Beginning Dec. 18, the Securities and Exchange Commission is expected to begin enforcing a major provision of its new cybersecurity rules.
That provision requires public companies to disclose any “material cybersecurity incidents” to the agency on form 8-K within four days of determining that it was a material breach.
To be ready for compliance, companies by now should have taken steps to ensure they have policies and procedures in place for quickly assessing materiality as part of a larger cybersecurity program — a process that can take weeks, at a minimum, according to cybersecurity advisors.
“Hopefully, nobody’s in a position where they’re just starting to think about this,” said Richard Chambers, a senior internal audit advisor for Los Angeles, California-based AuditBoard, a provider of cloud-based audit and compliance management services. “But if they are, the answer isn’t to say, ‘Well we’re just not going to be able to comply.’ That’s not an option. You need to do everything you can as fast as you can to get into compliance.”
Ideally, one of the many questions companies need to consider as part of the preparation process is what financial drivers may impact materiality for their organization, according to Maxim Kovalsky, a managing director in the Cybersecurity & Privacy practice at Grant Thornton.
“It’s going to be very specific to your company,” said Kovalsky, who will be one of the speakers in a Friday webinar on materiality issues hosted by Grant Thornton.
The Dec. 18 compliance deadline applies to all covered entities other than smaller reporting businesses, which will be subject to the breach reporting mandates as of June 5 of next year.
Under the rules, in addition to reporting material breaches, public companies must annually describe on form 10-K their board of directors’ oversight of cybersecurity risks. All companies must comply with the Form 10-K requirements beginning with annual reports for fiscal years ending on or after Dec. 15.
A little more than half of public company executives responding to a Deloitte poll in August said their organizations were already preparing to comply with the SEC rules, as previously reported by CFO Dive. About one-quarter (26.1%) of the companies were not prepared for compliance, and 20.9% fell into the category of “don’t know” or “not applicable,” according to the results.
Many companies are still wrestling with materiality questions, at varying levels, with just days to go until the SEC begins enforcing its breach reporting requirements, according to Daniel Soo, a principal in the cyberrisk services infrastructure practice of Deloitte Risk & Financial Advisory.
“There would be quite a bit of work to do at this point if you’re starting from scratch,” Soo told CFO Dive. “It certainly should be a super high-priority to make sure that you are ready to comply.”
Kovalsky said larger publicly traded companies generally appear to be “in a better spot” from a compliance-readiness perspective.
“In general, I think it has to do with the maturity of the cyberrisk program at that organization,” he said. “If a company has never done a risk assessment, they would have a long way ahead of them in terms of being able to articulate any cyberrisks and processes that need to be articulated to investors.”
Tips for Stragglers
For any companies that are still lagging behind in their preparation, communication and collaboration will be key in getting up to speed quickly, according to Chambers.
“I think one of the most effective ways to get your arms around this is to bring all of your key players within the organization — including the board and senior management — into a room together to get everybody on the same page,” he said. “That means making sure you have a keen understanding of what the requirements are, making sure you have a keen understanding of where the risks are in failing to comply, and then figuring out how you’re going to mitigate those risks in as little time as possible.”
Ensuring documentation of any steps taken so far to achieve compliance readiness is also important, according to Kimberly Holmes, a Dykema Gossett PLLC senior counsel whose areas of focus include data privacy and cybersecurity.
“Obviously, from a compliance standpoint, the best scenario is to be able to meet all of these deadlines,” Holmes said. But for those organizations that aren’t completely ready on Day One, having documentation showing what has been executed so far and what next steps are planned, with timelines, will “go a long way” toward mitigating any potential liability in the event of an incident that draws regulatory scrutiny, she said.
Lenin Lopez, an attorney specializing in corporate governance and securities law at insurance brokerage firm Woodruff Sawyer, offered stragglers a third piece of advice: get help from outside counsel with cybersecurity expertise.
“I think it’s beyond the time when you as a management team can think about doing this on your own,” Lopez said, adding that it’s also easier to shield consultations with outside counsel from discoverability in the event of future litigation. “Obviously, if you have in-house counsel, there is attorney-client privilege, but plaintiff’s attorneys will push on that sometimes.”