What CFOs need to know about the SEC's 4-day disclosure window
As the SEC tightens the reins on cybersecurity disclosure, Chief Financial Officers find themselves at the vanguard of a new regulatory frontier.
In recent years, the frequency and impact of cyberattacks have increased dramatically, posing significant risks to businesses of all sizes.
Recognising the need for greater transparency and accountability in cybersecurity incidents, the US Securities and Exchange Commission (SEC) has implemented new rules that require public companies to promptly disclose material cyber incidents.
Tasked with disclosing material cyber incidents within four business days of determining that they are material, CFOs are moving beyond their traditional financial roles to become key players in cybersecurity governance.
The SEC’s cybersecurity disclosure rules, adopted in July 2023, with compliance for incident reporting required from 18 December 2023 (smaller reporting companies had until 15 June 2024), emphasise timely and comprehensive reporting of material cybersecurity incidents.
Public companies must now disclose a cybersecurity incident on Form 8-K (Item 1.05) within four business days of determining that the incident is material. The clock starts at the materiality determination, not at discovery of the incident, and the SEC requires that determination to be made without unreasonable delay after discovery. The filing must describe the material aspects of the incident’s nature, scope and timing and its material impact, or reasonably likely material impact, on the company, including its financial condition and results of operations; it need not include technical details that would impede the company’s response or remediation.
Materiality is judged by the established securities-law standard on which the SEC’s rule relies: information is material if there is a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision, or if it would significantly alter the total mix of information available.
Determining the materiality of a cybersecurity incident can be complex. Companies must assess the nature, scope and potential magnitude of the incident, considering its impact on the company’s business, operations, financial condition and relationships with customers and vendors, and the SEC has made clear that qualitative factors such as reputational harm, litigation and regulatory exposure count alongside quantitative ones. The rule also treats a series of related unauthorised occurrences as a single incident, so smaller events that are immaterial on their own may become material in aggregate.
The SEC does not provide a bright-line test or numeric threshold for materiality, recognising that cyber risk varies across industries. Each company therefore needs its own documented process for reaching, and recording the reasoning behind, each materiality determination.
To navigate this challenge, CFOs should collaborate closely with Chief Information Security Officers (CISOs) to align their understanding of cyber risks and establish effective communication channels.
By learning each other’s languages and perspectives, CFOs and CISOs can work together to balance the cost of addressing cyber risks with the potential consequences of not addressing them.
In addition to reporting individual incidents, public companies must now include cybersecurity risk management, strategy and governance disclosures in their annual reports on Form 10-K (Item 106 of Regulation S-K).
This includes describing the company’s processes for assessing, identifying and managing material risks from cybersecurity threats, whether any such risks have materially affected or are reasonably likely to materially affect the company, the board of directors’ oversight of those risks, and management’s role and expertise in assessing and managing them. CFOs play a crucial role in ensuring that these annual reports accurately reflect the company’s cybersecurity practices.
To comply with these requirements, CFOs should work closely with their legal, IT, and cybersecurity teams to ensure that cybersecurity risk management processes are well-documented and align with industry best practices.
This documentation should record how incidents are detected, escalated and assessed for materiality, the impact of past incidents on the company’s financial condition and results of operations, and the controls in place to reduce the likelihood and impact of future breaches.
Non-compliance with the SEC’s cybersecurity disclosure rules can have serious repercussions for companies. Violations may result in SEC penalties, investor lawsuits, reputational damage, and financial losses.
It is crucial for CFOs to understand the potential consequences of non-compliance and take proactive steps to ensure timely and accurate reporting of cybersecurity incidents.
To effectively prepare for the SEC’s 4-day disclosure window, CFOs should consider the following steps:
Understanding “Material” Incidents: CFOs must have a clear understanding of what constitutes a material cybersecurity incident. This requires a deep examination of the incident’s potential impact on the company’s financials, operations, reputation, customer relationships, and regulatory compliance.
Building a Cybersecurity Response Team: CFOs should collaborate with CISOs, CIOs, legal teams, and other relevant stakeholders to establish a robust cybersecurity response team. This team should be responsible for identifying, assessing, and managing cybersecurity incidents, from identification to disclosure.
Implementing Effective Incident Response Processes: Companies should have well-defined incident response processes in place to ensure prompt and accurate reporting of cybersecurity incidents, including a documented, repeatable materiality assessment so that the four-business-day clock is started on time and not missed. These processes should outline the roles and responsibilities of each team member, as well as the communication channels and escalation procedures.
Regular Training and Awareness Programmes: CFOs should prioritise cybersecurity awareness and training programmes for all employees, ensuring that they understand the importance of cybersecurity and their role in protecting sensitive information. This includes educating employees on how to identify and report potential cyber threats.
Engaging External Experts: In some cases, companies may benefit from engaging external experts to assess their cybersecurity posture and provide guidance on compliance with the SEC’s disclosure rules. These experts can offer valuable insights and help identify any gaps in the company’s cybersecurity practices.
Continuous Monitoring and Improvement: CFOs should implement regular monitoring and assessment processes to identify and address potential vulnerabilities in the company’s cybersecurity defences. This includes staying up to date with the latest cybersecurity threats and industry best practices.
Although the SEC’s cybersecurity disclosure rules may present challenges for CFOs, compliance with these regulations offers several benefits. By promptly disclosing material incidents and providing transparent information about cybersecurity risk management, companies can enhance their reputation, build investor trust, and mitigate the financial risks associated with cyberattacks.
Furthermore, adherence to these regulations demonstrates a commitment to cybersecurity and can attract potential investors who prioritize sound cybersecurity practices.