Fortune
Sheryl Estrada

CFOs are under the gun as the SEC’s new 4-day data breach disclosure window goes into effect

The US Securities and Exchange Commission (SEC) headquarters in Washington, DC, (Credit: Samuel Corum/Bloomberg—Getty Images)

Good morning.

Large public companies now have less than a week to report to regulators a cybersecurity breach that may impact the bottom line.

The U.S. Securities and Exchange Commission’s (SEC) new rule on cybersecurity disclosure went into effect on Monday. It requires public companies to disclose on the Form 8-K any cybersecurity incident within four days of the company determining it to be “material,” such as having a significant impact on the company's financials, operation, or relationship with its customers. All public companies are now required to use the SEC's data tagging technology known as Inline XBRL. Smaller businesses have an additional 180 days before required compliance with the four-day reporting rule. 

Companies also have to create annual reports explaining how they manage cybersecurity. The assessment of business disruption and impact to financials will most likely fall under the purview of the CFO.

“CFOs and [chief information security officers] CISOs should learn to speak each other’s languages,” Mike Britton, CISO at Abnormal Security, told me regarding the new rule. The AI-powered email security company earned a spot on this year’s Fortune Cyber 60 list that identifies the fastest-growing startups in cybersecurity. 

“My best advice for CFOs is to get to know your CISO, and through them, better understand how to balance the cost of addressing your cyber-risk level and the cost of the potential consequences of not addressing them,” Britton said. “CISOs need to appeal to the strategic interests of the CFO and communicate how company decisions can create risk. And CFOs also need to understand cyber risk and what risks may impact financial statements and the materiality of reporting breaches.”

Determining a material incident

Since March of 2022, there had been indications that the SEC would take some action on cybersecurity reporting. The SEC announced in July when the rules would go into effect, so execs have had some time to prepare.

But with a four-day time frame to report, some companies may be walking a tightrope when it comes to determining what makes a cybersecurity incident material and at the same time responding to that incident and putting out fires.

“We spend a lot of our time with our clients talking through materiality considerations,” Naj Adib, principal of cyber and strategic risk at Deloitte, told me.

When working with clients, Adib starts with the SEC’s guidelines on materiality, determining the nature, extent, and potential magnitude of a cybersecurity incident. “But the SEC is not here to prescribe what cyber capabilities you need to have in place,” he said. “A manufacturing company is going to be different from a financial service company.” 

Adib said companies will need a cybersecurity response team with members such as IT, legal, CIOs, CFOs, and CISOs, who are looking at the entire process, from cyber incident identification all the way to disclosure.

Measuring materiality considerations involving qualitative factors like an impact on reputation, implications for relationships with your customers and vendors, or even the impact on talent, can be a challenge, Adib said. But this goes back to having the right cybersecurity response team in place with those who can tell you from the business scope and operations whether what's happening is really important, he said. 

As companies put a greater emphasis on strengthening cybersecurity, spending is on the rise. Industry research firm IDC estimates that worldwide spending on security products and services will total $219 billion this year, up 12% from 2022, and reach nearly $300 billion in 2026.

The SEC’s new rules are “a potential game changer for the industry and a major tailwind for the cyber security industry,” Wedbush analyst Dan Ives said in a Monday note to investors.

Sheryl Estrada
sheryl.estrada@fortune.com
