When the Securities and Exchange Commission's (SEC) new cybersecurity incident reporting regulation took effect for most registrants on December 18, 2023, it immediately drew confusion over what the regulator meant by a "material" incident.
Questions also surfaced about how companies are working to comply with the regulation and what new processes and procedures organizations must build in order to do so. Critics, for their part, saw the SEC's move as micromanaging.
After letting the hubbub ebb a little, AuditBoard, a cloud-based audit, risk, compliance and sustainability platform provider, is now offering some answers to decode the disclosure rule, and has conducted a survey to take the pulse of the organizations that must comply with it.
But first, here’s a snapshot of the SEC’s reporting rules:
- Registrants must disclose a cybersecurity incident they have determined to be material on Form 8-K (Item 1.05) within four business days of that materiality determination (not of discovery), and must also disclose annually, in their 10-K, their processes for assessing, identifying and managing material risks from cybersecurity threats, along with the board's oversight and management's role, to better inform investors.
- Information is material if there is a substantial likelihood that a reasonable investor would consider it important in making an investment decision, or if disclosing it would significantly alter the total mix of information already publicly available about the company.
Enterprise Security Pros and the SEC Cybersecurity Incident Disclosure Rule
In a newly published study, AuditBoard surveyed 314 security professionals working in enterprise environments across multiple industries, at companies with revenue exceeding $100 million, to determine how their organizations are complying or planning to comply with the disclosure regulation.
Here are the report’s key findings:
- While 98% of security professionals and executives surveyed have started working to comply with the new SEC cybersecurity disclosure ruling, more than one-third are still in the early stages of their efforts.
- Fewer than half (48%) of organizations have performed a gap assessment to determine what needs remediation in order to comply. Those that have performed a gap assessment are significantly more confident in their ability to comply with the new rule in 2024 than those that have not.
- 49% of organizations have already established processes and methodologies to determine materiality, and 98% of those using a framework to determine materiality report a moderate to high understanding of that framework and their ability to provide the right inputs.
- Updating or integrating the disclosure process is a top challenge, and only 39% of organizations report cross-functional or cross-departmental alignment on the processes and steps involved.
- An integrated view of risk management significantly increases confidence in complying with the new SEC cybersecurity ruling in 2024. Those using technology to facilitate the disclosure process feel less challenged by stakeholder adoption of these new workflows.
Creating Processes for SEC Disclosure Rule
Richard Marcus, AuditBoard's vice president of information security, told MSSP Alert in an email interview that much of the breach risk an organization contends with is "not internal but stems from third-party relationships."
Here is the text of that Q&A, lightly edited for brevity:
MSSP Alert: The SEC's disclosure rules extend to supply chain companies, perhaps including managed security service providers. In AuditBoard's view, what's the impact of that requirement?
AuditBoard: The current environment of heightened third-party software attacks (or supply chain attacks) and subsequent legislative response is elevating third-party risk management as an organizational priority. Much of the risk that an organization contends with is not internal but stems from third-party relationships. The new regulations will bring a level of transparency around risk management and third-party risk management.
The extension of these requirements down the supply chain also has a cascading effect on reporting requirements for incidents that take place in your vendor ecosystem. A vendor may have an incident that requires disclosure, and if that vendor supports a critical business process, or handles data that is particularly sensitive to your organization, you may discover that the incident actually has a material impact on your organization, requiring your own disclosure to your shareholders, and so on up and down the supply chain.
MSSP Alert: Some companies may experience cyberattacks on a daily basis, if not more frequently. It might be particularly onerous for those companies to report on breaches that meet the materiality criteria. What's AuditBoard's take on that?
AuditBoard: The key for organizations is to define materiality thresholds that can be used by incident response functions to flag incidents that meet these conditions. They should include guidelines around the types of impact or the scale of impact that would result in a material impact on the stock price. For some organizations it may be focused on the loss of intellectual property, reputational damage in the marketplace, or the number of customer records lost or disclosed. Only incidents whose impact meets these materiality definitions will be considered for disclosure to shareholders.
MSSP Alert: The study found that technology is the least mature for compliance with the rules. Why is that?
AuditBoard: Many organizations are looking at the requirements and saying they are not comfortable disclosing today because they have too many gaps and they don't want people to know about that. And so, it may cost them a lot to fill those gaps.
Most organizations lack a technology solution that enables a cross-functional team to review, draft and approve these disclosures in compliance with the regulation. These events are identified in IT or InfoSec, drafted into incident reports that get reviewed by legal, risk, internal audit and/or compliance before being passed to investor relations to start working the disclosure into a filing. Since this is a new requirement, organizations are just now putting together the processes to make compliance achievable and looking for technology to help them implement this quickly.