Be ready to comply with the SEC’s new cybersecurity regs

“Bake” materiality into your cybersecurity procedures, PwC expert recommends.

Francis Scialabba

The SEC’s new cybersecurity regulations went into effect last week. Most companies are “largely ready” to comply, Matt Gorham, senior managing director and leader of PwC’s Cyber & Privacy Innovation Institute, told CFO Brew, “but that doesn’t mean there isn’t work to do.”

As their companies’ finance leaders, CFOs are instrumental in determining whether a cybersecurity incident is material, but they have other roles to play as well. Gorham shared his advice for how CFOs can help their organizations comply with the new regs.

In a nutshell: As a reminder, the regulations consist of what Gorham refers to as three “buckets.” Companies that file with the SEC are required to:

  • Declare any material cybersecurity incidents to the SEC on Item 1.05 of Form 8-K within four business days of determining materiality
  • Disclose information about their cyber risk management and strategy in a new section of the 10-K called Item 1C
  • Disclose information about their boards’ and management’s role in overseeing cybersecurity risk

The first two “buckets,” Gorham said, will likely require the most work to comply with.

Have a team and a process in place for determining materiality: That team should include the CFO, general counsel, and the CISO or CIO, Gorham said. The CFO will likely handle the quantitative aspects of an incident’s materiality, he said, but other personnel can provide input on other impacts, such as customer and vendor relationships, reputation, and potential litigation.

“Bake” materiality into your procedures: Review your incident escalation procedures and make sure their “material considerations” are “baked in,” Gorham said.

“Incident responders don’t generally think in terms of materiality, and folks that wrestle with materiality don’t generally think in terms of the incident response process,” he said, so he stressed the importance of coordinating to ensure that the team making the materiality determination gets the information it needs.

Ensure incident reporting captures repeated incidents: The SEC regulations state that companies now need to disclose repeated cybersecurity incidents if their total impact is material. The first time a bad actor attacks a company it may not be material, Gorham said, but if the same bad actor attacks again and the cumulative impact of the incidents is material, then that company would need to “re-escalate both of those so they can be considered in an aggregate fashion.” Companies need to make sure they have good procedures in place for tracking incidents, he said.

Make sure you can respond within the four-day timeline. Companies must report to the SEC within four business days of determining an incident’s materiality, and not within four days of the incident’s occurrence. It can take “days, weeks, a month” to make that determination, Gorham said, but four days is nevertheless a “condensed time frame.” Review your processes to ensure you can capture the “nature, scope, time, and material impact of an incident in disclosure language and have it all approved” in that time, he recommended.

Conduct a tabletop exercise in compliance. Companies can also test their response to a fictional cybersecurity incident to identify any gaps in their processes. Such exercises can help them “shrink the decision process and give themselves more agility” in the event of an attack, Gorham said. That way, they won’t be “trying to figure it out the first time in the middle of an incident,” he added.
