4 “Hacks” To Handle Hacking Risks – Actioning The SEC’s Proposed Cybersecurity Disclosure Rules
If thieves broke into a major warehouse and took millions of dollars in merchandise, the lack of security and planning that would allow such an incident to occur would likely be a board-level topic. So, with much more potentially on the line online, it shouldn’t be a surprise that the SEC—and investors—are looking more closely at companies’ cybersecurity practices.
While there is a lot of gnashing of teeth regarding the SEC’s forthcoming cybersecurity disclosure rules, expected to be in effect by 1Q 2023 at the latest, the reality is that having a plan for protecting digital information and responding to cybersecurity issues is just good business sense.
And your investors want to know what that plan is.
If a cybersecurity incident is material, be ready to share the details fast
The new rule requires companies to disclose the details of a material cybersecurity incident in an 8-K filing within four days of deciding that the incident is, in fact, material. The disclosure will need to cover:
- When the incident was discovered
- If the incident is ongoing
- The nature and scope of the incident
- Whether any data was stolen, altered, accessed, or used for any other unauthorized purpose
- The effect of the incident on the company’s operations
- Whether the company has remediated or is currently remediating the incident
While few companies are in the habit of making cybersecurity incidents—and their response to them—known immediately, it’s not an unheard-of practice
Investors in Hanesbrands Inc. learned about a cybersecurity incident affecting the company when Hanes completed this 8-K filing in May. In this case, the disclosure specifically states that “the Company cannot determine at this time whether or not such event will have a material impact on its business, operations or financial results.”
Turns out, it did, ultimately resulting in an estimated $100 million reduction in net sales and a $35 million hit to adjusted operating profit. After the initial disclosure, Hanes remained largely silent on the issue for months while calculating this material impact. Then management opened the Q3 earnings call with this:
“Adding to these macro headwinds was the unexpected impact from the previously disclosed cyber event, which disrupted our global operations in late May. As a result, our second quarter performance was below our expectations. While profit margins were in line with our forecast, sales and profits were below our guidance. And we ended the quarter with more inventory than planned, which is creating a near-term drag on cash flow.”
Now, the challenge will be assessing the impact in real time
Under the proposed rules, organizations won’t have much time when it comes to determining the potential materiality of an incident or breach. Further complicating the situation, the SEC’s definition of “incident” is quite broad. Cybersecurity incident means “an unauthorized occurrence on or conducted through a company’s information systems that jeopardizes the confidentiality, integrity, or availability of a company’s information systems or any information residing therein.” In our reading, this clearly extends to third parties whose systems or access could affect your cybersecurity.
In any case, companies can’t afford to be caught off guard if and when a cybersecurity breach occurs. Being prepared to respond quickly will be the key to compliance as well as to managing investor perception of the impact.
Prepare by taking these four steps
1. Have a team at the ready. Currently, most companies don’t have a group outside of IT that participates in assessing cybersecurity incidents and their impact on the business. Since we can’t expect the IT group to be experts at knowing what constitutes a material risk to the enterprise (versus IT protocols and systems), you need to bring in people who are authorities. And these people need to be prepared to consider the issues in real time.
Just like you have a go-to team for assessing potential Reg FD violations, you’ll now need an emergency response team to assess cybersecurity incidents and disclosures. The core group should include the IRO and CFO as the experts in materiality, as well as the CISO and the head of IT to weigh in on the full extent of any breaches. Bring the GC along for a legal perspective to round out your cybersecurity task force, and you’ll have the right people at the table to quickly size up the impact of incidents and craft the required public disclosures.
Some organizations already have a jump on putting such a task force together. For example, in its proxy statement, Capital One discusses its Technology and Cyber Risk committee, which is a management-level committee responsible for regularly discussing cyber and technology risks and escalating matters to the board’s Risk Committee as appropriate. Additionally, the statement outlines the roles of the CISO and the Chief Technology Risk Officer in keeping the Risk Committee updated on the company’s cyber risk profile.
Capital One 2022 Proxy (Source: Capital One Proxy Statement, Page 34)
2. Lay the ground rules. The cybersecurity task force should collaborate on standards and conventions for its work. To start, the team should determine how well cybersecurity has been integrated alongside other enterprise risks and if there are any gaps that need to be closed.
Additionally, the team should define the following:
- What triggers will call this task force together?
- What protocol will the group follow when it assembles to address an incident?
- When and how will cybersecurity incidents be escalated to the board?
3. Flesh out the board’s role in assessing cybersecurity risk. In addition to requiring rapid disclosure of cybersecurity incidents, the proposed rule requires companies to disclose their cybersecurity risk management, strategy, and governance policies and procedures, including oversight by the board, the processes by which directors or committees are informed about incidents, and how the board monitors the prevention, mitigation, detection, and remediation of cybersecurity events. If your board has a named cyber expert, involve this director in defining the board’s responsibilities and when, how, and at what level the board should be briefed.
The charter for the General Motors Risk and Cybersecurity Committee does a good job of outlining how the management team and the board work collaboratively to ensure cybersecurity best practices. In describing responsibilities, the charter lays out the duties of the company’s management team, its “Designated Executives,” the committee, and the full board, including how reports and information are shared along this chain of command.
General Motors Risk and Cybersecurity Committee Charter (Source: General Motors Risk and Cybersecurity Committee Charter, Page 2)
4. Update your 10-K disclosures. If your company is upping its cybersecurity game, be sure to discuss your efforts in the risk section of the 10-K. Specifically disclose if you have created a cybersecurity task force or committee. Include the details on this group such as who is involved, how often it meets, and protocols for assessing breaches and escalating issues to the board level.
It’s not a matter of “if,” it’s “when”
As cybersecurity breaches continue to make headlines and hackers grow more sophisticated every day, no company is completely immune to an attack. As the Hanes example shows, the implications can be significant and absolutely material. Showing investors that you are taking a proactive approach to cybersecurity defense, risk mitigation, and disclosure will build confidence in your company’s ability to respond, as well as in your commitment to keeping investors informed along the way. Since new rules will soon make this mandatory, it is best to lean in now and give cybersecurity the executive and board-level attention it deserves. If you’d like help setting up your cybersecurity task force to ensure it supports your overall ESG objectives, give us a call.