By now, CFOs understand that the SEC’s final rule on cybersecurity disclosure requires public companies to give investors prompt, “decision-useful” information about material cybersecurity incidents, as well as periodic information on their approaches to cyber risk management, strategy and governance.
What they may not fully appreciate is the holistic, collaborative approach required to meet the new disclosure requirements.
CFOs may encounter challenges in applying “materiality” to cyber risks and cyber incidents. They may also face similar uncertainties in assessing their company’s cyber risk management, strategy and governance. In both cases, the path forward calls for careful coordination with the CISO and general counsel (GC) — and potentially the CIO/CTO and CEO.
The final rule requires public companies to describe in their annual 10-K filings the processes, if any, for assessing, identifying and managing material risks from cybersecurity threats, management’s role in assessing and managing those risks, and the board of directors’ oversight of risks from cybersecurity threats. It also requires timely disclosure of material cybersecurity incidents on Form 8-K — within four business days of determining that an incident is material.
Evaluating materiality is about much more than direct financial impacts when deciding whether and how to disclose a cyber incident under the rule. It’s a deliberative process that requires objective analysis of both quantitative and qualitative factors.
CFOs play a critical role in helping their company produce accurate, well-reasoned and defensible cybersecurity disclosures on Forms 8-K and 10-K. To carry out this role with confidence, consider the following questions.
Have we reached a clear understanding among the finance, IT/security and legal teams about the quantitative and qualitative factors that go into evaluating a cyber incident’s materiality and its reasonably likely impact on our company’s financial condition and results of operations?
The SEC’s standard for materiality, as outlined in the rule’s adopting release, is anchored to what the Supreme Court has deemed material information. A fact is material if there is a “substantial likelihood that a reasonable investor would consider it important” or if it would have “significantly altered the ‘total mix’ of information made available.”
To apply this standard in the context of a cyber incident, your team should be prepared to conduct an objective analysis of both quantitative and qualitative factors, including evaluation of the incident’s impact and reasonably likely impacts.
As CFO, you may think in terms of a quantitative, financial materiality threshold: Was this attack costly enough to be considered material? But as the definition states, materiality judgments require going beyond purely quantitative measures. Even less-costly breaches, or those that cause no financial harm, can lead to a determination that the incident is material. If sensitive customer data was hacked, for instance, your company’s reputation might suffer.
Your CISO and GC may have ideas regarding materiality that extend beyond financial loss. The GC, in particular, may need to consider legal questions that are more open-ended and qualitative. In this case, it’s important for you and them to agree on a collective, objective and defensible assessment.
Is our finance team aligned with the IT/security teams to get the right information at the right time so we can make materiality determinations? Have we identified the people who need to provide that information? Do we need to consult any third-party business partners or vendors?
Evaluating materiality is a deliberative process that requires gathering inputs from multiple sources. Work closely with the CISO, GC and other key stakeholders to establish a materiality framework that outlines your company’s approach for identifying and escalating potentially material incidents.
If a cyber incident is considered material, you’ll need to report to investors on a Form 8-K using the information that your CISO will provide. If facts are highly technical, can the CISO communicate them in terms that those responsible for drafting the report can fully comprehend and distill into useful information that conforms to SEC requirements? You may be able to help your CISO with terminology and messaging.
And what if a vendor, supplier or other third party you depend on has a cybersecurity incident? Make sure your agreements require them to notify your company promptly, and establish information-sharing protocols so you can determine whether the incident has propagated to you. Keep in mind that the rule’s definition of “information systems” covers electronic information resources your company owns or uses, so an incident on a third-party system that hosts or processes your data can still be an incident for your company. If the event touched no information systems your company owns or uses, 8-K Item 1.05 will not come into play, though the vendor incident may still affect other aspects of your business and trigger other disclosure obligations.
Do our finance and IT/security teams understand the complexities of getting information on the scale, nature and impact of cyber incidents? Have they accounted for the potentially drawn-out discovery and investigation of facts and circumstances surrounding a cyber incident?
Investigating an attack can be a complex forensics undertaking — especially in the case of multiple events. The SEC defines “cybersecurity incident” to include a series of related unauthorized occurrences. Events that involve the same threat actor, or multiple actors exploiting the same vulnerability, are examples of when events may be related.
You’ll need to aggregate related occurrences in conducting the materiality determination and, if material, in disclosing the incident. If multiple occurrences are unrelated, you would not have to aggregate them. Instead, you should evaluate each unrelated event for materiality separately.
Thorough investigation depends on forensic evidence from your own systems, and a strong threat intelligence program adds context to that evidence: knowing which threat actor or campaign the activity matches, and that actor’s typical tooling and objectives, helps gauge an incident’s scale, sophistication and potential impact, and helps decide whether separate occurrences are related and must be aggregated. That information feeds directly into the judgment of whether a cyber incident is material and subject to disclosure.
As CFO, you need to stay apprised of new developments that could affect materiality findings. Stay in close communication with the other members of the CFO-CISO-GC triad.
Have we conducted tabletop exercises, including scenarios that will require judgment calls with incomplete information?
Practice can sharpen your readiness. Have your teams play out various scenarios with tabletop exercises designed to test your disclosure processes. Involve all parties who would normally be a part of deciding the materiality of a cyber incident.
Don’t be lulled into thinking that determining next steps is someone else’s job. Increasingly, the task of making disclosure calls belongs at least in part to the CFO.
What if there were a ransomware attack on your company? What if you got a call from the FBI informing you that you may have been compromised? Design your tabletop exercises to highlight the steps you’ll need to take — all of which should align with your materiality assessment playbook.
Have we set up formal, documented processes for communication about cyber incidents?
Retain all relevant communications, including public statements, internal documents, notes from one-on-one meetings and from meetings of your CFO-CISO-GC triad, and minutes of disclosure committee meetings. Keeping these organized lets you provide contemporaneous supporting evidence for your materiality determinations.
Does the disclosure committee meet to discuss cyber incidents? Consider formalizing the discussion of cyber incidents and be sure to document the deliberations.
Documenting how you determine an incident’s materiality is critical, particularly if you decide it isn’t material. If the SEC questions your conclusion, it will be helpful to have documentation of your processes, the quantitative and qualitative factors considered, and the basis for your decision.
How are we coordinating with the GC in the determination of disclosures and reviews?
The GC’s role is focused on compliance with laws and regulations and protecting the company from legal liability.
Materiality determinations require complex judgments, and CFOs and GCs both play a critical role in issues of materiality and disclosure. In addition to measuring quantitative harm, CFOs and GCs should ask open-ended questions, consider the relevant facts and circumstances, and then work together to decide.
Are you prepared to navigate potential differences in views between the CFO and GC? Recognize that a healthy tension can be instrumental to reaching an appropriate determination.
Do we have a process to assess a material cyber incident for potential weakness in internal control over financial reporting (ICFR)? Do we have a process to promptly notify and advise our independent auditor to prepare them for what they need to do?
Management needs a robust process for evaluating the impact of a material event on ICFR. If this process is already in place at your organization, how might it differ in the context of a cybersecurity incident?
In the event of a breach, you should confirm that management follows that process. Even if there’s no evidence that financial systems were compromised or that intruders gained access to the necessary credentials, could the attack have materially impacted your financial reporting systems and capacity?
Considerations may include:
With expanded disclosures on 10-Ks regarding cyber risk management, strategy and governance, how can we be comfortable with our factual accuracy? What level of assurance do we need that our cybersecurity strategy and practices are followed in day-to-day operations?
The CFO must sign a certification relating to the accuracy of information in the filing as well as with respect to establishing, maintaining and evaluating the effectiveness of disclosure controls and procedures regarding material information. This means you’re accountable for accurately disclosing the organization’s cyber risk management practices even if you’re not responsible for the day-to-day management of cyber risk.
Others in the company will need to provide input into what’s disclosed and how. Stakeholders include the CISO, GC, finance/accounting and internal audit staff, among others. Make your questions as open-ended as possible so you can really feel comfortable with the disclosures’ completeness and accuracy.
The items required for disclosure shouldn’t be your only concern, however. Try to learn details about the activities you describe in the disclosure. If your cyber risk management program includes working with third parties, for example, ask about those vendors’ qualifications, the frequency and scope of their testing, and the results of those tests. While these details go beyond what may be required in the disclosure, understanding the broader picture will be important to your comfort when you certify.
Everyone involved in drafting the 10-K should understand that what’s disclosed will be publicly revealed and the potential implications. While those in finance/accounting, the GC’s office and internal audit will be familiar with this situation, those in the CISO’s office may not be. The organization should consider providing training on disclosure procedures and the implications. Reviews and “sub-certifications,” in which key individuals responsible for cyber risk management also attest to disclosure accuracy, are other verification methods.
Get involved in discussions among those responsible for cyber risk management and the board or any subcommittees. Knowing what information is flowing to the board can alert you to any material changes that could require additional or different disclosure in SEC filings.
If your 10-K is due later in the cycle, review the first wave filings from your peers to get an early baseline on industry disclosure practice. Even after you file your 10-K, continue to look around to see what other companies are doing. This will help you understand how your cyber risk management differs from your peers, helping you to make changes as needed.
How prepared are we to answer questions from the board about cyber disclosures?
The SEC didn’t include a cyber expertise disclosure requirement on boards, but the increased attention to and disclosures on cyber risks will remain a board concern. Board members will likely request more frequent or detailed updates regarding cyber risk management from company managers and even outside experts.
CFOs — working closely with GCs, CISOs, internal auditors and others within the organization — should be ready to answer questions from the board about disclosures regarding material and immaterial cyber incidents as well as annual disclosures of cyber risk management, strategy and governance.
Board members will likely ask about the company’s investments in cybersecurity risk management as well as costs associated with any past cybersecurity incidents. In addition, given your role in establishing and evaluating the effectiveness of disclosure controls and procedures and internal control over financial reporting, you’ll probably be asked how the company’s cyber risk has affected these processes and how new and emerging risks might change them.