Light Dark
May 10, 2022 By George Platsis 4 min read
Banking & Finance
Risk Management
Security Services

On March 9, the U.S. Securities and Exchange Commission (SEC) announced a new set of proposed rules for cybersecurity risk management, strategy and incident disclosure for public companies. One intent of the rule changes is to provide “consistent, comparable and decision-useful” information to investors. Not yet adopted, these new rules – published in the Federal Register on March 23 – could change reporting requirements. Take a look at some of the big-ticket items and what your organization needs to know.

The proposed rules will be open for public comment until May 9.

Know the Terminology

The proposed rules would require a public company to make a Form 8-K disclosure of a “material cybersecurity incident” within four days. A Form 8-K is a notification to shareholders of specific events. If an organization needs to file a Form 8-K but does not, the consequences could be severe, including delisting. Other types of forms would be subject to more amendments (Forms 6-K, 10-Q, 10-K) as part of the proposed rule changes. Therefore, do not gloss over the definitions, because they outline scope and reporting rules. The wording is very specific.

  • Cybersecurity Incident: an unauthorized occurrence on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity or availability of a registrant’s information systems or any information residing therein (footnote 48 of the proposed changes).
  • Information Systems: information resources owned or used by the registrant, including physical or virtual infrastructure controlled by such information resources, or components thereof, organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of a registrant’s information to maintain or support the registrant’s operations (also footnote 48).

Responsible and affected parties should review the section titled “Examples of Cybersecurity Incidents That May Require Disclosure Pursuant to Proposed Item 1.05 of Form 8–K.” That will help you get a better sense of the scope. As you’ll see, the scope is in fact quite wide. Therefore, not only will publicly traded organizations be on the clock to report (as we shall discuss in a moment), but the wide scope could pose a resource challenge for some.

Four Days to Report

Perhaps one of the greatest pressures an organization will face is the four days to report. In the past, an organization may have been able to buy some time during the internal or external investigation phase. Instead, this pretty much puts a lid on any potential time-buying during that phase. The SEC concedes that delay in reporting may facilitate law enforcement investigations. It also says that “on the balance” timely disclosure of incidents cannot justify delayed information to investors.

So many events fall within the defined scope of “cybersecurity incidents”. Will filing a Form 8-K become a daily task? The key is “materiality”, and, sadly, there is a bit of a grey zone.

Materiality Over Discovery

If you are an IT or cybersecurity worker, you might be wondering whether the lawyers should be the ones reading this. We would completely forgive you. However, you will also have a role to play. The emphasis on “materiality” over “discovery” makes perfect sense. So many cyber-related attacks happen today. A security operations center could discover an “incident” multiple times a day. “Materiality” is the difference, but its meaning is not clear.

Within Section II.B.1., there are some guidelines that rely heavily on securities case law. However, no clear and bright borders are made. For example, we see phrases such as “there is a substantial likelihood that a reasonable shareholder would consider it important” or “particularly in view of the prophylactic purpose.” Another says “thoroughly and objectively evaluate the total mix of information, taking into consideration all relevant facts and circumstances surrounding the cybersecurity incident, including both quantitative and qualitative factors.” You will also find a whole bunch of footnotes and citations to case law.

The proposed rule changes even state that “materiality” could come at discovery, but in other instances, well after discovery. It is the “materiality” aspect that starts the clock on the four-day turnaround to report. This can get really wild if your artificial intelligence security solution makes the call one way and the human overrides it!

What Makes Materiality Important?

These rules will impact public companies, private equity firms and investment houses if they go into effect. That’s the case even if they are not impacted by the material incident directly. Here is why: investment decisions are impacted. Will a private equity firm change its trading portfolio position based on this reporting? It very well could. Many investors base their decisions on Form 8-K disclosures.

For private equity firms, what happens if an incident impacts one of their investments? That could impact its own reporting. This can get tricky if the portfolio is wide, diverse and lacks any common criteria for business impacts. In the end, all of those things could inform the decision.

Determining Materiality

Knowing what matters to your organization is both art and science. You will need some multi-stakeholder input. As we discussed in the organizational resilience series, you need to keep an eye on thresholds, impact matrices and escalation triggers included in your business continuity, disaster recovery and crisis management processes. We noted how important it is to ensure the technology owners and business owners are working together to determine criticality and recovery strategies. Well, time to leverage that work and add one more stakeholder: legal counsel (including your external counsel).

Working together, these parties can come together and make reasonable determinations on what a future “material cybersecurity incident” looks like. In doing so, the spirit of the proposed rule changes will likely be met, or at least be defendable. If you are a leader of a publicly traded company, remember, if something goes afoul, after the SEC is done with you, there may be a congressional hearing in your future. If your organization makes a conscious decision to not deem a cybersecurity incident a material one (and therefore not report it), you are going to have to be able to defend that position. Using your criticality matrices – if well-crafted with appropriate stakeholder input – may minimize the pain. And that gives you the chance to win back some of your lost investor confidence.

 |  |  |  | 
George Platsis
Senior Director, Educator and Author

More from Banking & Finance
October 30, 2023

Virtual credit card fraud: An old scam reinvented

3 min read - In today's rapidly evolving financial landscape, as banks continue to broaden their range of services and embrace innovative technologies, they find themselves at the forefront of a dual-edged sword. While these advancements promise greater convenience and accessibility for customers, they also inadvertently expose the financial industry to an ever-shifting spectrum of emerging fraud trends. This delicate balance between new offerings and security controls is a key part of the modern banking challenges. In this blog, we explore such an example.…

August 30, 2023

Cost of a data breach 2023: Financial industry impacts

3 min read - According to the IBM Cost of a Data Breach Report 2023, the global average cost of a data breach in 2023 was $4.45 million, 15% more than in 2020. In response, 51% of organizations plan to increase cybersecurity spending this year. For the financial industry, however, global statistics don’t tell the whole story. Finance firms lose approximately $5.9 million per data breach, 28% higher than the global average. In addition, evolving regulatory concerns play a role in how financial companies…

August 17, 2023

Gozi strikes again, targeting banks, cryptocurrency and more

3 min read - In the world of cybercrime, malware plays a prominent role. One such malware, Gozi, emerged in 2006 as Gozi CRM, also known as CRM or Papras. Initially offered as a crime-as-a-service (CaaS) platform called 76Service, Gozi quickly gained notoriety for its advanced capabilities. Over time, Gozi underwent a significant transformation and became associated with other malware strains, such as Ursnif (Snifula) and Vawtrak/Neverquest. Now, in a recent campaign, Gozi has set its sights on banks, financial services and cryptocurrency platforms,…

July 28, 2023

The rise of malicious Chrome extensions targeting Latin America

9 min read - This post was made possible through the research contributions provided by Amir Gendler and Michael  Gal. In its latest research, IBM Security Lab has observed a noticeable increase in campaigns related to malicious Chrome extensions, targeting  Latin America with a focus on financial institutions, booking sites, and instant messaging. This trend is particularly concerning considering Chrome is one of the most widely used web browsers globally, with a market share of over 80% using the Chromium engine. As such, malicious…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2023 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature