A Board Lens on the SEC’s Final Cybersecurity Rules

by John H. Rodi and Patrick A. Lee

The SEC's latest cybersecurity rules require companies to disclose significant cybersecurity incidents on Form 8-K and to describe their cybersecurity risk management, strategy, and governance in Form 10-K, which means boards must reevaluate their oversight and work with management to achieve effective compliance.


The SEC’s long-awaited final rules on cybersecurity—as detailed in numerous summaries—greatly expand companies’ cybersecurity disclosure obligations. The rules require public companies to disclose material “cybersecurity incidents” on Form 8-K and disclose material information regarding their cybersecurity risk management, strategy, and governance in their annual reports on Form 10-K. Notably, the rules do not require companies to disclose board-level cybersecurity expertise, do not require aggregating unrelated non-material cyber incidents, and more generally, narrowed in certain respects the information to be disclosed. Nonetheless, the expanded disclosure requirements will be a significant undertaking for management and will require more robust oversight by the board.

To that end, we highlight the following areas for particular attention by the board and board committees that have oversight responsibility for aspects of cybersecurity risk and disclosures. 

Cybersecurity governance disclosures 

The final rules require that, in its Form 10-K, a company “[d]escribe the board of directors’ oversight of risks from cybersecurity threats. If applicable, identify any board committee or subcommittee responsible for the oversight of risks from cybersecurity threats and describe the processes by which the board or such committee is informed about such risks.” In preparation for this disclosure, boards should reassess how the board—through its committee structure—assigns and coordinates oversight responsibility for the company’s cybersecurity risk. 

Boards are taking various approaches to oversight of cybersecurity risk. For many, oversight is housed with the audit committee. Even if cybersecurity oversight is housed with the full board or a different committee, such as a technology committee, the audit committee will still need to oversee the effectiveness of internal and disclosure controls and procedures relating to cybersecurity. When multiple committees are involved, information sharing, communication, and coordination among committees and with the full board is essential. The board should help ensure the necessary processes are in place to accomplish this.

The governance disclosure must also describe management’s role in assessing and managing the company’s material risks from cybersecurity threats. The preparation of these governance disclosures will take time and care, and will likely require a reassessment of the board’s and management’s current cybersecurity governance processes, as well as of existing governance disclosures. Boards should be working with management teams now as management prepares for the upcoming Form 10-K disclosures.

Cybersecurity risk management and strategy disclosures 

The final rules require that a company describe in Form 10-K its processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes. The rules also require that the company describe whether any risks from cybersecurity threats, including because of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the company, including its business strategy, results of operations, or financial condition.

The preparation of these risk management and strategy disclosures will require a reassessment, and perhaps modification, of the company’s existing risk management processes and related disclosures. Again, boards should be working with management now as management prepares for the upcoming Form 10-K disclosures.

Management’s cyber incident response plan 

Public companies will be required to report information regarding a material “cybersecurity incident” on Form 8-K within four business days after the company determines that the incident was material—not from the time of discovery of the incident. And companies must make materiality determinations “without unreasonable delay” after discovery of the incident. Information to be disclosed includes a description of the material aspects of the nature, scope, and timing of the incident, as well as the material impact (or reasonably likely material impact) on the company, including its financial condition and results of operations.

If the US Attorney General determines that immediate disclosure poses a substantial risk to national security or public safety and notifies the SEC in writing, disclosure may be delayed for a maximum of 60 days (about 2 months). Updated incident disclosures on an amended Form 8-K are required for any new information about a previously disclosed material incident that was unavailable or undetermined at the time of the initial Form 8-K filing. 

Management’s cyber incident response policies and procedures, including disclosure controls and procedures, must be reviewed and updated to provide for the timely consideration of materiality—while management is engaged in remediation and investigation efforts. This would include a clear delineation of responsibilities of management’s cybersecurity and risk management teams, management’s disclosure committee, and the legal department, as well as escalation procedures for determining materiality and the preparation and review of disclosures. 

Escalation protocols should also include when the board is notified and how internal and external communications are handled. Management and the board should conduct tabletop exercises to test management’s response plans and procedures, including protocols for documenting incidents, evaluating for materiality, and drafting Form 8-K disclosures—and refine response plans and procedures to reflect what is learned from those exercises. Incident response plans should also be updated to take into account the changing cyber risk landscape.

Consideration of “materiality” 

The final rules require companies to make a materiality determination “without unreasonable delay after discovery of the incident.” While the definition of materiality has not changed, applying that standard in the context of a cybersecurity incident is not straightforward. In its final release, the SEC said that companies should consider qualitative factors in assessing the material impact of an incident, and indicated that harm to a company’s reputation, customer or vendor relationships, or competitiveness, and the possibility of litigation or regulatory investigations or actions, may be examples of material impacts. 

Audit committees and boards should confirm that management has in place policies and procedures for making the materiality determination, including the identification of significant cyber incidents that should be escalated and discussed with management’s disclosure committee and legal team for final materiality determination, and documenting its materiality determinations. 

The role and composition of management’s disclosure committee 

Given the expanded cybersecurity disclosure obligations, companies may need to reconsider who serves on management’s disclosure committee and the role and responsibilities of the committee in developing and maintaining cybersecurity-related disclosure controls and internal controls and procedures. What resources and processes does the committee require to make a timely determination of materiality in the event of a cyber incident?

Expansion of management’s sub-certification process

Management’s disclosure committee supports the quarterly CEO and CFO certifications of the design and effectiveness of the company’s internal controls and disclosure controls and procedures required by Section 302 of the Sarbanes-Oxley Act. The disclosure committee typically maintains a sub-certification process, in which cascading sub-certifications from employees regarding the company’s internal controls support the CEO and CFO certifications. Given the expanded scope and detail of the company’s required cybersecurity disclosures, the sub-certification process should be expanded, as necessary, to obtain new cybersecurity-related sub-certifications.

While many companies began preparations for the SEC’s cybersecurity rules some time ago, the July release of the final rules provides a clearer line of sight for management’s compliance efforts, and for the key areas that will likely require heightened board focus.

John H. Rodi and Patrick A. Lee are Leader and Senior Advisor, respectively, of the KPMG Board Leadership Center.