General counsel’s role in cyber disclosure

By now, the general counsel (GC) understands that the SEC’s final rule on cybersecurity risk management, strategy, governance and incident disclosure puts the onus on companies to give investors current, consistent and “decision-useful” information about how they manage their cyber risks. The rule requires that, in annual 10-K filings, all SEC registrants reporting under the Securities Exchange Act of 1934 describe the processes, if any, for assessing, identifying and managing material risks from cybersecurity threats, management’s role in assessing and managing those risks, and the board’s oversight of cyber risks.

It also requires prompt disclosure of material cyber incidents on Form 8-K — within four business days of determining that an incident is material. Assessing materiality will require applying standards developed under federal securities law, which is something the GC is well-positioned to handle.

  • Materiality and risk management disclosure, while familiar concepts to the GC, can pose unique challenges in a cybersecurity context. Consulting with the CISO and CFO will be key to understanding which technical and financial details you’ll need to include in your 8-K incident report and 10-K cyber risk management and strategy disclosure. In the GC capacity, you should apply a legal and compliance perspective, using your background and knowledge to create more accurate, complete and defensible disclosures that investors deserve, while safeguarding your organization’s interests.
  • While the CISO and CFO will have quantitative details, the GC should take a broader, qualitative view through the widest possible aperture, one that takes into account an incident’s effects on stakeholders, the business and corporate information assets overall, including IP or other confidential information. But to ask the right questions, you’ll need the right information. To get it, you’ll need to ask other questions.
  • Because time is of the essence, preparation before an event is critical. In the urgency following an incident, you won’t have time to deliberate over what you need from the CFO and CISO. The three of you should be prepared to spring into action immediately, with an established framework ready and in hand. Start working now with the CFO and CISO to set in place the information-sharing framework, weighing options and deciding how to escalate a cyber incident to the management disclosure committee or group charged with making the materiality determination. 

Questions that GCs should be asking now

GCs have a critical role helping produce accurate, well-reasoned, defensible and compliant cybersecurity disclosures on Forms 8-K and 10-K. To do this role with confidence, here are some questions to consider.

1. Materiality framework and assessment criteria

To what extent should we use a strict formula to determine a cyber incident’s materiality versus a flexible framework? Which criteria and considerations should we use to help the CISO and those responsible for SEC reporting determine whether an incident qualifies as material?

The new rule will require collaboration with a team that may look a bit different from what you’re used to, one that includes both the CFO and CISO. The three of you will need to work together to assemble and organize the information you need for making sound, defensible judgments.

You’re a key constituent in the CISO-CFO-GC triad, with each member playing an important part in determining materiality. The CISO might consider the more technical issues; the CFO, financial ones. GCs consider materiality more broadly, taking in the total mix of relevant factors, including the reputational, operational, legal and regulatory impacts and how the business may determine the value of different categories of information assets on its face or competitively.

Do you have a framework for formulating your qualitative analysis and integrating quantitative inputs? If so, it shouldn’t be highly prescriptive, as each incident will have unique factors to weigh as you consider its materiality. Many incidents will likely be financially insignificant yet still have material impacts. You’ll need flexibility in your framework to account for the nature and circumstances of each incident.

However, your framework should be specific in spelling out the approach and methodology you’ll use in determining materiality. Consistency is key to making sound comparisons and contrasts, and to connecting the dots to see patterns that might affect your finding.

2. Process for getting CISO input

Is our disclosure process getting the right information from the CISO’s office for sound materiality determinations? What’s being escalated?

The CISO’s team should have processes in place for collecting and analyzing incident data, and categorizing metadata to help link related incidents, as the SEC rule requires. For disclosure, ask the CISO about the incident’s level on the severity matrix, as well as the soundness of the attribution regarding the threat intelligence.

Also ask about the CISO’s escalation procedures. Do they consider materiality factors or are they based solely on technical severity? You’ll likely want to weigh in on those considerations and make sure that the CISO understands the SEC’s requirements. 

The CISO should have a process for detecting and identifying related incidents that share the same vulnerability or the same actor. Once the CISO has identified related incidents, how are the incidents aggregated and escalated for a dispositive determination of materiality? What’s the process for making sure this happens when it needs to?

And what happens when, after an incident has been deemed not material, new information becomes available? How do you confirm that the disclosure committee or others responsible for determining materiality get all the information so they can reconsider their findings if warranted, as the SEC requires?

In anticipation of a cyber incident, consider your existing crisis management frameworks. Assess whether your office is included in this process at the right time, and whether the other teams understand why the GC’s office needs to be involved in these matters on a timely basis. Does someone on your team have cyber expertise or knowledge? Consider bringing them into your discussions with the CISO. Adjust escalation procedures where needed.

3. Documentation of materiality deliberations

Does our process call for contemporaneous notes and logs to explain materiality decisions in a subsequent review? Can we demonstrate the work behind the legal judgments we’ve made regarding when and what to disclose?

Documenting how you determined an incident’s materiality is critical, particularly if you determine it’s not material. If the SEC questions your conclusion, it will be helpful to have documentation of your processes, the quantitative and qualitative factors considered, and the basis for your decision. 

Make contemporaneous documentation as discussions occur, as this will naturally hold more weight as evidence of the decision-making process. Store your documentation for later use, as well, keeping in mind that today’s non-material breach can become material later on as more information comes to light. Should the same threat actors attack again, or should others exploit the same vulnerability, the SEC’s requirement for aggregating related incidents could be triggered. Be sure to have mechanisms in place for tracking and comparing potentially related incidents.

Also, consider whether privilege can and should be asserted over your materiality analysis and documentation. Are you engaging with outside counsel? Is the broader team outside your group educated on privilege, how to preserve your assertion of privilege, and how best to document in a manner that contemplates discoverability?

4. Protecting confidential information

How can we draft disclosures in a compliant manner that simultaneously protects confidential information about the organization’s cyber program? 

What’s the right amount of disclosure consistent with the spirit of the rule? Making this call is no easy task, but it’s one GCs are accustomed to.

Information you provide in these filings should be complete, accurate and defensible. As you oversee the drafting of these disclosures, be aware of the need for transparency, which the SEC demands on investors’ behalf, as well as the company’s desire to safeguard proprietary information.

You can disclose properly without divulging sensitive information and creating additional risk. You’ll want to provide technical details in the 8-K regarding what happened and what was exposed. In the 10-K, you’ll need to describe the mechanisms in place and the frameworks you’re using to safeguard your systems, networks and data as well as other non-technical details of your cyber risk management. The key is to strike the right balance between transparency and confidentiality.

5. Delays for national security or public safety

If immediately disclosing the incident could pose a substantial risk to public safety or national security, how do we report it to federal law enforcement and confirm that we are well coordinated internally? How will we be informed of any determinations and communications with the SEC that could affect the required timing for our reporting?

The rule does allow for limited disclosure delays in some circumstances. Item 1.05 of Form 8-K, under the rule, provides that the US Attorney General may grant disclosure delays in cases where the disclosure might present “substantial risk” to national security and public safety. The FBI says it’s working closely with the DOJ to develop further guidance regarding this provision, including on intake and evaluation processes for delay requests.

Your CISO should have an existing relationship with local/regional FBI cyber representatives. It’s important for the GC/senior legal leader to also cultivate a relationship with the FBI that includes a procedure for contacting them. Determine whether you will contact federal law enforcement in the event of an incident, who will make contact, and what you need to convey. You may also consider a more formal, small “cyber panel” of external counsel in case you need outside advice.

6. Verifying the accuracy of 10-K disclosures

How comfortable are we that the assertions regarding cybersecurity risk in the 10-K are accurate and complete? What level of assurance do we need that our cyber strategy and practices are followed in day-to-day operations?

Your role in reviewing your company’s 10-K disclosure on cyber risk management, strategy and governance for accuracy is critical. The CFO signs a certification each quarter attesting to the accuracy of the information in the filing, often relying on your input. To confirm the information’s accuracy, you and the CFO may both need to ask questions of the CISO.

These questions should go beyond required disclosure elements to address activities the 10-K addresses. For example, does your company use third parties to help manage its cyber risks? You and the CFO should take pains to ask the CISO for those parties’ qualifications, how often they test your company’s systems and their own for vulnerabilities, and the scope and results of those tests. Your disclosures may or may not broach these topics but having good information can help confirm that you’re approving 10-K filings with confidence.

Completeness also matters in providing investors an honest accounting of your cyber risk management program. And as GC, you don’t want to subject your organization to added scrutiny because of vague or incomplete disclosures. Work with your CISO and CFO starting well before the filing date to cover all bases — while, again, not divulging any sensitive technical details.

The CISO will need to identify evidence to support the statement in the 10-K. Are they relying on threat intelligence to help determine risks? What is the quality review of the evidence or intelligence that led to any conclusions? How are the risks being managed? What is the cybersecurity maturity of your organization and what’s being done to improve it? Consider asking outside entities such as external legal counsel and auditors to verify your 10-K claims.

Confirm your 10-K disclosure aligns with other, related compliance and reporting obligations — including cyber requirements from state regulators — for consistency across all compliance points of intersection. Similarly, confirm it’s consistent with prior and planned public statements, press releases and other communications by company officials, and ask questions to understand the reasons for any differences between the 10-K and other disclosures.

7. Responding to board questions

How prepared are we to answer questions from the board about our company’s cyber disclosures?

The SEC ultimately decided against imposing a cyber expertise disclosure requirement on boards of directors. But the increased attention to and disclosures on cyber risks will remain a board member focus, with the board likely to request more frequent or more detailed updates relating to cyber risk management and other technology- and data-related risks. In addition to the guidance from management, the board may also seek to bring in third-party experts to educate its members on cybersecurity threats and risks.

Work closely with the CISO, CFO, internal audit and others within the organization to prepare for questions from the board, both with respect to disclosures regarding cyber incidents (whether deemed material or not) and with respect to the annual disclosures of cyber risk management, strategy and governance.
