Source: RSM US LLP. PBMares is a member of RSM US Alliance.
The Securities and Exchange Commission (SEC) on July 26 released final cybersecurity rules requiring public companies to disclose details on material incidents as well as cybersecurity risk management, strategy, and governance information. While many larger public organizations likely already have processes and resources in place to meet these requirements, emerging and middle market public companies may need to make structural and cultural changes to enhance or adopt cybersecurity oversight, management, and reporting processes to comply with the final rules.
The new rules come in response to an unrelenting cybersecurity environment, with more complex and challenging threats on the horizon. For example, 20% of respondents in the 2023 RSM US Middle Market Business Index Cybersecurity Special Report claimed their company experienced a data breach in the last year, and our team has seen breach activity escalating in recent months. In addition, 68% of survey respondents anticipate unauthorized users will attempt to access data or systems this year.
With attack methods continuing to evolve amid the increasing use of emerging technologies, including artificial intelligence, investors need to understand how threats and incidents can influence a company’s value. More consistent and clearer reporting promotes that understanding.
“You don’t want to get in the habit of reporting material incidents. You need to implement preventative controls and identify incidents early. That could enable you to manage an incident more appropriately and mean the difference in materiality.”
Matt Franko, Principal, RSM US LLP
Determining materiality can be a challenge, as the rules give no specific guidance on what would constitute a quantifiable trigger.
The impact on the company should be considered against quantitative and qualitative factors, including how a reasonable investor would view the incident.
Harm to a company’s reputation, customer or vendor relationships or competitiveness may be examples of material impact on the company, according to the final rules. The possibility of litigation or regulatory investigations or actions, including regulatory actions by state and federal governmental authorities and non-U.S. authorities, may also constitute a reasonably likely material impact on the registrant.
The final rules describe information as material “if ‘there is a substantial likelihood that a reasonable shareholder would consider it important’ in making an investment decision.” This is consistent with the standard set out in cases addressing materiality in securities laws.
Meeting the demands of these rules requires an effective incident response program and cybersecurity risk management capabilities. The program should include plans to respond to and determine the materiality of specific incidents and provide details for how to respond to specific scenarios such as ransomware. Detailed threat simulations, or tabletop exercises, can provide practice with the plan and familiarize individuals with their defined roles within the program. A security monitoring strategy can also leverage technology to consolidate alerts across the organization.
In addition, a managed security operations center can identify and escalate incidents to your security and SEC reporting teams in a timely manner.
The key to compliance
Compliance with the final SEC cybersecurity rules will require a different level of effort for each company, depending on the extent to which it has already developed its cybersecurity and risk management processes. While the challenge may seem daunting to companies without comprehensive cybersecurity capabilities and incident response programs in place, compliance is achievable.
Ultimately, creating a holistic and sustainable cybersecurity risk management program that involves clear, consistent reporting, as well as increased oversight and involvement from the board, can help your company stay in compliance with SEC guidelines and protect it against material risks.
This article was written by Matt Franko and originally appeared on 2023-08-11.
© 2022 RSM US LLP. All rights reserved.
RSM US Alliance provides its members with access to resources of RSM US LLP. RSM US Alliance member firms are separate and independent businesses and legal entities that are responsible for their own acts and omissions, and each are separate and independent from RSM US LLP. RSM US LLP is the U.S. member firm of RSM International, a global network of independent audit, tax, and consulting firms. Members of RSM US Alliance have access to RSM International resources through RSM US LLP but are not member firms of RSM International. Visit rsmus.com/aboutus for more information regarding RSM US LLP and RSM International. The RSM(tm) brandmark is used under license by RSM US LLP. RSM US Alliance products and services are proprietary to RSM US LLP.