
Understanding the new SEC rules requiring cybersecurity risk disclosures

A number of articles have been written (especially by the accounting firms and a few law firms) about the new SEC rules, but it is always useful to read what the SEC actually said. You can find the link in their press release.

The press release says:

The Securities and Exchange Commission today adopted rules requiring registrants to disclose material cybersecurity incidents they experience and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance.

“Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors,” said SEC Chair Gary Gensler. “Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”

The new rules will require registrants to disclose on the new Item 1.05 of Form 8-K any cybersecurity incident they determine to be material and to describe the material aspects of the incident’s nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant. An Item 1.05 Form 8-K will generally be due four business days after a registrant determines that a cybersecurity incident is material.

The new rules also add Regulation S-K Item 106, which will require registrants to describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, as well as the material effects or reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents. Item 106 will also require registrants to describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats. These disclosures will be required in a registrant’s annual report on Form 10-K.

The key word is material, which I highlighted above and will discuss shortly.

The Final Rule repeats and clarifies the above:

The Securities and Exchange Commission (“Commission”) is adopting new rules to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incidents by public companies that are subject to the reporting requirements of the Securities Exchange Act of 1934.  Specifically, we are adopting amendments to require current disclosure about material cybersecurity incidents.  We are also adopting rules requiring periodic disclosures about a registrant’s processes to assess, identify, and manage material cybersecurity risks, management’s role in assessing and managing material cybersecurity risks, and the board of directors’ oversight of cybersecurity risks.

The Final Rule has a table on page 12 that summarizes the new requirements. (I am only showing the requirements for domestic filers. Those for foreign filers are very similar but separately stated.)

Item: Regulation S-K Item 106(b) – Risk management and strategy
Summary description of the disclosure requirement: Registrants must describe their processes, if any, for the assessment, identification, and management of material risks from cybersecurity threats, and describe whether any risks from cybersecurity threats have materially affected or are reasonably likely to materially affect their business strategy, results of operations, or financial condition.

Item: Regulation S-K Item 106(c) – Governance
Summary description of the disclosure requirement: Registrants must:

  – Describe the board’s oversight of risks from cybersecurity threats.

  – Describe management’s role in assessing and managing material risks from cybersecurity threats.

Item: Form 8-K Item 1.05 – Material Cybersecurity Incidents
Summary description of the disclosure requirement: Registrants must disclose any cybersecurity incident they experience that is determined to be material, and describe the material aspects of its:

  – Nature, scope, and timing; and

  – Impact or reasonably likely impact.

  An Item 1.05 Form 8-K must be filed within four business days of determining an incident was material. A registrant may delay filing as described below, if the United States Attorney General (“Attorney General”) determines immediate disclosure would pose a substantial risk to national security or public safety.

  Registrants must amend a prior Item 1.05 Form 8-K to disclose any information called for in Item 1.05(a) that was not determined or was unavailable at the time of the initial Form 8-K filing.

The requirements in the table are explained in more detail later in the SEC document.

“Material” is the key word, and the Final Rule repeats existing guidance when it says (again with my highlights):

The Commission affirmed in the Proposing Release that the materiality standard registrants should apply in evaluating whether a Form 8-K would be triggered under proposed Item 1.05 would be consistent with that set out in the numerous cases addressing materiality in the securities laws, including TSC Industries, Inc. v. Northway, Inc., Basic, Inc. v. Levinson, and Matrixx Initiatives, Inc. v. Siracusano, and likewise with that set forth in 17 CFR 230.405 (“Securities Act Rule 405”) and 17 CFR 240.12b-2 (“Exchange Act Rule 12b-2”).  That is, information is material if “there is a substantial likelihood that a reasonable shareholder would consider it important” in making an investment decision, or if it would have “significantly altered the ‘total mix’ of information made available.”

By the way, this is the same standard that should be applied in assessing materiality and the presence of a material weakness for SOX compliance.

Do the new rules change SOX compliance requirements? No. SOX is about the integrity of the financial statements filed with the SEC, and the new rules are for additional disclosures. They are not subject to the annual external audit, and are not included within the scope for Sarbanes-Oxley Section 404 (SOX) reporting.

Page 61 repeats in different language what is required when disclosing the organization’s cyber risk management program:

As adopted, 17 CFR 229.106(b)(1) (Regulation S-K “Item 106(b)(1)”) requires a description of “the registrant’s processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes.”

The enumerated elements that a registrant should address in its Item 106(b) disclosure, as applicable, are:

  • Whether and how the described cybersecurity processes in Item 106(b) have been integrated into the registrant’s overall risk management system or processes;
  • Whether the registrant engages assessors, consultants, auditors, or other third parties in connection with any such processes; and
  • Whether the registrant has processes to oversee and identify material risks from cybersecurity threats associated with its use of any third-party service provider.

We have also revised the rule text to clarify that the above elements compose a non-exclusive list of disclosures; registrants should additionally disclose whatever information is necessary, based on their facts and circumstances, for a reasonable investor to understand their cybersecurity processes.

Item 106(b)(2) requires a description of “[w]hether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant, including its business strategy, results of operations, or financial condition and if so, how.”

The SEC states:

The rule requires registrants to describe those processes insofar as they relate to material cybersecurity risks.

They also say:

Under Item 106(c)(1) as adopted, registrants must “[d]escribe the board’s oversight of risks from cybersecurity threats,” and, if applicable, “identify any board committee or subcommittee responsible” for such oversight “and describe the processes by which the board or such committee is informed about such risks.”

Item 106(c)(2) directs registrants to consider disclosing the following as part of a description of management’s role in assessing and managing the registrant’s material risks from cybersecurity threats:

  • Whether and which management positions or committees are responsible for assessing and managing such risks, and the relevant expertise of such persons or members in such detail as necessary to fully describe the nature of the expertise;
  • The processes by which such persons or committees are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents; and
  • Whether such persons or committees report information about such risks to the board of directors or a committee or subcommittee of the board of directors.

While some may disagree, I like the SEC’s determination on whether board members should have specific cybersecurity expertise:

We are persuaded that effective cybersecurity processes are designed and administered largely at the management level, and that directors with broad-based skills in risk management and strategy often effectively oversee management’s efforts without specific subject matter expertise, as they do with other sophisticated technical matters.

I am not an attorney, and organizations should consult one before interpreting the Final Rules and making the required disclosures.

Having said that, I would tackle the issue by making sure that we have determined what would be material to the organization.

To do that, we need to understand what would be material to the reasonable shareholder (or potential shareholder) in making an investment decision.

In general, they are interested in both the financial results for the current period and projected future results.

In other words, they are concerned with whether the organization will achieve its enterprise objectives, which should be consistent with financial and other guidance they have shared with investors.

We might use the measure typically adopted for SOX of 5% of pre-tax net income, but that may be too high. I advise consulting the investor relations function and senior executives to understand what they believe would be material to investors.

For example, a breach might cause a level of business disruption that prevents the company from meeting the earnings projections shared with investors, even though the total cost, including loss of revenue, is less than 5% of that projection.

I am not persuaded that using a loss level to define “material” is realistic.

Every organization should consider its own specific facts and circumstances to define what would be a material breach.

As explained in my earlier post, Excellent Insights into Cyber Risk, the average cost of a breach is only $4.45 million. That is far less than 5% of pre-tax net income.

Some companies have suffered far larger losses, but those are far larger companies. As explained in Understanding the Business Risk that is Cyber:

According to PCH Technologies (an IT consulting firm) in their 2021 report:

  1. Solarwinds, a company that makes business software, was compromised at some point in 2020. This was an advanced persistent threat (APT) that proved very hard to detect. In total, the company reported losses of $25 million to its investors.

Note: Solarwinds’ revenue in 2020 was $1.1 billion, so the losses were 2.27% of revenue.

  2. Amazon was targeted with a DDOS[1] attack earlier… and it succeeded. They were only down for a little over an hour, but the total losses were somewhere in the neighborhood of $75 million.

Note: Amazon’s revenue in 2020 was $386 billion, so the loss was trivial by comparison.

  3. In May of 2021, Brazilian meatpacking company JBS was the victim of a ransomware attack. The ransom alone was $4.4 million, and the loss of revenue might have been even greater.

Note: JBS’s 2020 revenue was $71 billion.

  4. On May 6, 2021, the Colonial Pipeline was hacked, and the ransom paid by the company was reported as $5 million.

Note: this was 1% of Colonial Pipeline’s 2021 revenue of $500 million.

To repeat: Every organization should consider its own specific facts and circumstances to define what would be a material breach.

These days, some shareholders and potential investors are concerned with sustainability measures, so potential deviations from corporate targets might well be material.

I am troubled by the need to assess cyber risk separately from (i.e., not as one of many) other business risks. Cyber risk may be less than material when viewed in isolation, but management and the board need to understand the full range of business risks when considering whether, taken together, they create an unacceptable likelihood that objectives will not be achieved; in other words, whether they indicate that projected results (which have been shared with investors) are unlikely to be delivered. For example, when revenue projections rely on avoiding product quality issues as well as breaches caused by vulnerabilities in the new products, it is the presence of multiple sources of risk that can lead to an assessment that those revenue targets may not be met.

While the SEC rules require that the organization disclose “Whether and how the described cybersecurity processes in Item 106(b) have been integrated into the registrant’s overall risk management system or processes”, I don’t think that is sufficient. I would much prefer to see the SEC require a disclosed assessment of the processes for managing all sources of business risk, rather than limiting it to cyber.

Coming back to my theme…

If I were in charge of a project to ensure compliance with the new SEC rules, I would make sure that there is an adequate cyber risk assessment – one that is based on how a breach might have a material effect on the achievement of enterprise objectives. Everything flows from that determination.

That is the theme of my risk management writing, here and in my several books.

I welcome your thoughts, especially any insights on the impact of the SEC rules and how organizations should and are responding.

[1] Distributed Denial of Service attack

  1. Anonymous
    August 25, 2023 at 2:36 AM

    Excellent commentary on “MATERIAL”, useful to any Auditor, and of course not only (Accountants, risk Managers, Managers, …). Linking the Accounting/Auditing concept of MATERIALITY with that of Objective-Centric-ness in Risk Management.

