Good morning.
Four business days. That’s how long public companies have to report to the U.S. Securities and Exchange Commission (SEC) a cybersecurity breach that may impact an organization’s bottom line.
The SEC announced the adoption of new rules on July 26 that requires the disclosure on the new Item 1.05 of Form 8-K of any cybersecurity incident the company determines to be “material,” along with a description including the “nature, scope, and timing,” and likely impact.
The new rules also add Regulation S-K Item 106, which will require companies to describe their processes for assessing, identifying, and managing material risks from cybersecurity threats, and the board of directors’ oversight of risks from cybersecurity threats. These disclosures will also be required in a registrant's annual report on Form 10-K.
The new rules will take effect in December or 30 days after publication in the Federal Register. The Form 10-K and Form 20-F disclosures will be due beginning with annual reports for fiscal years ending on or after Dec. 15, the SEC announced.
Many companies have already been sharing information on cyber incidents in 8-K forms, but there’s now a standard. And CFOs are increasingly tasked by companies to have a greater role in regulatory reporting. In Deloitte's CFO Signals Survey for Q2 2023, finance chiefs cited increasing regulations and working with regulators as one of their top challenges related to managing enterprise risk (43%). And implementing processes to identify, monitor, and address risks was also listed as a concern (27%).
It's crunch time…for some
Since March 2022, there was indication that the SEC would take some action on cybersecurity reporting, and public companies should have been preparing, according to Courtney Adante, president of the security risk advisory at Teneo, a global CEO advisory firm. In addition to managing the division, Adante supports Fortune 500 clients with the design and delivery of enterprise security strategy programs including cybersecurity risk management.
"My perspective is the SEC was really aiming for more transparency for the investment community," Adante says. "What I've seen is companies, particularly in highly regulated industries or sectors like financial services, or even defense, were largely positioned ahead of the game because they’ve had to adhere to regulation for some time now. For other industries and other sectors that may not have been spending the time here, it's crunch time. I think that they've got a window of about six months to get themselves organized before these rules go into effect."
What role does Adante think CFOs will play in SEC reporting? “The materiality assessment in terms of business disruption, and impact to financials and bottom line, obviously, lies with the CFO,” she says. “But the CFO will need to make that decision informed by a whole suite of stakeholders within the company and peers in the C-suite, and below, in the ensuing days and weeks after a breach in order to make that decision on materiality.”
If it is a material breach, and worthy of being reported to the SEC, how does a company beat the clock on the four-day rule? Prepare around crisis management to have the “ability to very quickly mobilize as an executive leadership team to share information and do that in a seamless way,” Adante explains. “And not only ensuring that they have those incident response and crisis management frameworks in place, but test them out now.”
Guy Melamed, CFO and COO at Varonis Systems Inc. (Nasdaq: VRNS), a software company that provides data security and analytics, shares his perspective. “CFOs are usually responsible for many things, but the SEC rules mean they now have to gain knowledge of one more subject that was never taught in any accounting class: cybersecurity,” Melamed says. “The responsibility for keeping companies secure is still under the security team—but CFOs must start stepping up and asking questions about their organization’s security, and the right ones. All too often, risk starts when critical information is overexposed.”
What's a good security question? “Ask your [chief information security officer] who can or who has accessed your financial statements in the last 30 days. If they can’t answer you in five
minutes, you are exposed,” Melamed says.
Sheryl Estrada
sheryl.estrada@fortune.com
