Corporate executives and board members have been wrestling with waves of ransomware attacks and data breaches for years, and for many of them the technical elements of a security incident involving a company’s operational technology (OT) or information technology (IT) can be extraordinarily challenging to understand. Adding to that pressure, since December 18, 2023, public companies have been required to report a “material” cyber incident on Form 8-K within four business days of determining that the incident is “material.” The Form 8-K filing must describe the material aspects of the incident, or series of related incidents (think nature, scope and timing), as well as the material impact or reasonably likely material impact of the incident on the company.
The Crucial Role of Your Security Executive in Disclosures
Financially minded executives and board members of public companies are well aware that “materiality” under the U.S. Securities and Exchange Commission’s general disclosure framework is a nebulous concept. “Materiality” under the finalized cybersecurity disclosure rules is no exception. A company is required to review the facts and circumstances of a security incident holistically, and if the company determines that there is a substantial likelihood that a reasonable investor would consider the information important in making an investment decision, or that the information would significantly alter the total mix of information available about the company, then the incident is “material” under the Cybersecurity Disclosure rule.
While the materiality determination is ultimately a legal and financial judgment, security executives play a vital role in the analysis by ensuring that the business understands the technical aspects of the incident, the impacts on the company’s IT and OT infrastructure, and the downstream effects on the company’s business and operations.
The Benefits of a Trusted Partner
The SEC Cybersecurity Disclosure rule requires companies to publicly disclose the nature, scope and timing of an incident that has been determined to be “material,” as well as the actual and reasonably likely business impacts of that incident, including operational and financial impacts.
All of this information must be gathered quickly and accurately and be clearly articulated to the identified “materiality” decision-makers so the company can comply with the requirement to make a determination without unreasonable delay. The speed at which decisions must be made necessitates established internal processes, and security executives are in a prime position to ensure the relevant information is escalated.
This is where a trusted security partner can also help. If you work with a managed detection & response (MDR) vendor, their solutions and offerings can assist in documenting and communicating the nature, scope, and timing of the incident to help your company’s internal stakeholders determine the materiality of an incident. Ideally, your MDR partner will also have expert incident responders and threat researchers on staff who can assist with establishing proper response processes before an incident happens. In the event of an incident, they should also provide additional context and deeper insights specific to your situation to share with your security staff.
Paint a Full Picture of the Incident
Chief Information Security Officers and/or other security officers should have a seat at the table to ensure that the information being analyzed and escalated is clear, concise and sufficient to tell the incident’s story to your company’s “materiality” decision-makers. Without the involvement of the CISO and the security team, the key pieces of information needed to paint an accurate picture of the incident, and of its actual and likely business impacts, may reach decision-makers as unusable technical jargon or be lost altogether.
To learn more about the potential financial impact of cyber threats on organizations, check out the Boardroom Cybersecurity 2023 Report.