Are Your Cybersecurity Disclosure Controls and Procedures Up to Date?

This article was updated March 14, 2022.

On March 9, 2022, the SEC proposed amendments to its rules to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies.

Evaluate Incidents Carefully

Nonmaterial cyber incidents don’t have to be disclosed to the SEC, and the number of cybersecurity incidents is likely higher than organizations report.

What if some of the cybersecurity incidents organizations originally deemed nonmaterial are actually material? How well do organizations evaluate incidents to determine whether they’re material?

Properly responding to material incidents could protect your organization from receiving charges from the SEC.

SEC Enforcement Changes

Until recently, the SEC rarely enforced actions on cybersecurity incidents. However, two recent charges against companies indicate things are changing.

A property title company in California and an educational services company in the United Kingdom received enforcement actions for not properly disclosing facts surrounding a material cybersecurity incident.

In each case, front-line IT personnel might not have:

  • Fully understood how their company defined materiality
  • Been incentivized to report the vulnerability up the chain of command
  • Made necessary changes to systems or programs in a timely manner

The Division of Enforcement within the SEC is signaling a hard line against companies that haven’t designed and implemented cybersecurity disclosure controls that result in disclosures that fully and transparently mention all material facts regarding incidents.

How Can You Assess If a Cybersecurity Incident Is Material?

Materiality of a cybersecurity incident depends on its impact and the magnitude of compromised information.

For example, leaked personal health information (PHI) or personally identifiable information (PII) could be a material event for an organization whose business relies on protecting its customers’ sensitive information.

In the cases mentioned above, the SEC defined materiality broadly and the companies defined it narrowly.

  • Narrow means looking myopically at an unpatched system
  • Broad means looking at all known facets of a cybersecurity incident

Generally, assessing the materiality of a cybersecurity incident is an assessment of the potential impact to the company’s reputation, financial performance, customer and vendor relationships, possibility of litigation, and possibility of regulatory investigation. If the impact is great enough to cause an investor to make a buy or sell decision, then the incident is material.

Responding to a Cybersecurity Incident

With its recent enforcement action, the SEC signals that employees with knowledge of security vulnerabilities are expected to communicate this information up the chain of command. Those charged with reporting material incidents must do so in a timely fashion.


How Should an Organization Respond to a Cybersecurity Incident?

Once a security breach has been identified, companies should respond quickly to secure the impacted systems and fix any vulnerabilities while ensuring there are no other attacks in progress or vulnerabilities that could be exploited.

The Federal Trade Commission (FTC) outlines steps companies should take to respond to an incident in their online guide.

Once an incident has been deemed material, report it. The front-line IT team, officers, directors, and anyone else aware of a cybersecurity incident should report it prior to the offer and sale of securities.

This is to help those trading around the time the incident was discovered avoid an insider trading charge.

Senior management should disclose a material cybersecurity incident as soon as possible.

Who Should Be Told?

The front-line IT team should inform people in senior management responsible for deciding whether to make a public disclosure.

This could include members of the board and audit committee, the CEO, CFO, Chief Information Officer (CIO), and Chief Information Security Officer (CISO).

What Should Be Included in an SEC Cybersecurity Incident Disclosure?

Management should evaluate the significance associated with cyber-risks and incidents in their disclosures.

Cybersecurity disclosures should describe the following:

  • The company’s judgements about materiality
  • What senior management and the board knew and when they knew it
  • How materiality was assessed in light of relevant facts
  • Circumstances of the incident(s), including prior breaches

What Are Best Practices for Keeping Accurate Cybersecurity Disclosure Controls and Procedures?

Do your organization’s policies, procedures, and controls give senior management the information they need to assess materiality and disclosure implications, including remediation?

The SEC recommends that companies annually assess compliance with cybersecurity disclosure controls as part of the SOX 404(a) assessment.

Management should consider the following best practices:

  • Assess whether IT general controls (ITGC) address the risk of failure to make necessary changes to programs or systems
  • Ensure that relevant information about cybersecurity risks is processed and reported up the corporate ladder so senior management can make disclosure decisions and certifications
  • Confirm IT risk assessment identifies cybersecurity risks and inventories the company’s sensitive data
  • Describe the board’s oversight role with respect to cybersecurity risk management and assess cyber expertise
  • Annually train the front-line IT team to understand materiality and communicate with the CEO, CFO, and board to avoid insider trading issues and inaccurate disclosures

The Role of an Internal or External Auditor

The auditor focuses on the IT risks affecting financial reporting. They assess the design and operating effectiveness of the ITGCs to ensure that automated controls operate effectively and that key reports and other information provided by the entity (IPE) are complete and accurate.

A cybersecurity incident could happen without being identified or disclosed to the audit engagement team. The auditor should assess the nature and extent of the breach, including what was stolen, altered, or destroyed. The auditor should consider the effect of the breach on the company’s operations, and potential financial implications.

The auditor should assess whether the incident resulted from a deficiency in internal controls over financial reporting (ICFR), such as excessive user access, deficient change management controls, or an unpatched system, and whether remediation of any control breakdown has taken place.

The auditor should revise the risk assessment and document the relevant considerations of the cybersecurity incident on the audit.

The auditor should discuss with management and the audit committee the nature and type of disclosures the company is considering in its financial statements or notes to those statements. The auditor should also ensure the audit committee was adequately informed as soon as practical.

We’re Here to Help

For guidance on cybersecurity disclosure controls and procedures or SEC cybersecurity requirements, contact your Moss Adams professional.

You can also visit our IT Consulting Services for additional resources.
