New SEC Cybersecurity Disclosure Rules: Key Takeaways From Companies’ Responses

David Lehmann, Managing Director Technology Audit and Advisory
Charles Soranno, Managing Director Eastern Region Leader, Public Company Transformation

While the ink is still drying on many 2023 Form 10-Ks, Protiviti has reviewed a subset of the filings to gauge how firms are responding to the U.S. Securities and Exchange Commission’s (SEC’s) amended Cybersecurity Disclosure Rule adopted in July 2023.

Our review included a sample of 2023 10-Ks that were filed subject to the new requirements, as well as a series of 8-K cybersecurity incident reports issued since the 8-K requirement went into effect in mid-December 2023. This element of the rule requires disclosure within four business days following the determination that an incident is material. This can include incidents that occur at a third-party organization, as well as multiple incidents determined to be material in aggregate. However, this reporting window is subject to relief, as certain filing delays are permitted due to risks to national security or public safety.

The SEC’s new cybersecurity disclosure rules are designed to require companies to provide investors with information that can help them better manage risk in their portfolio, given how costly and disruptive cybersecurity incidents can be to a business. According to the 2023 Internet Crime Report from the FBI’s Internet Crime Complaint Center (IC3), potential losses from cybercrime surpassed $12.5 billion last year — a 22% increase from 2022 and a new record high.

The following is an overview of some key takeaways from our analysis.

Form 8-K Filings: Differing Interpretations of the Materiality Requirement

Protiviti’s analysis of cybersecurity incident-related 8-K filings reveals that companies are generally taking a conservative approach toward reporting cybersecurity incidents. That is, there is an apparent willingness to disclose incidents even when materiality has not yet been fully established. One might conclude from this early trend that registrants would rather err on the side of caution than risk not disclosing when, potentially later in hindsight, they should have. Registrants may also be considering that a generic disclosure will help them actively manage the public narrative when cyber events occur.

When considering how materiality was described in these disclosures, many filers distinguished between operational and financial materiality while the rule itself focuses on a single concept of materiality that can incorporate both operational and financial elements (in addition to other factors). This trend in early 8-K cybersecurity incident disclosures may blur the critical question of materiality. Additionally, given this reporting trend, it is perhaps not surprising that there is often an absence in the descriptions of the material impact or likely material impact, although the SEC specifically calls out the need to describe the incident’s material impact or likely impact. We have already seen one filer that was reprimanded by the SEC for not following disclosure requirements.

Avoiding vagueness in these disclosures to the degree possible is advisable, as it is likely that the SEC may request more information from some companies about the scope and impact of the cyber incidents they disclosed on Form 8-Ks. In one such case, a filer issued an 8-K amendment a day later clarifying its stance on whether the incident was in fact material, as its original filing was indeed vague on this point.

Here is a closer look at several key findings from our qualitative analysis of recent Form 8-K filings:

Timing and Nature of Disclosures

Broadly, the level of detail provided in 8-K cyber incident disclosures varies significantly. Some companies provide extensive information about the nature of attacks and their containment strategies. Others take a high-level approach, revealing information sufficiently general that it could apply to almost any cybersecurity incident, perhaps positioned so as to not provide a “road map” for potential bad actors to exploit.

The SEC’s rule requires companies to report incidents within four days after determining that an incident (or a series of incidents, in aggregate) is material. It does not, however, require disclosing either when materiality was determined or how long registrants took to evaluate the incident (or series of incidents) to determine materiality. As a result, it is not currently possible to determine whether companies are reporting incidents “timely.”

Incident Response and Recovery

Some other notable takeaways from Protiviti’s evaluation of recent 8-K filings include the following findings related to incident response and recovery:

  • Immediate actions: Companies generally described taking prompt actions — such as isolating affected systems and conducting forensic investigations — once an incident was detected.
  • Engagement with authorities: Most companies reported that they had notified relevant law enforcement agencies and were working in collaboration with them as required.
  • Communication protocols: Many of the disclosures we evaluated referenced specific communication protocols for internal reporting and external communication with stakeholders.
  • Business continuity and recovery: Reports often mentioned activation of business continuity plans to minimize service disruptions. However, we found that details on the effectiveness of these plans or time frames for full recovery were frequently omitted.

Form 10-K Filings: Most Firms Cite Cyber Response Readiness, But Many Cautiously Offer Few Details

Protiviti’s evaluation of companies’ disclosures in Form 10-K filings found that almost all companies acknowledge cybersecurity as an important aspect of their risk oversight, although the level of detail provided in the filings varies widely. Most companies have at least one board-level committee charged with cybersecurity oversight; however, there is a notable split in the type of committee involved in that process, and it appears that the composition of many of the designated committees has limited cyber experience. While most companies said they assign this role to their audit committee, a significant percentage noted that they rely on other management-level committees, like risk or technology committees, which then report to the audit committee.

As for management’s role in the oversight of cybersecurity risks, we found that almost all companies agree that identifying a functional leader for cybersecurity matters and providing periodic cybersecurity-related reporting to the board are critical practices. When it comes to disclosing the frequency of such reporting, however, we found that fewer firms included specific language about how often this reporting occurs.

Additional findings from our review of companies’ Form 10-Ks are as follows:

  • Cyber risk mitigation efforts: Nearly all companies referenced efforts to mitigate cybersecurity risks through established processes, procedures and systems. A smaller yet significant majority of companies disclosed alignment with external frameworks or standards. This is a positive trend, but it also suggests there is room for improvement in adopting recognized best practices.
  • Response readiness: A strong majority of companies mentioned their readiness to respond to cyber incidents, including planning and recovery considerations. However, we found that nearly one-quarter of the companies reviewed are not explicitly discussing their preparedness strategies.
  • External advisors: A significant portion of organizations reported that they use external independent advisors for cybersecurity matters. This could reflect an awareness that third-party expertise is beneficial or necessary for effective cyber risk management or incident response.

Overall, our analysis of this subset of 10-K filings helps bring dimension to an evolving landscape where it seems most companies are taking positive, substantial steps toward instituting robust cyber governance practices. That said, it is evident that some areas remain open for further development or standardization.

An Opportunity to Optimize Cybersecurity Processes and Programs

Now that companies are settling into the SEC’s new requirements, they will want to consider refining their approach to reporting and disclosures for future Form 8-K and 10-K filings. As with past “new disclosure” requirements, the SEC will likely become less tolerant over time about vagueness in this reporting, and companies can take notice of any comments and responses between the SEC and registrants regarding this disclosure.

First and foremost, 10-K disclosures about a registrant’s cybersecurity governance and risk management programs must be rooted in fact and reflect operationalized processes, avoiding aspirational or planned improvements. The SEC’s response to SolarWinds’ chief information security officer’s lack of transparency about known cybersecurity risks and alleged failure to comply with the U.S. securities laws serves as a cautionary tale.

As registrants continue to comply with the rule and as 10-K and 8-K disclosures naturally evolve and, perhaps over time, improve the alignment of disclosures with the intent of the rule, Protiviti recommends that companies take the opportunity now to further improve their cybersecurity risk management and governance practices, incident identification, response and reporting processes, and determination of incident materiality, among other aspects of the spirit and letter of the rule.

Protiviti’s technology audit and advisory practice and cybersecurity consulting teams have worked extensively with clients to help them align their processes with this rule and avoid potential compliance pitfalls. Cybersecurity program assessments, internal audits, facilitated tabletop exercises, review of disclosures and incident response plan assessments are some of the key mechanisms we have used to help our clients improve their overall compliance posture. While the veil of uncertainty has, to an extent, been lifted with respect to what compliance with the rule looks like, we believe there is still significant room for improvement and alignment in how registrants are approaching compliance.
