On March 9, the U.S. Securities and Exchange Commission (SEC) announced a new set of proposed rules for cybersecurity risk management, strategy and incident disclosure for public companies. One intent of the rule changes is to provide “consistent, comparable and decision-useful” information to investors. Not yet adopted, these new rules – published in the Federal Register on March 23 – could change reporting requirements. Take a look at some of the big-ticket items and what your organization needs to know.

The proposed rules will be open for public comment until May 9.

Know the Terminology

The proposed rules would require a public company to make a Form 8-K disclosure of a “material cybersecurity incident” within four days. A Form 8-K is a notification to shareholders of specific events. If an organization needs to file a Form 8-K but does not, the consequences could be severe, including delisting. Other forms (Forms 6-K, 10-Q and 10-K) would also be amended as part of the proposed rule changes. Therefore, do not gloss over the definitions, because they set the scope and the reporting rules. The wording is very specific.

  • Cybersecurity Incident: an unauthorized occurrence on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity or availability of a registrant’s information systems or any information residing therein (footnote 48 of the proposed changes).
  • Information Systems: information resources owned or used by the registrant, including physical or virtual infrastructure controlled by such information resources, or components thereof, organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of a registrant’s information to maintain or support the registrant’s operations (also footnote 48).

Responsible and affected parties should review the section titled “Examples of Cybersecurity Incidents That May Require Disclosure Pursuant to Proposed Item 1.05 of Form 8–K.” That will help you get a better sense of the scope. As you’ll see, the scope is in fact quite wide. Therefore, not only will publicly traded organizations be on the clock to report (as we shall discuss in a moment), but the wide scope could pose a resource challenge for some.

Four Days to Report

Perhaps one of the greatest pressures an organization will face is the four days to report. In the past, an organization may have been able to buy some time during the internal or external investigation phase. This proposal pretty much puts a lid on any potential time-buying during that phase. The SEC concedes that delaying a report may facilitate law enforcement investigations. It also says that, “on the balance,” such delays cannot justify withholding timely information from investors.

So many events fall within the defined scope of “cybersecurity incidents.” Will filing a Form 8-K become a daily task? The key is “materiality,” and, sadly, there is a bit of a grey zone.

Materiality Over Discovery

If you are an IT or cybersecurity worker, you might be wondering whether the lawyers should be the ones reading this. We would completely forgive you. However, you will also have a role to play. The emphasis on “materiality” over “discovery” makes perfect sense. So many cyber-related attacks happen today. A security operations center could discover an “incident” multiple times a day. “Materiality” is the difference, but its meaning is not clear.

Within Section II.B.1., there are some guidelines that rely heavily on securities case law. However, no bright lines are drawn. For example, we see phrases such as “there is a substantial likelihood that a reasonable shareholder would consider it important” or “particularly in view of the prophylactic purpose.” Another says “thoroughly and objectively evaluate the total mix of information, taking into consideration all relevant facts and circumstances surrounding the cybersecurity incident, including both quantitative and qualitative factors.” You will also find a whole bunch of footnotes and citations to case law.

The proposed rule changes even state that “materiality” could come at discovery, but in other instances, well after discovery. It is the “materiality” aspect that starts the clock on the four-day turnaround to report. This can get really wild if your artificial intelligence security solution makes the call one way and the human overrides it!

What Makes Materiality Important?

If they go into effect, these rules will affect public companies, private equity firms and investment houses, even those not directly hit by the material incident. Here is why: investment decisions are affected. Will a private equity firm change its trading portfolio position based on this reporting? It very well could. Many investors base their decisions on Form 8-K disclosures.

For private equity firms, what happens if an incident impacts one of their investments? That could affect the firm’s own reporting. This can get tricky if the portfolio is wide, diverse and lacks any common criteria for business impacts. In the end, all of those things could inform the decision.

Determining Materiality

Knowing what matters to your organization is both art and science. You will need some multi-stakeholder input. As we discussed in the organizational resilience series, you need to keep an eye on thresholds, impact matrices and escalation triggers included in your business continuity, disaster recovery and crisis management processes. We noted how important it is to ensure the technology owners and business owners are working together to determine criticality and recovery strategies. Well, time to leverage that work and add one more stakeholder: legal counsel (including your external counsel).

Working together, these parties can make reasonable determinations on what a future “material cybersecurity incident” looks like. In doing so, the spirit of the proposed rule changes will likely be met, or at least be defensible. If you are a leader of a publicly traded company, remember: if something goes afoul, after the SEC is done with you, there may be a congressional hearing in your future. If your organization makes a conscious decision not to deem a cybersecurity incident material (and therefore not to report it), you are going to have to be able to defend that position. Using your criticality matrices – if well-crafted with appropriate stakeholder input – may minimize the pain. And that gives you the chance to win back some of your lost investor confidence.
