Board Alert! Decode the New SEC Cyber Rule to Shield Your Company from Digital Doom! Part 2
Shawn Robinson
Cybersecurity Strategist | Governance & Risk Management | Driving Digital Resilience for Top Organizations | MBA | CISSP | PMP | QTE
Materiality in relation to cybersecurity risk is another critical component of the new rule. Organizations will need to have a clear process in place to understand what constitutes a material impact to the business. To quote Andrew Wilder: "There are two key actions required to get ahead of the new rule: 1 - Work with your Executive Team and your Board to determine materiality. 2 - Work with your Legal and Accounting teams on new procedures for your future 8K and 10K filings. This is our moment to step up!" Consider the following as it relates to materiality:
Identifying and Assessing Material Business Impact: In determining whether a cybersecurity incident is "material," the SEC rule applies the existing standard of materiality under the federal securities laws, i.e., something is material if "there is a substantial likelihood that a reasonable shareholder would consider it important" in making an investment decision, or if it would have "significantly altered the 'total mix' of information made available."
The SEC's adopting release also stated, "Doubts as to the critical nature" of the relevant information should be "resolved in favor of those the statute is designed to protect," namely investors. Boards must work with management to determine what constitutes a material impact in their business context. This materiality determination will be an extremely challenging exercise.
The following actions can help an organization define material impact:
Business Impact Analysis: The risk management committee should conduct a thorough business impact analysis exercise. This analysis evaluates critical business processes, systems, and assets that cyber incidents may impact. By understanding the dependencies and vulnerabilities of these assets, the committee can assess the potential consequences on revenue, reputation, customer trust, and regulatory compliance.
Quantitative and Qualitative Assessments: The committee should employ quantitative and qualitative methods to assess the material business impact of cyber risk. Quantitative assessments involve assigning financial values to potential losses, such as operational disruption costs, regulatory fines, or legal liabilities. Qualitative assessments identify intangible impacts, such as brand reputation damage or customer trust loss.
Scenario-Based Analysis: Conducting scenario-based analysis helps the committee evaluate how cyber incidents can impact the organization. By simulating various cyber-attack scenarios, the committee can assess the potential consequences, including operational disruptions, data breaches, intellectual property theft, or supply chain interruptions. This analysis enables the committee to better understand the possible ripple effects and develop proactive mitigation strategies.
"The rule's inclusion of "financial condition and results of operations" is not exclusive; companies should consider qualitative factors alongside quantitative factors in assessing the material impact of an incident. By way of illustration, harm to a company's reputation, customer or vendor relationships, or competitiveness may be examples of a material impact on the company. Similarly, the possibility of litigation or regulatory investigations or actions, including regulatory actions by state and Federal Governmental authorities and non-U.S. authorities, may constitute a reasonably likely material impact on the registrant." (pages 29-30)
After an incident is determined to be material, an organization has four (4) days to disclose the incident. There are some exceptions for disclosure in the rule.
"Under Item 1.05(c), a registrant may delay making an Item 1.05 Form 8-K filing if the Attorney General determines that the disclosure poses a substantial risk to national security or public safety and notifies the SEC of such determination in writing. Initially, disclosure may be delayed for a period specified by the Attorney General, up to 30 days following the date when the disclosure was otherwise required to be provided. The reporting delay may be extended for up to an additional 30 days if the Attorney General determines that disclosure continues to pose a substantial risk to national security or public safety and notifies the SEC of such determination in writing. Outside of extraordinary circumstances or an exemption order issued by the SEC, the maximum delay permitted under this exception will be 60 days."
I suspect these delays will be minimal regarding who will receive approval from the DOJ.
Understanding the Interdependencies: The definition of "cybersecurity incident" in new Item 1.05 extends to "a series of related unauthorized occurrences." The SEC states that this reflects that cyberattacks sometimes compound over time rather than present as a discrete event. Accordingly, when a company finds that it has been materially affected by what may appear as a series of related cyber intrusions, Item 1.05 may be triggered even if the material impact or reasonably likely material impact could be parceled among the multiple intrusions to render each by itself immaterial.
One example was provided in the SEC's proposed release: the same malicious actor engages in several smaller but continuous cyberattacks related in time and form against the same company, and collectively, they are either quantitatively or qualitatively material. The SEC provided another example describing a series of related attacks from multiple actors exploiting the same vulnerability and collectively impeding the company's business materially.
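The two SEC examples above (one actor carrying out several small intrusions over time, and several actors exploiting the same vulnerability) describe an aggregation rule that an incident register can apply mechanically: group occurrences that share an actor or an exploited vulnerability within a time window, then test the series as a whole, both quantitatively and qualitatively, instead of each event on its own. The following is an added example written for this article; it is not the SEC's or the author's code. It assumes a hypothetical incident register with constructed sample incidents (the actor labels, vulnerability labels and dollar figures are made up), an illustrative 90-day relatedness window and $1M quantitative threshold, and a disclosure clock of four business days after the materiality determination (weekends excluded; holidays ignored for simplicity).

```python
"""Aggregate related cybersecurity incidents before testing materiality (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set, Tuple


@dataclass
class Incident:
    """One unauthorized occurrence as recorded in a hypothetical incident register."""
    incident_id: str
    detected: date
    actor: Optional[str]            # attributed threat actor, if known (constructed label)
    vulnerability: Optional[str]    # exploited weakness, if known (constructed label)
    quantified_loss_usd: float      # quantitative BIA estimate: disruption, fines, legal costs
    qualitative_factors: Tuple[str, ...] = ()   # e.g. reputational harm, regulatory investigation


@dataclass
class MaterialityAssessment:
    incident_ids: List[str]
    aggregate_loss_usd: float
    qualitative_factors: Set[str]
    material: bool
    disclosure_deadline: Optional[date]     # None when the series is not material


def related(a: Incident, b: Incident, window_days: int) -> bool:
    """Two occurrences are treated as related when they share an actor or an
    exploited vulnerability and were detected within `window_days` of each other."""
    close_in_time = abs((a.detected - b.detected).days) <= window_days
    same_actor = a.actor is not None and a.actor == b.actor
    same_vuln = a.vulnerability is not None and a.vulnerability == b.vulnerability
    return close_in_time and (same_actor or same_vuln)


def cluster_related(incidents: List[Incident], window_days: int = 90) -> List[List[Incident]]:
    """Group incidents by the transitive closure of `related`, so a chain of
    pairwise-linked occurrences ends up in one series."""
    groups: List[List[Incident]] = []
    for inc in sorted(incidents, key=lambda i: i.detected):
        touching = [g for g in groups if any(related(inc, o, window_days) for o in g)]
        merged = [inc]
        for g in touching:          # merge every existing series this incident links to
            merged.extend(g)
            groups.remove(g)
        groups.append(merged)
    return groups


def add_business_days(start: date, n: int) -> date:
    """Form 8-K clock: count forward n weekdays (holidays ignored for simplicity)."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d


def assess_register(incidents, quantitative_threshold_usd, qualitative_triggers,
                    determination_date, window_days=90) -> List[MaterialityAssessment]:
    """Assess each related series as a whole: material if the aggregate loss reaches
    the quantitative threshold OR any qualitative trigger is present in the series."""
    results = []
    for group in cluster_related(incidents, window_days):
        total = sum(i.quantified_loss_usd for i in group)
        factors = set().union(*(set(i.qualitative_factors) for i in group))
        material = total >= quantitative_threshold_usd or bool(factors & set(qualitative_triggers))
        results.append(MaterialityAssessment(
            incident_ids=sorted(i.incident_id for i in group),
            aggregate_loss_usd=total,
            qualitative_factors=factors,
            material=material,
            disclosure_deadline=add_business_days(determination_date, 4) if material else None,
        ))
    return sorted(results, key=lambda r: r.incident_ids[0])


# Constructed sample register (not real incidents): three small intrusions by one actor,
# two intrusions by different actors exploiting one shared vulnerability, one unrelated event.
SAMPLE_INCIDENTS = [
    Incident("INC-001", date(2024, 3, 4), "ACTOR-A", None, 400_000),
    Incident("INC-002", date(2024, 4, 2), "ACTOR-A", None, 450_000),
    Incident("INC-003", date(2024, 5, 6), "ACTOR-A", None, 350_000),
    Incident("INC-004", date(2024, 4, 15), None, "VULN-X", 150_000),
    Incident("INC-005", date(2024, 4, 20), "ACTOR-B", "VULN-X", 100_000, ("regulatory_investigation",)),
    Incident("INC-006", date(2024, 6, 1), "ACTOR-C", "VULN-Y", 90_000),
]
SAMPLE_DETERMINATION_DATE = date(2024, 6, 7)   # a Friday, so the 4-business-day clock skips the weekend
QUALITATIVE_TRIGGERS = {"regulatory_investigation", "reputational_harm"}


def run_example() -> List[MaterialityAssessment]:
    """Illustrative threshold of $1M; each series individually below it may still be material."""
    return assess_register(SAMPLE_INCIDENTS, 1_000_000, QUALITATIVE_TRIGGERS, SAMPLE_DETERMINATION_DATE)


if __name__ == "__main__":
    for r in run_example():
        print(r.incident_ids, f"${r.aggregate_loss_usd:,.0f}", sorted(r.qualitative_factors),
              "MATERIAL" if r.material else "not material", r.disclosure_deadline)
```

In the sample register no single incident reaches the $1M threshold, yet the ACTOR-A series aggregates to $1.2M and becomes material, and the VULN-X series is material on a qualitative factor alone despite a $250K aggregate. The relatedness criteria (shared actor, shared vulnerability, time window) are the knobs a risk committee would have to agree on with legal counsel, since they decide which occurrences are parceled together.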
Due to the interconnectedness of technology, Boards and management need to be able to understand the systemic impact of seemingly unrelated events that can lead to more significant impacts over time. To help with this, an organization should consider the following actions:
Mapping Critical Assets: The committee should work with relevant stakeholders to map critical business assets, including data repositories, infrastructure components, and critical applications. Understanding the interdependencies between these assets helps identify potential cascading impacts in the event of a cyber incident. For example, compromising a central server could lead to data breaches across multiple systems.
Supply Chain Risks: Boards must recognize the interconnected nature of supply chains and the potential for cyber risks to impact partners, vendors, and subcontractors. The risk management committee should assess the cybersecurity posture of critical suppliers and establish mechanisms for monitoring and managing supply chain risks. This activity includes evaluating third-party security controls, implementing contractual obligations, and conducting periodic audits or assessments.
Regulatory and Legal Dependencies: The committee should consider the legal and regulatory landscape in which the organization operates. Understanding compliance obligations, industry-specific regulations, and potential legal implications associated with cyber risk is crucial. This activity includes assessing the impact of data protection laws, notification requirements in the event of a breach, and potential fines or legal actions that may arise from non-compliance.
Integration with Enterprise Risk Management: Item 106(b)(1) will require a registrant to describe its "processes, if any, for assessing, identifying and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes." In providing such disclosure, a registrant should address, as applicable, the following non-exclusive list of disclosure items:
Whether and how any such processes have been integrated into the registrant's overall risk management system or processes
Whether the registrant engages assessors, consultants, auditors, or other third parties in connection with any such processes
Whether the registrant has processes to oversee and identify such risks from cybersecurity threats associated with its use of any third-party service provider
To help ensure organizations are compliant with this portion of the rule, the Board and management should look to the following actions related to risk management:
Collaboration with Risk Management Functions: To comprehensively understand material business impact, the risk management committee should collaborate with other organizational risk management functions, such as enterprise risk management (ERM) or operational risk teams. This collaboration ensures the alignment and integration of cyber risk assessments with broader risk management strategies.
Risk Reporting and Escalation: The committee should establish transparent reporting and escalation mechanisms to inform the Board about the material business impacts of cyber risk. Regular reporting should highlight critical risks and potential impacts. This reporting enables the Board to make informed decisions and allocate appropriate resources for risk mitigation efforts.
For organizations looking to implement and optimize a corporate board risk management committee's effectiveness in addressing technology and cyber risk, it is vital to identify and understand the material business impacts of cyber risk. By conducting thorough business impact analyses, assessing interdependencies, and integrating with enterprise risk management functions, boards can gain a holistic view of the potential consequences of cyber incidents. This understanding empowers the Board and management to develop proactive strategies, allocate resources effectively, and make informed decisions to protect the organization's operations, reputation, and stakeholders' interests in the face of evolving cyber threats.
In light of the ever-increasing importance of cybersecurity and the SEC rule, corporate boards should begin to establish and optimize a dedicated risk management committee to address technology and cyber risks effectively. By assembling the right mix of expertise, defining clear responsibilities, and implementing robust risk management processes, boards can enhance their oversight of technology and cyber risks. Through proactive risk identification, assessment, mitigation, and continuous improvement, organizations can better protect their assets, reputation, and stakeholder trust in an increasingly interconnected digital world.