The clock is fast ticking for public-listed organizations to ensure compliance with Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Rules (rules) recently adopted by the U.S. Securities and Exchange Commission (SEC). The rules, set to come into force from December 2023, are expected to improve transparency for investors, customers, and other stakeholders in matters related to a company’s cybersecurity risk management and governance processes.
One of the key requirements under the new rules is for public companies to report material cybersecurity incidents to the SEC within 4 days of determining the materiality of the incident. However, what constitutes “material” is somewhat of a gray area.
Let’s take a closer look.
As per the final rules:
In the press release, the SEC relied on the definition set by judicial precedent, “Information is material if there is a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision, or if it would have significantly altered the 'total mix' of information made available.”
Further, the SEC explained that companies should consider both qualitative and quantitative factors to determine the material impact of an incident. It explained:
“By way of illustration, incidents violating a company’s security policies or procedures, or affecting a company’s reputation, financial condition, operations or causing harm to a company’s customer or vendor relationships, or competitiveness may all be considered as examples of a material impact on the company. Similarly, the possibility of litigation or regulatory investigations or actions, including regulatory actions by state and Federal Governmental authorities and non-U.S. authorities, may constitute a reasonably likely material impact on the registrant.”
While these are good examples of cybersecurity incidents, it leaves ample scope for subjective judgment on the part of organizations as to what constitutes “materiality”. It will also vary from organization to organization depending on factors such as the scale of their operations, nature of business, type of products, and criticality of the information residing in their systems.
So, in the absence of a clear definition, it is advised that CISOs, IT risk professionals, and other executives in charge of compliance with the rules, display complete honesty and transparency, erring on the side of caution.
The other aspect to consider is that the rules require organizations to make their materiality determinations “without unreasonable delay” – which, again, seems open to interpretation. The SEC explains:
“A company being unable to determine the full extent of an incident because of the nature of the incident or the company’s systems, or otherwise the need for continued investigation regarding the incident, should not delay the company from determining materiality. Similarly, if the materiality determination is to be made by a board committee, intentionally deferring the committee’s meeting on the materiality determination past the normal time it takes to convene its members would constitute unreasonable delay.”
To put things into perspective, the mean time to identify a breach in 2023 is 204 days, according to IBM’s Cost of a Data Breach Report 2023. So, the timelines for an organization to detect a breach, determine its materiality, and then report it to the SEC – could be ambiguous in practice.
Nonetheless, the final rules are a great initiative in the right direction. Among other things, it will compel organizations to improve the maturity of their incident detection & response and overall cyber risk management and governance processes. We could see future revisions that offer more clarity and/or more requirements for companies to adhere to.
Join our upcoming webinar on September 13th, where we will analyze the SEC’s new cybersecurity rules and discuss key strategies and best practices to achieve compliance, along with domain experts:
In a previous blog, I delved into the key requirements that organizations need to meet and the strategies that can help them achieve this goal. Here’s a look at how MetricStream CyberGRC can help you achieve compliance:
Under the SEC Rules, You Need to | With MetricStream CyberGRC, You Can |
---|---|
Report material cybersecurity incidents to the SEC within 4 days of determining the materiality of the incident, subject to an additional extension of the timeline at the Attorney General’s discretion | - Establish consistent procedures for incident documenting, analyzing, and remediating all the way till closure - Maintain a single source of truth for incident lifecycle for quick and efficient reporting |
Annual Reporting on the processes for assessing, identifying, and managing material cybersecurity risks, including third-party risks, and whether any cyber risks have had a material effect or are likely to do so | - Assess and manage IT and cyber risks in a standardized manner using industry frameworks, such as ISO 27001 and NIST - Generate comprehensive reports providing in-depth visibility into the overall security posture |
Annual Reporting on the board’s oversight of cybersecurity risks, the management’s role and expertise in assessing and managing material cybersecurity risks, and how the board/subcommittee is informed about cyber risks | - Leverage user-configurable reports with role-based views into relevant risk, threat, vulnerability, and control data in real-time – which can be presented to the board and top management - Record and maintain the expertise of the members of the management team or cyber risk committee/subcommittee members |
Disclose whether they are engaging with third-party assessors, consultants, or auditors in connection with any cybersecurity processes | - Document and maintain information on third parties mapped to relevant details such as IT assets, business units, products or services, contracts, spend, certifications, ongoing assessments, country, risk or compliance issues, due diligence status, etc. - Generate reports that provide insights into risks, compliance, and performance of third-party vendors |
Describe whether and how cybersecurity processes have been integrated into the overall risk management system or processes | - Implement an integrated GRC solution to obtain real-time status monitoring and comprehensive reports, providing in-depth visibility into overall risk management systems and processes |
Learn more about how MetricStream can help achieve compliance with the SEC’s cybersecurity rules: