SEC cyber rules send execs scrambling as deadlines near

By Alexei Alexis for CFODive.com

• A little more than half of public company executives responding to a Deloitte poll said their organizations were already preparing to comply with Securities and Exchange Commission cybersecurity rules before they were finalized over the summer, leaving a sizeable gap as mandatory deadlines now fast approach.

• Fifty-three percent of respondents said their organizations had been planning for and anticipating the SEC regulations, which include a requirement that public companies disclose “material cybersecurity incidents” beginning Dec. 18. About one-quarter (26.1%) of the companies were not prepared for compliance, and 20.9% fell into the category of “don’t know” or “not applicable,” according to the survey results, which were highlighted in a recent press release.

• “I think once [the deadlines] get closer, you’re going to see a pretty sharp jump in terms of firms that are ready,” Daniel Soo, a principal in the cyber risk services infrastructure practice of Deloitte Risk & Financial Advisory, said in an interview. “But I think there’s this difficult part right now where companies are still trying to figure out this component of materiality.”

Cybersecurity has emerged as a top challenge for corporate executives across sectors, as the cost of cyberattacks and associated regulatory risks have surged.

The number of mentions of the words “cyber risk,” “cybersecurity” and “cyberattacks” by CEOs of large public companies jumped sixfold from 2017 to 2022, according to an Accenture study.

The SEC in March reached a $3 million settlement with software firm Blackbaud resolving charges that it made misleading disclosures about the scope of a 2020 ransomware investigation.

In late June, SolarWinds disclosed that its CFO and chief information security officer might be facing a civil enforcement action from the SEC over possible violations related to a 2020 cyberattack targeting the company’s Orion IT management platform.

Under the new SEC rules, public companies must disclose “material cybersecurity incidents” to the SEC on form 8-K within four days of determining that such a breach has occurred. In addition, they must annually describe on form 10-K their board of directors’ oversight of cybersecurity risks.

While the rules went into effect in September, the SEC has set compliance dates that are scheduled to come later. All covered entities other than smaller reporting businesses are required to comply with the new breach disclosure requirements starting on Dec. 18. Smaller reporting companies will be subject to these mandates as of June 5 of next year.

All companies must comply with the Form 10-K requirements beginning with annual reports for fiscal years ending on or after Dec. 15.

The commission adopted final rules in late July on a party-line 3-2 vote, after accepting public comments on a proposed package in 2022.

The four-day deadline for disclosing “material” cybersecurity incidents has been one of the most controversial aspects of the new rules.

“As written, the materiality of an incident can be broadly interpreted, a tactic that the SEC has taken in other rulemakings, and when combined with the requirement that a company must consider what is material to a reasonable investor, the SEC is lowering the bar of what is material,” House Homeland Security Committee Chairman Mark Green (R-Tenn.) and two other Republican lawmakers said in a Sept. 1 letter to SEC Chair Gary Gensler.

One of the trickiest parts of preparing for the rules is deciding how materiality determinations will be made and which stakeholders will be involved, according to Soo. 

“There’s a lot of stakeholders involved with” the process, he said, adding that CFOs in particular play a “pretty significant role” in areas such as defining what materiality means for the business as well as breach reporting.

Deloitte surveyed more than 1,300 C-suite and other executives from publicly traded organizations during a webcast on Aug. 22.