incident” to include a series of related unauthorized occurrences. Events that involve the same threat actor, or multiple actors exploiting the same vulnerability, are examples of when events may be related.

You’ll need to aggregate related occurrences in conducting the materiality determination and, if material, in disclosing the incident. If multiple occurrences are unrelated, you would not have to aggregate them. Instead, you should evaluate each unrelated event for materiality separately.

To thoroughly investigate incidents, having a strong threat intelligence program is key. Threat intel’s objective analysis can help determine an incident’s scale, potential impact and sophistication — information needed to weigh whether a cyber incident is material and subject to disclosure.

As CFO, you need to stay apprised of new developments that could affect materiality findings. Stay in close communication with the other members of the CFO-CISO-GC triad.

Have we conducted tabletop exercises, including scenarios that will require judgment calls with incomplete information?

Practice can sharpen your readiness. Have your teams play out various scenarios with tabletop exercises designed to test your disclosure processes. Involve all parties who would normally be a part of deciding the materiality of a cyber incident.

Don’t be lulled into thinking that determining next steps is someone else’s job. Increasingly, the task of making disclosure calls belongs at least in part to the CFO.

What if there were a ransomware attack on your company? What if you got a call from the FBI informing you that you may have been compromised? Design your tabletop exercises to highlight the steps you’ll need to take — all of which should align with your materiality assessment playbook.

Have we set up formal, documented processes for communication about cyber incidents?

Maintain all relevant communications, including public statements, internal documents, notes from one-on-one meetings or those of your CFO-CISO-GC triad and minutes of disclosure committee meetings. Having these organized can help you provide contemporaneous supporting evidence for your materiality determinations.

Does the disclosure committee meet to discuss cyber incidents? Consider formalizing the discussion of cyber incidents and be sure to document the deliberations.

Documenting how you determine an incident’s materiality is critical, particularly if you decide it isn’t material. If the SEC questions your conclusion, it will be helpful to have documentation of your processes, the quantitative and qualitative factors considered, and the basis for your decision.

How are we coordinating with the GC in the determination of disclosures and reviews?

The GC’s role is focused on compliance with laws and regulations and protecting the company from legal liability.

Materiality determinations require complex judgments, and CFOs and GCs both play a critical role in issues of materiality and disclosure. In addition to measuring quantitative harm, CFOs and GCs should ask open-ended questions, consider the relevant facts and circumstances, and then work together to decide.

Are you prepared to navigate potential differences in views between the CFO and GC? Recognize that a healthy tension can be instrumental to reaching an appropriate determination.

Do we have a process to assess a material cyber incident for potential weakness in internal control over financial reporting (ICFR)? Do we have a process to promptly notify and advise our independent auditor to prepare them for what they need to do?

Management needs a robust process for evaluating the impact of a material event on ICFR. If this process is already in place at your organization, how might it differ in the context of a cybersecurity incident?

In the event of a breach, you should confirm that management follows that process. Even if there’s no evidence that financial systems were compromised or that intruders gained access to the necessary credentials, could the attack have materially impacted your financial reporting systems and capacity?

Considerations may include:

• The breach’s root cause
• The ability for the threat actor to move within the environment
• Understanding and evaluating what did happen and what could have happened
• Control deficiencies
• Potential impact on financial reporting

With expanded disclosures on 10-Ks regarding cyber risk management, strategy and governance, how can we be comfortable with our factual accuracy? What level of assurance do we need that our cybersecurity strategy and practices are followed in day-to-day operations?

The CFO must sign a certification relating to the accuracy of information in the filing as well as with respect to establishing, maintaining and evaluating the effectiveness of disclosure controls and procedures regarding material information. This means you’re accountable for accurately disclosing the organization’s cyber risk management practices even if you’re not responsible for the day-to-day management of cyber risk.

Others in the company will need to provide input into what’s disclosed and how. Stakeholders include the CISO, GC, finance/accounting and internal audit staff, among others. Make your questions as open-ended as possible so you can really feel comfortable with the disclosures’ completeness and accuracy.

The items required for disclosure shouldn’t be your only concern, however. Try to learn details about the activities you describe in the disclosure. If your cyber risk management program includes working with third parties, for example, ask about those vendors’ qualifications, the frequency and scope of their testing, and the results of those tests. While these details go beyond what may be required in the disclosure, understanding the broader picture will be important to your comfort when you certify.

Everyone involved in drafting the 10-K should understand that what’s disclosed will be publicly revealed and the potential implications. While those in finance/accounting, the GC’s office and internal audit will be familiar with this situation, those in the CISO’s office may not be. The organization should consider providing training on disclosure procedures and the implications. Reviews and “sub-certifications,” in which key individuals responsible for cyber risk management also attest to disclosure accuracy, are other verification methods.

Get involved in discussions among those responsible for cyber risk management and the board or any subcommittees. Knowing what information is flowing to the board can alert you to any material changes that could require additional or different disclosure in SEC filings.

If your 10-K is due later in the cycle, review the first wave filings from your peers to get an early baseline on industry disclosure practice. Even after you file your 10-K, continue to look around to see what other companies are doing. This will help you understand how your cyber risk management differs from your peers, helping you to make changes as needed.

How prepared are we to answer questions from the board about cyber disclosures?

The SEC didn’t include a cyber expertise disclosure requirement on boards, but the increased attention to and disclosures on cyber risks will remain a board concern. Board members will likely request more frequent or detailed updates regarding cyber risk management from company managers and even outside experts.

CFOs — working closely with GCs, CISOs, internal auditors and others within the organization — should be ready to answer questions from the board about disclosures regarding material and immaterial cyber incidents as well as annual disclosures of cyber risk management, strategy and governance.

Board members will likely ask about the company’s investments in cybersecurity risk management as well as costs associated with any past cybersecurity incidents. In addition, given your role in establishing and evaluating the effectiveness of disclosure controls and procedures and internal control over financial reporting, you’ll probably be asked how the company’s cyber risk has affected these processes and how new and emerging risks might change them.