2 Takeaways from First 10-Ks under New SEC Cyber Risk Disclosure Rules
Public companies are beginning to file the first Form 10-K annual reports since the Securities and Exchange Commission's (SEC) new rules on material cyber risk disclosure went into effect at the end of 2023. At first look, most (but not all) filers took the challenge seriously and tried to meet both the spirit and the letter of the rules. At the very least, investors no longer have to hunt around for cybersecurity disclosures; they appear in the tables of contents as the new "Item 1C".
To review, the agency wants filers to disclose in 10-Ks (according to the Final Rule):
1. "Processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats…"
2. "The board of directors' oversight of risks from cybersecurity threats and management's role in assessing and managing material risks from cybersecurity threats."
(Note: the SEC also promulgated new requirements for Form 8-K that mandate rapid reporting of material cybersecurity incidents, within four business days of the company determining that an incident is material.)
How did the initial 10-K filings approach compliance? Here are some takeaways from the admittedly few filings to date:
1. ‘Material Risk’ Still to Be Pinned Down
Filers are expected to "identify" material risks, but the SEC doesn't say exactly how. In a panel discussion at the 2023 FAIR Conference, David Hirsch, the cyber enforcement chief for the agency, advised defining materiality by asking a simple question: "Is this the type of information our investors care about?" Ultimately, investors care about the financial impact on the company, and, as FAIR Institute President Nick Sanna pointed out in the blog post What the New SEC Regulation Means for Risk Management:
Companies will be expected to have the ability to break down and quantify how losses materialize for their top cyber risks and incidents. This will be a forcing function for companies to adopt trusted cyber risk quantification models such as FAIR and adopt tools that provide them with visibility into their top risks as key enablers for determining and communicating risk and incident “materiality”.
In the initial batch of filings, only one company, Netflix, tried to advance that ball:
We use a widely adopted risk quantification model to identify, measure and prioritize cybersecurity and technology risks and develop related security controls and safeguards.
(Note: Netflix is a longtime FAIR shop and frequent presenter at FAIR Conferences. Example: 5 Objections to FAIR and How to Overcome Them – Lessons from the Netflix FAIR Program)
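To make the quantification point concrete, here is an added example (not FAIR Institute or Netflix code, and not the FAIR-MAM model itself) of the kind of analysis the Sanna quote is calling for: a simplified FAIR-style Monte Carlo that combines a calibrated estimate of loss event frequency with a calibrated estimate of per-event loss magnitude, simulates many years, and reports how often the annualized loss would cross a materiality threshold. The scenario numbers, the threshold and the triangular distributions are hypothetical assumptions chosen for illustration; a real program would use calibrated ranges, the full FAIR loss taxonomy and a threshold set with finance and counsel.

```python
"""Simplified FAIR-style loss exposure estimate against a materiality threshold.

Added illustration, not FAIR Institute code. Uses only the Python standard
library. All scenario values below are hypothetical assumptions.
"""
import math
import random
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Estimate:
    """A calibrated three-point estimate (low, most likely, high).

    Sampled as a triangular distribution here for simplicity; FAIR tooling
    commonly uses PERT, but the mechanics are the same.
    """
    low: float
    most_likely: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # random.triangular takes (low, high, mode)
        return rng.triangular(self.low, self.high, self.most_likely)


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's Poisson sampler; adequate for the small yearly event counts
    typical of cyber loss scenarios."""
    if lam <= 0:
        return 0
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(lef: Estimate, lm: Estimate,
                           years: int = 10_000, seed: int = 1) -> list[float]:
    """Simulate `years` independent years of loss for one scenario.

    lef: loss event frequency (events per year) estimate
    lm:  loss magnitude (currency per event) estimate
    Each year draws a frequency, draws a Poisson event count at that
    frequency, then sums an independent magnitude draw per event.
    """
    rng = random.Random(seed)  # fixed seed so results are reproducible
    losses = []
    for _ in range(years):
        events = _poisson(rng, lef.sample(rng))
        losses.append(sum(lm.sample(rng) for _ in range(events)))
    return losses


def materiality_summary(losses: list[float], threshold: float) -> dict:
    """Percentiles of annual loss plus the probability of exceeding `threshold`."""
    ordered = sorted(losses)

    def pct(q: float) -> float:
        return ordered[min(len(ordered) - 1, int(q * len(ordered)))]

    return {
        "mean": mean(ordered),
        "p50": pct(0.50),
        "p90": pct(0.90),
        "p99": pct(0.99),
        "p_exceeds_threshold": sum(l >= threshold for l in ordered) / len(ordered),
    }


if __name__ == "__main__":
    # Hypothetical scenario: ransomware against a production platform.
    # Frequency: between one event every 10 years and one every 2 years.
    lef = Estimate(low=0.1, most_likely=0.25, high=0.5)
    # Magnitude per event: response, downtime, legal and notification costs.
    lm = Estimate(low=2_000_000, most_likely=8_000_000, high=40_000_000)
    # Hypothetical materiality threshold agreed with finance and counsel.
    threshold = 15_000_000

    summary = materiality_summary(simulate_annual_losses(lef, lm), threshold)
    for key, value in summary.items():
        print(f"{key:>22}: {value:,.2f}")
```

The output that matters for a disclosure discussion is the last line: the simulated probability that a year's losses from this scenario would cross the threshold. A scenario with a non-trivial exceedance probability is a candidate for the "material risk" list in Item 1C, and the same loss model, applied to an actual incident's observed costs, is the starting point for the 8-K materiality determination.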
Other filers appeared to focus on the requirement to disclose "processes" and buried the "materiality" distinction in general descriptions of their cybersecurity programs. For instance, defense contractor Lockheed Martin reported:
We use a proactive risk management strategy that we developed and implemented called the Intelligence Driven Defense® model that seeks to identify and prevent cybersecurity incidents by understanding the nature of adversaries and using this information to minimize the impact of an attack…Assessing, identifying, and managing cybersecurity related risks are integrated into our overall enterprise risk management (ERM) process.
2. Board of Directors and Management Roles Are Described – and Raise Personal Liability for CISOs?
The recent 10-Ks generally do a thorough job of reporting on processes for board oversight of cyber risk, which is not a new topic for SEC filers. Here's an example from Schlumberger (SLB):
The Audit Committee of the Board of Directors oversees SLB’s cybersecurity risk exposures and the steps taken by management to monitor and mitigate cybersecurity risks. The cybersecurity team briefs the Audit Committee on the effectiveness of SLB’s cyber risk management program, typically on a quarterly basis. In addition, cybersecurity risks are reviewed by the SLB Board of Directors, at least annually, as part of the Company’s corporate risk mapping exercise.
The new development in 10-Ks: companies are meeting the requirement to detail "management's role" by placing the CISO (and comparable titles) front and center. Here's the Intel 10-K:
Our cybersecurity program is run by our Chief Information Security Officer (CISO), who reports to our Executive Vice President and Chief Technology Officer (CTO). Our CISO is informed about and monitors prevention, detection, mitigation, and remediation efforts through regular communication and reporting from professionals in the information security team…Our CISO has served in that position since 2015 and, before Intel, was previously the Chief Security Officer at McAfee and the Chief Information Officer and CISO for the US House of Representatives.
And United Rentals:
The Company’s Chief Information Officer is responsible for developing and implementing our information security program and reporting on cybersecurity matters to the Board. Our Chief Information Officer has over a decade of experience leading cyber security oversight…
Now, this is a fraught issue for CISOs and similar roles. In October 2023, the SEC charged SolarWinds and its CISO, Timothy G. Brown, with fraud and internal controls failures relating to the roughly two-year supply-chain compromise attributed to the Russian threat actor APT29, AKA Cozy Bear. The company denies the charges. The charges were a shock coming from an agency that rarely targets one individual so extensively.
The SolarWinds case followed another shocking case for the CISO profession: the 2022 criminal conviction of Joe Sullivan, former CSO at Uber, on US federal charges for concealing a security breach and a payment to the attackers at the ride-hailing company, a case that centered on the failure to disclose the breach to the Federal Trade Commission during an ongoing FTC investigation.
Could a failure by a CISO to recognize a material event cascade into a series of internal controls failures, followed by disclosure failures, resulting in personal liability for the CISO? One takeaway for sure: handle "assessing, identifying, and managing" material cyber risk carefully, systematically and defensibly, with the analysis documented so the materiality judgment can be shown afterwards.
View this Sponsored Webinar on Demand: CISOs and Personal Liability in 2024: How Not to be Singled Out by the SEC
FAIR Institute Resources for SEC Compliance on Cyber Risk
The Institute created the FAIR Materiality Assessment Model (FAIR-MAM™) to support the risk management community in measuring and managing material cyber risk. FAIR-MAM is an extension of the Loss Magnitude side of the original FAIR model that enables risk managers to quickly and accurately assess and disclose material risks on Form 8-K.
How Material Is that Hack? The FAIR Institute's informational website that leverages the FAIR-MAM standard for estimating loss magnitude from a cybersecurity incident, aligned to the SEC requirements for reporting materiality on an 8-K.
Watch the FAIRCON23 Video: How CISOs Can Get Ready for New SEC Cybersecurity Rule, with SEC Cyber Enforcer David Hirsch and Wall St. Journal editor Kim Nash