Are Your Cybersecurity Disclosure Controls and Procedures Up to Date?

This article was updated August 30, 2023.

Properly responding to material incidents could protect your organization from receiving charges from the SEC.

The SEC published its final rule meant to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies.

Evaluate Incidents Carefully

Nonmaterial cyber incidents don’t have to be disclosed to the SEC; however, the number of material cybersecurity incidents is likely higher than organizations report.

What if some of the cybersecurity incidents organizations originally deemed nonmaterial are actually material? How well do organizations evaluate incidents to determine whether they’re material?

SEC Enforcement Cases

In the past, the SEC rarely brought enforcement actions over cybersecurity incidents. However, three enforcement cases against companies indicate that this is changing.

A property title company in California, an educational services company in the United Kingdom, and a software company in South Carolina received enforcement actions for not properly disclosing facts surrounding a material cybersecurity incident.

In each case, front-line IT personnel might not have:

  • Fully understood how their company defined materiality
  • Been incentivized to report the vulnerability up the chain of command
  • Made necessary changes to systems or programs in a timely manner
  • Described the incident accurately and completely

The Division of Enforcement within the SEC is signaling a hard line against companies that haven’t designed and implemented cybersecurity disclosure controls that accurately and completely capture all material facts regarding incidents. Registrants should know the new rules give the SEC a new basis for bringing enforcement actions.


How Can You Assess If a Cybersecurity Incident Is Material?

Materiality of a cybersecurity incident depends on its impact and the magnitude of compromised information.

For example, leaked protected health information (PHI) or personally identifiable information (PII) could be a material event for an organization whose business relies on protecting its customers’ sensitive information.

In the cases mentioned above, the SEC defined materiality broadly and the companies defined it narrowly.

  • Narrow means looking myopically at the direct impact of a cybersecurity incident
  • Broad means looking at all known facets of a cybersecurity incident, including the impact on the registrant’s reputation, customer or vendor relationships, or competitive position

Generally, assessing the materiality of a cybersecurity incident is an assessment of the potential impact to the company’s reputation, financial performance, customer and vendor relationships, possibility of litigation, and possibility of regulatory investigation. If the impact is great enough to cause an investor to make a buy or sell decision, then the incident is material.

Responding to a Cybersecurity Incident

With its enforcement actions, the SEC signals that employees with knowledge of security vulnerabilities are expected to communicate this information up the chain of command accurately and completely. Those charged with reporting material incidents must do so in four days.


How Should an Organization Respond to a Cybersecurity Incident?

Once a security breach has been identified, companies should respond quickly to secure the impacted systems and fix any vulnerabilities while ensuring there are no other attacks in progress or vulnerabilities that could be exploited.

The Federal Trade Commission (FTC) outlines steps companies should take to respond to an incident in their online guide.

Once an incident has been deemed material, it must be reported within four days. The front-line IT team, officers, directors, and anyone else aware of a cybersecurity incident should report it before any offer or sale of securities.

This is to help those trading around the time the incident was discovered avoid an insider trading charge.

Who Should Be Told?

The front-line IT team should inform people in senior management responsible for deciding whether to make a public disclosure.

This could include members of the board and audit committee, the CEO, CFO, Chief Information Officer (CIO), and Chief Information Security Officer (CISO).

What Should Be Included in an SEC Cybersecurity Incident Disclosure?

Management should evaluate the significance associated with cyber-risks and incidents in their disclosures.

Cybersecurity disclosures should describe the following:

  • The company’s judgements about materiality
  • What senior management and the board knew and when they knew it
  • How materiality was assessed in light of relevant facts
  • Circumstances of the incident(s), including prior breaches

What Are Standard Practices for Keeping Accurate Cybersecurity Disclosure Controls and Procedures?

Do your organization’s policies, procedures, and controls give senior management the information they need to assess materiality and disclosure implications, including remediation?

The SEC recommends that companies annually assess compliance with cybersecurity disclosure controls as part of the SOX 404(a) assessment.

Management should consider the following best practices:

  • Assess whether your IT general controls (ITGC) address the risk of failure to make necessary changes to programs or systems
  • Ensure that relevant information about cybersecurity risks is processed and reported up the corporate ladder so senior management can make disclosure decisions and certifications
  • Confirm that the IT risk assessment identifies cybersecurity risks and inventories the company’s sensitive data
  • Describe the board’s oversight role with respect to cybersecurity risk management and assess its cyber expertise
  • Annually train the front-line IT team to understand materiality and communicate with the CEO, CFO, and board to avoid insider trading issues and inaccurate disclosures

SEC Final Rules

New Item 1.05 of Form 8-K

Registrants will be required to disclose under this item any cybersecurity incident they determine to be material and to describe the material aspects of the incident’s nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant.

An Item 1.05 Form 8-K will generally be due four business days after a registrant determines that a cybersecurity incident is material.

The disclosure may be delayed if the U.S. Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the Commission of that determination in writing.

New Regulation S-K Item 106

This will require registrants to describe annually any processes for assessing, identifying, and managing material risks from cybersecurity threats, as well as the material effects or reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents.

Item 106 will also require registrants to describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats. These disclosures will be required in a registrant's annual report on Form 10-K.

Applicability to Foreign Private Issuers

The rules require comparable disclosures by FPIs on Form 6-K for material cybersecurity incidents and on Form 20-F for cybersecurity risk management, strategy, and governance.

Effective Dates

The final rules will become effective September 5, 2023. The Form 10-K and Form 20-F disclosures will be due beginning with annual reports for fiscal years ending on or after December 15, 2023. The Form 8-K and Form 6-K disclosure requirements will be applicable beginning December 18, 2023. Smaller reporting companies will have an additional 180 days, until June 15, 2024, before they must begin providing the Form 8-K disclosure.

The Role of an Internal or External Auditor

The auditor focuses on the IT risks affecting financial reporting. They assess the design and operating effectiveness of the ITGCs to ensure the effective operation of automated controls and the completeness and accuracy of key reports or information provided by the entity (IPE).

A cybersecurity incident could occur without being identified or disclosed to the audit engagement team. The auditor should assess the nature and extent of the breach, including what was stolen, altered, or destroyed, and consider the effect of the breach on the company’s operations and its potential financial implications.

The auditor should assess whether the incident resulted from a deficiency in internal controls over financial reporting (ICFR), such as excessive user access, deficient change management controls, or an unpatched system, and whether remediation of any control breakdown has taken place.

The auditor should revise the risk assessment and document the relevant considerations of the cybersecurity incident on the audit.

The auditor should discuss with management and the audit committee the nature and type of disclosures the company is considering in its financial statements or notes to those statements. The auditor should also ensure the audit committee was adequately informed as soon as practical.

We’re Here to Help

For guidance on cybersecurity disclosure controls and procedures or SEC cybersecurity requirements, contact your Moss Adams professional.
