Cybersecurity disclosures and the role of the CISO

IT and security teams, on the frontline of the battle against cyber threats, now have to ready their companies for greater cyber transparency.

• The SEC cyber disclosure rule poses a new challenge to the CISO, CIO and chief technology officer. Amid a cyber incident, is your team able to detect, assess and communicate the information the rule requires to a wide variety of stakeholders who have to decide if the incident is material and necessary to disclose in an SEC filing?
• The new rule has a specific requirement for timely disclosure of a cyber incident after its discovery and determination of material impact. Can your team escalate information in a timely manner?
• The new rule will also test your ability to coordinate with business, finance, legal and risk teams and communicate with the rest of the company complex and technical matters necessary for compliant disclosures.

The SEC released its final rule on Cybersecurity Risk Management, Strategy, Governance and Incident Disclosure on July 26, 2023. With this new rule, the SEC puts the onus on companies to give investors current, consistent and decision-useful information about how they manage their cyber risks.

Everyone in charge of upholding the confidentiality, integrity and availability of their company’s information systems should take heed. This responsibility often falls under the chief information security officer (CISO), chief information officer (CIO) and/or chief technology officer (CTO) at SEC registrants.

Disclosing the existence of a material cyber incident is not a new requirement. What’s new is the specificity of the what, how, when and where to disclose a material cyber incident. This will increase the CISO’s, CIO’s and CTO’s responsibilities.

The three steps you need to take now if you’re in charge of IT and security in your company

CISOs wonder what they’re ultimately responsible for to comply with the new rule. They’re asking, Am I effectively making materiality determinations when I decide what gets escalated? Are materiality considerations part of my escalation criterion? What should I do to make sure that disclosures in 10Ks regarding cybersecurity are accurate? What can I do to help reduce the company’s exposure to compliance risks?

Even if your compliance plan is in place, here are three areas you’ll want to double-check.

1. Understand your risk posture alongside your cybersecurity management program’s capabilities and constraints.

Managing cyber risks is one thing. Being able to disclose the way you manage them to the public in financial statements is quite another. You should determine how well your company’s cybersecurity program can deliver on its mission in line with the SEC’s final rule.

Ask yourselves the questions in How well do you understand your company’s cyber risk posture and risk management program? If your answer to any of the questions is no or not sure, then you may need to make immediate improvements to support more stringent disclosure statements.

Even if you’re able to respond to these questions with a resounding yes, there may be room for improvement. It’s helpful to think ahead about how your practices stack up against your peers and competitors once consistent and comparable disclosures become available to investors.

2. Understand your company’s materiality framework and your ability to provide the right inputs.

Determining materiality is not the sole responsibility of any one person. It will be a stress test of how well you communicate and coordinate with others to make materiality judgments about cyber incident reporting. Here’s what you should do to be prepared.

• Establish an organized process to work with the appropriate individuals involved in materiality determinations.
  • Help define and develop a materiality policy at the enterprise level.
  • Expand the incident response process to include tracking of incident attributes and metadata needed for establishing materiality.
  • Establish a repeatable, structured method for consistent reporting of incident metadata required to establish materiality.

• Confirm the information you need for determining materiality.
  • Evaluating materiality is not a simple, straightforward exercise. Work closely with the CFO, general counsel and other key stakeholders to establish a “materiality framework” to confirm consistency in your approach to capturing and escalating potentially material incidents. PwC offers perspectives on what companies should consider when evaluating materiality.
  • Confirm alignment on the framework, associated metadata and organizational thresholds for incident materiality (individually or in aggregate) with other key internal stakeholders.
  • Confirm that you can capture and maintain incident metadata in a consistent manner as part of business-as-usual incident response workflow, and create a plan for improving metadata tracking over time.
  • Confirm that you can categorize incidents by defined attributes to determine materiality across multiple incidents. You and your team are the only ones who can do this. Be sure to identify occurrences that may be related to a current or past incident (e.g., those that are perpetrated by the same threat actor or those where different threat actors exploit the same vulnerability). Confirm that you have the ability to identify and record related incidents so you escalate them together as necessary.

• Build processes that enable you to quickly gather required information.
  • Instruct incident responders on the additional requirements and the process for collecting metadata.
  • Ingrain formal steps to record incident metadata required for materiality determination throughout the documented cyber incident response process, supported by a call track with various organizational stakeholders — product managers and IT portfolio teams, for instance — who can provide the necessary information.
  • Develop analytics dashboards (e.g., by collating operational dashboards, financial dashboards) for incident responders that incorporate common incident materiality measurements (e.g., cost of downtime).
  • Develop defensible methods based on currently available incident metadata to estimate or project materiality thresholds. Align on thresholds — say, 51% probability that a threshold is met — for invoking materiality reporting procedures. This will help support:
    • Materiality determination for mid- and long-term impacts like determining potential costs and negative impacts for incidents where actual costs and negative impacts are yet to materialize or won’t be understood for some time.
    • Materiality determination for indirect impacts (such as those related to incidents with high impact potential, but no materialized impacts on the business (e.g., active directory compromise).
    • Asserting to the SEC why you’ve deemed an incident immaterial at a given point in time.

• With each cyber incident, prepare to document contemporaneously.
  • As each event occurs, have tools and templates ready that facilitate documentation of the materiality assessment.
  • This will help create a defendable position if a challenge arises.

3. Build relationships with internal partners.

You’ll have many stakeholders needing you to provide information.

• Board and appropriate committees. The board and some of its committees — audit, risk, technology, cyber risk oversight — will be looking to you for expertise. You’ll need to present cyber threat and incident data in a concise, accessible and actionable way.
• CEO. Your CEO will continue to focus on confirming that your company’s information and systems are secure and able to meet SEC rule requirements. Like the board, the CEO will need concise, accessible and actionable data and will need confirmation that your cybersecurity risk management program has appropriate governance.
• CFO. Your CFO is likely to focus on producing investor-grade information, especially in the event of a material incident, and will want confidence that your program can quickly assess incident materiality.
• Internal audit. IA will want to understand and assess the identified cybersecurity risks as well as test the controls designed to mitigate them. IA also will want comfort in the entire company’s ability to respond to a material threat and generate disclosure. (Learn more about the role of internal audit.)
• Investor relations. Investor relations will focus on the impact the disclosure of a material incident will have on the market and making sure that investors receive necessary information to make informed decisions.
• General counsel. The office of the general counsel will concentrate on confirming that office holders’ and the company’s legal obligations are met, while also limiting any legal liability.