In addition to new rulemaking and interpretive guidance on cybersecurity from the SEC, public companies are seeing their cybersecurity disclosures and assertions weighed directly by investors, ratings agencies, and insurance providers - not to mention prospective customers. Investors and analysts are capturing cybersecurity maturity alongside other Environmental, Social, and Governance (ESG) priorities, and agencies are performing algorithmic reviews of public filings to score companies on their attention to cybersecurity. Knowing the minimal requirements and opportunities for additional credit can turn cyber from a risk factor into a differentiator.
This article explores companies’ responsibility for disclosure and communication to shareholders and the investing public.
Cybersecurity governance assertions and disclosures begin with the 10-K. In addition to the more obvious Risk Factors section, SEC guidance and observed best practice identify several specific areas to review.
The business description section of the 10-K is an appropriate area for firms that experienced a high-profile cyber incident in the past to recap the event and the resulting actions. Separately, companies that devote significant resources to cybersecurity and/or are subject to substantial or evolving cyber-specific regulations may use this section to communicate how those factors influence company culture and strategy broadly.
10-K: Risk Factors
The Risk Factors section of the 10-K addresses most of the requirements around cyber disclosure. It is helpful to use Threat Objectives to structure risk management generally, and that same vocabulary can guide the discussion of Risk Factors. For example, if you have identified Intellectual Property Theft as a top Threat Objective, you might include a statement such as “We could suffer theft and disclosure of key intellectual property as the result of a cyber attack, significantly eroding our competitive advantage in…”. The key here - as in most Risk Factor disclosure - is to balance discussion of the past and the future. While the general tone should be forward-looking, this is also the spot to highlight “near-misses” or aggregate data from the prior year. Building on our Intellectual Property Theft example, you might add “While we have not been the subject of such material incidents in the past, we regularly see phishing, network probing, DDoS, and similar events that are often connected to such attempts.”
10-K: Management Discussion & Analysis (MD&A)
If your cybersecurity risks or incidents could reasonably produce a material impact on financial reporting, this is the area to address it. For example, expected or potential increases in cybersecurity operational, legal, and/or insurance costs can be discussed here.
This is the place where security incident disclosures would appear. Similarly, if a significant cyber incident has occurred within your partner ecosystem, you may want to discuss the impact (if any) on your business in this section.
When to disclose incidents?
Your proxy statements are another important location to discuss cybersecurity, with a focus on governance composition.
Proxy: Director Qualifications, Skills, & Experience
As you describe the qualifications of individual Directors, be sure to highlight past experience and current responsibilities regarding cyber oversight. Cyber qualifications do not need to be limited to more obvious experience such as serving as a Chief Information Security Officer. It is likely that others have also participated in cyber risk management functions in their previous roles as CEO, CFO, GC, or in other more traditional Director backgrounds. Match specific directors with their cyber operational and governance experience in a matrix alongside other qualifications such as audit/financial, technology, regulatory, or business-specific expertise. Resist the temptation to bundle cyber and technology together, and be sure to point out Director participation in the committee identified to oversee cyber risk.
Declare commitments to Director education and engagement on cyber. An example statement may be “In addition to program management updates provided to the Risk Committee quarterly, all full Board Directors are given the opportunity to participate in annual cybersecurity education sessions hosted by the Chief Information Security Officer and third-party experts.”
Proxy: Committee Composition
Identify the Board committee with responsibility for cyber oversight. In financial services, this migrated from the Audit Committee to the Risk Committee when the latter was required by the Dodd-Frank Act. Outside financial services the Audit Committee remains a popular venue, though many firms have established Technology or Tech Risk Committees that include cyber. If you take this approach, be careful to avoid projecting the notion that cyber risk is limited to technology.
One trend gaining traction is to have a specific Cybersecurity Committee, which some firms may find removes the need for a Technology-specific committee outright.
Once you identify a Board Committee with responsibility for cyber oversight, you should memorialize that decision in the committee charter. The theme of the charter will be that the Committee assists the Board with its oversight of management’s responsibility. While the industry is only recently pivoting toward dedicated Cybersecurity Committees, cyber can be spelled out in the introductory paragraph outlining those management responsibilities for any chosen committee. Whether or not it is spelled out up front, cyber should absolutely be mentioned explicitly in the Responsibilities & Duties section or its equivalent. Here cyber oversight responsibilities should broadly include receiving reports on the firm’s cyber risk posture and any incidents.
What responsibilities and authority can be specified in the Charter?
While the word “breach” is heavily overused in cybersecurity generally, it has a special meaning in a Risk Committee alongside the notion of risk appetite statements and red/amber/green (RAG) reporting. If you use these conventions in your oversight committee, continue them into cyber, specifying that the committee is made aware of any breaches.
The committee should be made aware of any incidents exceeding a defined severity level. See the previous section on Cyber Incident Response Procedures for how Committee notification triggers can be woven into operational procedures.
Tip: rather than codifying a hard threshold that always requires immediate notification to the Committee, instead spell out a condition that requires a designated individual or group to convene and deliberate whether the Committee (starting with the Committee Chair) needs to be made aware.
The Committee may define a direct dotted-line relationship with the Chief Information Security Officer to help assert independence where the reporting line - especially one running to a CIO - creates a potential conflict between the assessors and the assessed.
Consider reserving, right in the Charter, the Committee’s right to engage third-party security testing up to and including “red team testing”. While it is customary to note a committee’s right to engage financial audit and risk reviews generally, the most sophisticated programs may conduct unannounced testing to gain maximum assurance over controls and procedures. Authorizing this at the Board Committee level allows even the CISO to be within the scope of testing.
Incident Governance and Insider Trading
While Incident Management is an operational matter, there are governance touchpoints that should be considered and codified into your escalation procedures to demonstrate compliance with regulations and guidelines. The SEC is clear that knowledge of a significant cybersecurity incident constitutes material non-public information (MNPI). This means that “directors, officers, and other corporate insiders must not trade a public company’s securities while in possession of (such) information”(2). The key point to consider in advance, however, is memorializing awareness of and commitment to those principles before an incident occurs. While a cyber incident response team is not the appropriate place to make trading restriction decisions, and the office of the General Counsel does not need to be involved in cybersecurity operations, you can codify a step in your Cybersecurity Incident Response Procedures to escalate potential incidents for review. First, review your severity ratings so that materiality criteria are among the factors that force an incident into a higher rating. Second, specify immediate notification of legal and compliance teams when incidents are escalated to a specific level. Finally, clearly assign which personnel are responsible and authorized for declaring incident severity levels. This same process is useful in highly regulated organizations with notification requirements, and for incidents that may trigger the increasingly prevalent global privacy laws and the notification requirements therein. For a practical example, your Procedures may state that an incident rises to Severity 2 if strictly confidential data is disclosed or any operational availability is impacted. Your escalation procedures may automatically email a distribution list including the General Counsel and Chief Compliance Officer when incidents are raised to this level, and they can ask the questions needed to determine whether a trading restriction or external notification is required.
Often more importantly, they may memorialize the decision not to take one of those actions, which demonstrates this control and operational rigor during audit and review.
Cybersecurity governance has growing implications for any public company. With regulators, customers, investors, and ratings agencies paying close attention, it’s critical to review your corporate governance documents not just for compliance, but for opportunities to leverage your cybersecurity investments and differentiate your firm.