The annual disclosure must include “processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, as well as the material effects or reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents.” Domestic and foreign filers alike are included in the rules, with U.S. companies being required to disclose incidents on Item 1.05 of Form 8-K and the annual disclosure on Item 106 of the Form 10-K. Foreign filers must make “comparable disclosures” on Form 6-K for incidents and Form 20-F for the annual disclosure. It seems simple enough, but we probably all raised our eyebrows on the number of times “material” is used in those descriptions. So, how do we determine cybersecurity materiality?
Determining Materiality

The rule of thumb that IROs are familiar with in determining materiality per federal securities law is the “reasonable investor” test. For cybersecurity, there are two primary considerations that can help in making this determination.
Risk to data: Risk to data is a significant consideration when determining the harm that may result from a cybersecurity incident. While legal and technical considerations and risks are voluminous, from a communications perspective, a full analysis of the confirmed risk to data may take weeks or months to complete thoroughly and effectively. Without a thorough analysis with confirmed impact to individuals, organizations disclosing unauthorized data access run the risk of causing harm and panic among their customers, employees, and investors without providing any recourse. What’s worse, an organization that inaccurately suggests a limited or non-existent risk to data may risk causing a lasting negative impact to its credibility and trustworthiness if those statements are later deemed incorrect.
Risk to operations: In addition to data, operations may be impacted, as was the case for the companies mentioned in the beginning of this article. When operations are affected, revenue, costs, and more may be negatively impacted as well. And costs will include a company’s efforts to respond to and remediate an incident. IROs and their executives should work with their legal teams and external advisors (as applicable) to make determinations on materiality.
Recent Disclosure Patterns

In terms of annual process and risk management disclosures, there has been significant variability in the approach companies have taken since the rule has been in effect over the past few months.
16 SPRING 2024 ■ IR UPDATE
DragonGC Co-founder and Chief Product Officer Neil McCarthy told Governance Intelligence that while 10-K disclosures have generally all described the board committee that has been charged with oversight (usually the audit committee) and the person who oversees cyber decisions (usually the chief information security officer, or CISO), there have been differences in specific structures and approaches based on each company’s operational needs and strategy. The Wall Street Journal reported that while companies tend to go beyond what the SEC requires to be disclosed, certain helpful details are not yet being discussed, such as a company’s criteria for materiality.
Preparing for a Cybersecurity Incident

With cybersecurity incidents becoming commonplace, companies and IROs must be prepared to respond from a communications perspective. There is the operational aspect of being prepared: cybersecurity must be integrated into corporate governance, and a company must have a thorough understanding of its current cybersecurity infrastructure, including policies, risks, controls, and vulnerabilities. Having an incident response plan in place is table stakes, and practicing with tabletop exercises is key to perfecting your response. IROs are critical players to implementing these plans and therefore must be “in the room” when a crisis response is being formulated and know what their specific roles and responsibilities are. As is the case in many crisis situations, a well-planned and well-executed communications plan can enable an organization to protect its reputation in the face of disruptive events. As with any crisis communications plan, an effective cybersecurity incident communications strategy includes a clearly defined communications playbook. That playbook should include the following four components:

1. Understand the stakeholder universe. Who must be informed, and who should be informed? For the former, considerations include regulatory requirements and the potential for law enforcement support. For the latter, a strategic approach may be beneficial as there is an opportunity to provide appropriate levels of transparency – within legal guardrails – to build goodwill for the road ahead as the company works towards resolving and remediating the incident. Timing is a key consideration in this category as well. A company should know when it is required to report certain information, and when information should remain confidential until it is known with certainty.

2. Establish a team of communications “first responders.” These are people who are pre-approved to act as spokespersons throughout the crisis. These individuals should have executive
niri.org/irupdate