We recently hosted a compact and very engaging panel discussion about the new SEC Cyber Incident Reporting Rules due to come into effect later this year. We were fortunate to be joined by two well-known experts:
- Sue Bergamo, a CISO, CIO, Board Member, Executive Advisor, and Investor with a track record of effectively transforming people-process-technology to meet business needs – most recently at BTE Partners.
- Mike Wilkes, Adjunct Professor at NYU and former CISO at Marvel with deep experience managing designing, building and securing high-availability mission critical infrastructures for a myriad of business sectors – most recently at Ammolite Analytx and SecurityScorecard.
In the post, we will *not* rehash what was said in the panel discussion. If you did not get to attend the live session, we invite you watch it on-demand – it’s 30 minutes well spent!
Instead, we will delve into the lively online chat between audience members – who hailed from the four corners of the world, and even the “8th circle of Hades (aka south Louisiana)” (their words, not ours!) – during the discussion. Although there were more than 300 comments to sift thru, we’ve “curated” (and lightly edited) the best of them here to augment the insights from our panelists.
Who’s Impacted?
The audience was very interested in who’s impacted by this new rule. For instance, how is a “small company” defined?
As Calvin noted: “Small company is ambiguous. Sometimes its 1-50, 1-20, or 1-100 employees. Some organizations define company size by revenue or production.”
It turns out not to be that ambiguous after all. The SEC defines a “smaller reporting company” as those that have either a “public float of less than $250 million, or less than $100 million in annual revenues and no public float or public float of less than $700 million.” [Reference]
And Maurício asked: “Is the 4-day disclosure deadline for US and foreign companies? I understood that in the 6k form, the disclosure deadline is within a reasonable period.”
Our co-panelist Mike responded that: “I’m pretty sure the Form 6-K for foreign companies is also 4 days once this is in effect. Specific language from page 12 ‘FPIs (ed.: foreign private issuers) must furnish on Form 6-K information on material cybersecurity incidents that they disclose or otherwise FPIs must furnish on Form 6-K information on material cybersecurity incidents that they disclose or otherwise publicize in a foreign jurisdiction, to any stock exchange, or to security holders.’”
Bottom line, it pertains to all companies registered with the SEC – meaning they are publicly traded on a (US) stock exchange – regardless of size or where they are domiciled.
What’s Material?
There was A LOT of discussion regarding what is and is not “material” – because the new SEC incident disclosure rules require companies to acknowledge any risks from cybersecurity threats, including past incidents, that have materially affected or are likely to materially affect the company’s business strategy, operations, or financial condition.
Dr. Ed commented that: “Under the traditional securities law definition of materiality, an incident is considered ‘material’ if it meets one of the following criteria: 1. Substantial Likelihood Criterion; or 2. Total Mix Criterion.”
Deborah added that: “Under the Securities Act, the US Supreme Court has held that a fact is material if there is “a substantial likelihood that the fact would have been viewed by the reasonable investor as having significantly altered the ‘total mix’ of information made available.””
This quickly gave way to _who_ decides whether an event is material. Lots of folks chimed, suggesting it should be your General Counsel (GC) or external counsel, your COO or CEO, or even the Board of Directors (BOD). Our co-panelist Mike conjectured that: “Whomever had the ownership of breach declaration previous to this new rule should probably also be owning the materiality decision as well.”
Why? Because the clock starts as soon as that materiality decision is reached. Here Calvin remarked that: “The determination that an incident is material is even more subjective, no? How would you articulate how/why it took X time to make the determination?” This led to this interesting back-n-forth:
- Bil: Exactly … good companies will define this which, IMHO, will remove cases like that of Sullivan at Uber. There will be no mistaking what is a material issue and ensure that it is declared to the board. Poorly run companies will leave it vague and use it as a buffer to gain more time before declaring it publicly. They’ll need to investigate, “run the scenarios”, etc. etc. before they determine it was material to an investor.
- Mike: What, in your experience, is a valid value for X? How long is too long to investigate before disclosing versus a “reasonable” period of pre-disclosure investigation? 1 week, 2 weeks, 2 months?
- Bil: Honestly would depend on the company and the complexity of the systems and data involved. You could make it as simple as “anything affects investor confidence” so every breach is material or you could build a case that discounts dozens of scenarios and spend time doing “critical investigations” to ensure it met the conditions of material.
Finally (for this synopsis), Patricio opined that: “Materiality is subjective, GAAP determines that items are material if they could individually or collectively influence the economic decisions of users, taken from financial statements. Per FASB, ‘the magnitude of an omission or misstatement of accounting information that, in the light of surrounding circumstances, makes it probable that the judgment of a reasonable person relying on the information would have been changed or influenced by the omission or misstatement.’”
In response, our co-panelist Mike suggested that: “Maybe we start to see something called GASP emerge? Generally Accepted Security Practices seems like a logical evolution of the practice of infosec professionals.”
If you _really_ want (or need) to dig into the materiality question from the SEC’s perspective, a good place to start might be this bulletin: SEC Staff Accounting Bulletin: No. 99 – Materiality. Just remember, it’s not the impact of the breach per se, but rather the perceived impact of the breach on investor decision-making.
And Much, Much More
Many more topics were touched upon in the vigorous online chat, including:
- How it compares with other regulations such as GDPR, and that it’s not just the sheer number but the different scopes involved that make management complex.
- That hackers don’t care about checkboxes (see Ivan V’s post here) but the concern over bad actors scouring Form 8-Ks might be overblown because that information is unstructured, making it harder to mine for actionable insights.
- Lots of to-and-fro on whether data breaches really have an impact on company stock prices (and whether companies will focus on this instead of the impact on customers, partners, employees, and the wider public), whether disclosing too soon is a potential harm to both companies and investors, and whether investors will become numb to all the disclosures (which Mike estimates will rise from 35 in 2022 to 7,000 or more after this rule comes into effect).
- And some discussion on CISO liabilities (especially in light of the recent Wells Notices received by Solarwinds execs) and whether D&O insurance will become the norm for CISOs (Mike noted that it’s not yet part of the “default” in the Delaware corporation templates, and that CTOs were just added last year).
We’ll give the final word to Veronica, who wrote that it was: “Very interesting to listen to this after coming across one of my clients who had to report a data breach to ICO within 72 hours.”
We hope you will take a listen and find it equally worthwhile.
References and Further Reading
To help you with the new SEC Incident Disclosure requirements, we’ve pulled together the “who, what, where, when and how” into an infographic for you to download and share.
In addition, here are some more materials on the full & final Public Company Cybersecurity Disclosure rules from the Security and Exchange Commission (SEC) regarding the required disclosure of material cybersecurity incidents and the periodic disclosure of cybersecurity risk management, strategy, and governance in annual reports.