News & Blogs

Navigating New SEC Cybersecurity Disclosure Rules: Lessons from Recent Breaches

North America · · linkedin.com

This article examines the new SEC cybersecurity disclosure rules, effective December 15, 2023, by analyzing how companies like Okta, Clorox, and 23andMe handled significant cyber incidents prior to the rule's full enforcement. It highlights key considerations for CISOs, CFOs, and financial reporting personnel regarding the timing, nature, and materiality of disclosures, emphasizing the importance of proactive communication and understanding the nuances of the 8-K filing requirements.


Understanding the New SEC Cybersecurity Disclosure Landscape

The Securities and Exchange Commission's (SEC) new cybersecurity disclosure rules, particularly Item 1.05 of Form 8-K, are a critical development for publicly traded companies. Effective December 15, 2023, these rules mandate timely and comprehensive reporting of material cybersecurity incidents. Internal audit and assurance professionals must understand these requirements to guide their organizations in compliance and risk management. The core challenge lies in determining the materiality of an incident and disclosing it within four business days of that determination, not necessarily the discovery date.

Key Disclosure Elements and Challenges

The article emphasizes several key aspects of the new disclosure requirements:

  • Timing: The four-business-day clock starts ticking from the determination of materiality, which should occur without unreasonable delay. This distinction is crucial, as illustrated by the Okta example where a significant time lapse between incident and disclosure might have been questioned under the new rule.
  • Nature of the Incident: Companies are expected to describe the nature of the cybersecurity incident. While remediation steps are not strictly required for disclosure, proactive companies like Okta included them to mitigate reputational risk.
  • Materiality: This remains a central, and often subjective, consideration. Companies like Clorox and 23andMe provided financial impact assessments and details on class-action lawsuits, respectively, to articulate the materiality of their breaches.

Lessons from Pre-Rule Disclosures

By examining the disclosures of Okta, Clorox, and 23andMe, the article offers valuable insights for internal audit and assurance professionals:

  • Okta: Their disclosure, filed as an Item 7.01, highlighted the importance of addressing the incident's timeline and the potential scrutiny over delays in materiality determination. Proactive communication of remediation efforts can be beneficial.
  • Clorox: This case demonstrates the significance of clearly articulating the financial impact of a cyber incident, including effects on sales, margins, and earnings per share, to establish materiality.
  • 23andMe: Their amended filing showcased the need for detailed information on the incident's timing, nature, estimated costs, and the potential for legal repercussions, all contributing to the assessment of materiality.

These examples underscore that while the new rules provide a framework, the interpretation and execution of disclosures will require careful consideration and collaboration among legal, financial, and cybersecurity teams. Internal auditors play a vital role in ensuring that processes are in place for timely incident identification, materiality assessment, and accurate reporting to meet these evolving regulatory demands.


Read more
Comments

No comments yet. Be the first.


Sign in to join the discussion.

Sign in or Create account
Subscribe

By email

Get audit & assurance news in your inbox.


By feed reader

We publish RSS, Atom, and JSON feeds sliced by category and region.

View all feeds →

Have a tip? Submit a story or job →

Subscribe by email

Get audit & assurance news in your inbox. Or use a feed reader — view all feeds →