
New SEC Rules Put a Premium on Advance Planning and Response Strategies for Cybersecurity Breaches

This article is a repost from the Spring 2024 edition of NIRI’s IR Update.

Colonial Pipeline. MGM. Change Healthcare.

At first glance, these are not companies you typically group together, but they all have the dubious honor in recent years (and even the past few months) of being victims of widely disruptive ransomware attacks.

Ransomware—a type of malware that attackers use to encrypt critical systems or data, withholding the means to restore them until a payment is made—can be profoundly disruptive to any organization’s operations. These attacks have become more common and more expensive to remediate and recover from.

According to Statista, more than 72% of businesses worldwide were affected by ransomware attacks in 2023 compared to 56% in 2019. Over the same period, Chainalysis reports that hackers were paid nearly $1 billion annually by firms to resolve ransomware incidents.

As scary as that is, ransomware is only one form of cybersecurity threat: Statista counted 8 million data records breached in the fourth quarter of 2023 alone, and IBM estimates that the average cost to resolve a data breach was nearly $4.5 million per breach.

These numbers show that cybersecurity incidents—whether responding to a live incident or preparing for the likelihood of one occurring—are increasingly becoming a fact of life for companies, and the costs to resolve and remediate them are significant, and often material.

With increased frequency and cost, it is little wonder that investors are focusing on their portfolio companies’ cybersecurity protocols. Adding to the scope of investor scrutiny are the new rules on cybersecurity disclosures that the U.S. Securities and Exchange Commission (SEC) announced last year.

Understanding the SEC Disclosure Requirements

Adopted on July 26, 2023, the new SEC rules on cybersecurity require both incident reporting and annual reporting on risk mitigation and governance. Material cybersecurity incidents are required to be disclosed within four business days “after a registrant determines that a cybersecurity incident is material.”

The annual disclosure must include “processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, as well as the material effects or reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents.”

Domestic and foreign filers alike are included in the rules, with U.S. companies being required to disclose incidents on Item 1.05 of Form 8-K and the annual disclosure on Item 106 of the Form 10-K. Foreign filers must make “comparable disclosures” on Form 6-K for incidents and Form 20-F for the annual disclosure.

It seems simple enough, but we probably all raised our eyebrows at the number of times “material” is used in those descriptions.

So, how do we determine cybersecurity materiality?

Determining Materiality

The rule of thumb that IROs are familiar with in determining materiality per federal securities law is the “reasonable investor” test. For cybersecurity, there are two primary considerations that can help in making this determination.

Risk to data: Risk to data is a significant consideration when determining the harm that may result from a cybersecurity incident. While the legal and technical considerations and risks are voluminous, from a communications perspective, a full analysis of the confirmed risk to data may take weeks or months to complete thoroughly and effectively. Without a thorough analysis that confirms the impact to individuals, an organization disclosing unauthorized data access runs the risk of causing harm and panic among its customers, employees, and investors without providing any recourse. What’s worse, an organization that inaccurately suggests a limited or non-existent risk to data may cause lasting damage to its credibility and trustworthiness if those statements are later shown to be incorrect.

Risk to operations: In addition to data, operations may be impacted, as was the case for the companies mentioned in the beginning of this article. When operations are affected, revenue, costs, and more may be negatively impacted as well. And costs will include a company’s efforts to respond to and remediate an incident. IROs and their executives should work with their legal teams and external advisors (as applicable) to make determinations on materiality.

Recent Disclosure Patterns

In terms of annual process and risk management disclosures, there has been significant variability in the approach companies have taken in the few months since the rule took effect.

DragonGC Co-founder and Chief Product Officer Neil McCarthy told Governance Intelligence that while 10-K disclosures have generally all described the board committee that has been charged with oversight (usually the audit committee) and the person who oversees cyber decisions (usually the chief information security officer, or CISO), there have been differences in specific structures and approaches based on each company’s operational needs and strategy. The Wall Street Journal reported that while companies tend to go beyond what the SEC requires to be disclosed, certain helpful details are not yet being discussed, such as a company’s criteria for materiality.

Preparing for a Cybersecurity Incident

With cybersecurity incidents becoming commonplace, companies and IROs must be prepared to respond from a communications perspective.

There is the operational aspect of being prepared: cybersecurity must be integrated into corporate governance, and a company must have a thorough understanding of its current cybersecurity infrastructure, including policies, risks, controls, and vulnerabilities.

Having an incident response plan in place is table stakes, and practicing with tabletop exercises is key to perfecting your response. IROs are critical players in implementing these plans and therefore must be “in the room” when a crisis response is being formulated and know what their specific roles and responsibilities are.

As is the case in many crisis situations, a well-planned and well-executed communications plan can enable an organization to protect its reputation in the face of disruptive events.

As with any crisis communications plan, an effective cybersecurity incident communications strategy includes a clearly defined communications playbook. That playbook should include the following four components:

  1. Understand the stakeholder universe. Who must be informed, and who should be informed? For the former, considerations include regulatory requirements and the potential for law enforcement support. For the latter, a strategic approach may be beneficial as there is an opportunity to provide appropriate levels of transparency – within legal guardrails – to build goodwill for the road ahead as the company works towards resolving and remediating the incident. Timing is a key consideration in this category as well. A company should know when it is required to report certain information, and when information should remain confidential until it is known with certainty.
  2. Establish a team of communications “first responders.” These are people who are pre-approved to act as spokespersons throughout the crisis. These individuals should have executive buy-in and be relevant to the key stakeholder audiences. It is critical that the IRO play a role here as the first line of defense with the investment community.
  3. Develop thoughtful and organized communications approval protocols. These will help minimize delays as the crisis evolves. Perceived delays may give the impression of an ill-prepared organization that lacks the ability to handle the heightened responsibilities of a crisis.
  4. Assemble a pre-defined task force. This group should have clear leadership and defined lines of responsibility. The task force must work efficiently to determine the materiality aspect of the incident with respect to SEC requirements as well as fulfill any reporting requirements of other regulators or government entities.

Board readiness is a topic for another article, but at the very least, determine if board members know the response plan and if they are up to date on the latest trends.

Responding to a Cybersecurity Incident

Should an incident occur, an effective response demonstrates that decisions can be made quickly, team members are working in lockstep, and strategies are executed seamlessly.

Expect a high volume of inbound questions, concerns, and demands from key stakeholders. It will be tempting to get ahead of the facts and provide reassurance to business partners, customers, and the investment community. It is critical that communicators respond to inquiries in a timely and professional manner, but it is even more important that they use only information that is currently known.

The Role of the IRO

Between SEC disclosure requirements and the very real potential of a cybersecurity incident, it is important for IROs to be involved in all aspects of cybersecurity preparedness, reporting, and incident response. IROs, with their unique skill set and perspective, have an important role to play, including the following:

Provide intelligence and feedback. Just as IROs are sources of information to the management team and board on how peers and the broader industry are communicating with investors, IR teams can provide similar insight on cybersecurity reporting, disclosures, and messaging. Knowing what peers are saying and what is evolving as industry best practice, coupled with direct investor feedback, are valuable perspectives from which teams across an enterprise can benefit.

Thoughtfully craft an investor offense. When preparing the cybersecurity incident response playbook, IROs will own the communications strategy aimed at the investment community. When crafting the strategy and messages, there should be a thoughtful approach to ensure that timely, truthful, and helpful information is provided to directly address concerns. Scenario planning can be helpful to create messages that can be used as needed and be updated as the situation evolves.

Advise colleagues on managing stakeholder expectations. IROs spend significant time managing stakeholder expectations. They are also skilled at doing so in a range of timeframes, from weeks to years. These communications skills can be useful to support colleagues who are not called upon to do this frequently, while ensuring that communications are aligned throughout planning for and responding to a cybersecurity incident.

Manage relationships with the investment community. This means serving as the main spokesperson to deliver key messages and information to the market. This also means serving as a gatekeeper to others within the company, since investors or analysts will likely want to speak with the chief information security officer or other executives on how the incident is impacting the company. IROs should work with their colleagues to determine whether to honor these requests, in what format to do so, and help their colleagues prepare.

Plan for a lengthy resolution. According to IBM, it took an average of 56 to 88 days in 2023 to resolve a cybersecurity breach. This means that communications teams and IROs need to plan to address the topic in their scheduled activities for at least a month or two. IROs should consider whether to address the topic proactively on earnings calls, or if proxy season is around the corner, whether the specific issue or cybersecurity in general will become a voting issue for investors. In addition, if the IRO is responsible for the company’s sustainability report, the sustainability report will need to be updated for consistency.

By drawing upon their existing skills and processes, IROs can make critical contributions to cybersecurity incident planning and response that can help protect value and save their companies from headlines they don’t want in the history books.


The views expressed in this article are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals. FTI Consulting, Inc., including its subsidiaries and affiliates, is a consulting firm and is not a certified public accounting firm or a law firm. FTI Consulting is an independent global business advisory firm dedicated to helping organizations manage change, mitigate risk and resolve disputes: financial, legal, operational, political & regulatory, reputational and transactional. FTI Consulting professionals, located in all major business centers throughout the world, work closely with clients to anticipate, illuminate and overcome complex business challenges and opportunities.

©2024 FTI Consulting, Inc. All rights reserved. www.fticonsulting.com
