Background
At the end of July 2023 the US Securities and Exchange Commission (SEC) published new requirements on listed companies for reporting cyber incidents, and for how companies must report on their processes for dealing with cyber risk, including management's role and Board oversight. The SEC wanted to go further – including mandating that companies disclose the cyber expertise of their Boards – but stayed its hand. A good start – for now.
Detail
Win Some…
The announcement and consultation have been well trailed, and the net result represents progress. Companies registered with the SEC are now required:
While the hope is that companies already have processes in place to report on their cyber posture, the new SEC requirements will certainly oblige them to improve those processes if they are to be able to report at all.
…Lose Some
The SEC had floated the proposition that companies should publish statements on the cyber expertise of their Boards. Ultimately the SEC decided not to include this in the regulations, on the basis that it was better to have the technical acumen at the management level, reserving to Boards the higher functions of risk management and strategy.
So what?
While the decision not to mandate disclosure of cyber expertise at the Board level feels like a cop-out, it is probably the right answer for now. It would be very hard for the SEC to determine different levels of competence; skilled labour of this sort is rare and expensive; and the SEC telling industry how to construct its Boards feels a little removed from the more standard regulatory role of telling companies what they should report, sufficient to reassure investors and customers alike. Our concern is that if the Board is accountable for the professional stewardship of company assets, including data, some cyber expertise might help – otherwise the Board can plead ignorance and blame it on the IT guy. The changes in disclosure rules will help here: if a disclosure goes in an 8-K filing, the Board will need to sign it off anyway.
The new disclosure requirements are, overall, a good thing. While we do not wish to make life easier for the hackers by having companies reveal too much detail about the defences they deploy, it is important that companies realise that, to maintain customer and stakeholder confidence, they have to take the cyber threat seriously and architect their businesses accordingly. The obligation to disclose a material cyber event within 4 business days is also welcome: customers, staff, shareholders and regulators all need confidence that companies have a grip on cyber risk management. We expect other jurisdictions to follow suit.
As ever, should you wish to discuss this issue or any other cyber risk management questions, please don’t hesitate to contact us. #astaaracyber #resilienceandrecovery