A few days ago, a colleague posed a pointed question: Does the SEC’s new materiality ruling truly make a difference? While I previously highlighted the ruling’s potential impact in “Data Governance Gets a New Impetus,” it’s worth revisiting whether this shift will matter to management teams or simply add another layer to the compliance checklist.
What Is Required Again
To be honest, it was a friendly CIO, Wayne, who opened my eyes to the significance of the SEC’s recent ruling on cybersecurity materiality and management. His insights illuminated how this regulatory shift fundamentally alters the game for every company, transforming data cybersecurity from a niche concern into a boardroom imperative. As I noted in my previous article, the SEC ruling integrates security with data governance, elevating it from the backrooms of IT departments to a board room discussion.
Wayne’s perspective underscored that the SEC’s mandate is more than just a compliance hurdle; it’s a strategic game-changer. The ruling demands that companies file a Form 8-K within four business days of determining they have a “material cybersecurity incident.” This form requires a detailed account of the incident’s characteristics, timing, and significant consequences, particularly regarding financial health and operational results. This new requirement forces companies, also, to swiftly assess and report on the materiality of such incidents, adding a layer of urgency to their data governance strategies.
Furthermore, the SEC now requires registrants to disclose their cybersecurity risk assessments and management processes in their annual 10-K reports. This includes detailing how these risks have impacted or could impact the company materially and outlining the board’s role in overseeing and mitigating these threats. In an era where data breaches can remain undetected for months, data governance must rise higher in the boardroom agendas. The critical focus is on assessing the scope of compromised data and demonstrating due diligence in its protection.
However, the rapid expansion of data across various cloud service platforms (CSPs) presents a challenge. Companies often struggle to locate and manage dispersed or dormant data stores quickly. Analyst firms have identified this issue as a core challenge in data security posture management (DSPM). DSPM solutions aim to detect and categorize uncategorized data, both structured and unstructured, assessing it for security and privacy risks as it moves through different channels and regions. Addressing this issue is crucial for maintaining effective data governance and ensuring robust cybersecurity defenses.
Why The SEC Regulation Has Real Teeth
In “Cyber Disclosure Rules: Lessons Learned So Far In Year One,” Jim DeLoach, Managing Director at Protiviti, highlights a pivotal shift in the landscape of cybersecurity accountability. For CISOs and CFOs, the SEC’s ruling has made personal accountability a significant concern, emphasizing that executives must now understand their individual responsibilities in ensuring the accuracy of their company’s disclosures. This new layer of personal risk has heightened awareness, as people tend to take issues more seriously when personal consequences are at stake.
The recent SEC charges against SolarWinds and its CISO underscore the gravity of this accountability shift. On October 30, the SEC accused SolarWinds of fraud and disclosure failures related to known cybersecurity vulnerabilities. The complaint alleges that the company and its CISO misled investors by overstating cybersecurity practices and concealing risks from a prolonged cyberattack. This case signals a clear message: CISOs and other executives are now held to the same standards of accuracy in public filings as CFOs and CEOs.
The SEC’s scrutiny extends to how companies go about reporting cybersecurity incidents. Recently, the Commission reprimanded a filer for vague language regarding materiality in their 8-K incident report, demonstrating a lack of tolerance for ambiguity. Companies that disclose incidents without a clear materiality determination or use generic boilerplate language are at risk of falling foul of the SEC’s rigorous standards. As a result, organizations are encouraged to provide specific and detailed reports to avoid regulatory pitfalls and align with the SEC’s expectations.
Imperative for a CISO/CFO Partnership
DeLoach underscores the complexity of the SEC’s new ruling, which demands a deep and nuanced understanding of various domains: cybersecurity, incident response, data governance, financial reporting, investor relations, regulatory compliance, and risk management. According to DeLoach, this multi-faceted approach necessitates a close, collaborative relationship between CFOs and Chief Information Security Officers (CISOs). This partnership is vital for navigating the intricate demands of materiality evaluations and reporting. I would add data governance leaders as a key connection point.
DeLoach advocates for two-way education between CFOs and CISOs. CFOs should educate CISOs on materiality assessments and how to effectively communicate these findings to the board. Conversely, CISOs must guide CFOs on understanding recovery costs, remediation efforts, and the implications of single versus aggregate breaches. Furthermore, CISOs need to help finance leaders grasp the nature of compromised data, be it personally identifiable information or valuable intellectual property, and the complexities of recovery efforts.
For CFOs, a deep understanding of incident identification, response protocols, and the nuances of cyber risk mitigation is essential, especially considering the SEC’s detailed requirements for 10-K filings. Similarly, CISOs must become conversant with financial aspects to ensure comprehensive and accurate reporting of cyber incidents in 8-K filings. Establishing a robust partnership between CFOs and CISOs, with clear guidelines and processes for defining, identifying, responding to, and reporting material cyber incidents, is imperative. In this collaborative framework, data governance plays a crucial role, serving as a vital support system for effective management and reporting.
Parting Words
The SEC’s new materiality ruling is a game-changer, elevating cybersecurity from a technical issue to a critical concern for boardrooms. As DeLoach emphasizes, the ruling demands a thorough understanding of cybersecurity, financial reporting, and risk management. It requires transparency regarding any “material cybersecurity incident” and mandates detailed risk assessments in annual 10-K reports, placing data governance at the forefront of board discussions.
This shift increases personal accountability for both CISOs and CFOs, as the SEC’s stringent standards leave no room for vague language or incomplete disclosures. To address these complexities, CFOs and CISOs must build a strong partnership. CFOs should educate CISOs on materiality and reporting requirements, while CISOs must help CFOs grasp the nature of breaches and recovery processes. This collaboration is crucial for meeting regulatory demands and ensuring effective cybersecurity and data governance.