How Should an Organization Respond to a Cybersecurity Incident?
Once a security breach has been identified, companies should respond quickly to secure the impacted systems and fix any vulnerabilities, while confirming that no other attacks are in progress and no further exploitable vulnerabilities remain.
The Federal Trade Commission (FTC) outlines the steps companies should take to respond to an incident in its online guide.
Once an incident has been deemed material, it must be reported within four days. The front-line IT team, officers, directors, and anyone else aware of a cybersecurity incident should report it prior to the offer and sale of securities.
This is to help those trading around the time the incident was discovered avoid an insider trading charge.
Who Should Be Told?
The front-line IT team should inform people in senior management responsible for deciding whether to make a public disclosure.
This could include members of the board and audit committee, the CEO, CFO, Chief Information Officer (CIO), and Chief Information Security Officer (CISO).
What Should Be Included in an SEC Cybersecurity Incident Disclosure?
Management should evaluate the significance associated with cyber-risks and incidents in their disclosures.
Cybersecurity disclosures should describe the following:
- The company’s judgements about materiality
- What senior management and the board knew and when they knew it
- How materiality was assessed in light of relevant facts
- Circumstances of the incident(s), including prior breaches
What Are Standard Practices for Keeping Accurate Cybersecurity Disclosure Controls and Procedures?
Do your organization’s policies, procedures, and controls give senior management the information they need to assess materiality and disclosure implications, including remediation?
The SEC recommends that companies annually assess compliance with cybersecurity disclosure controls as part of the SOX 404(a) assessment.
Management should consider the following best practices:
- Assess whether your IT general controls (ITGC) address the risk of failure to make necessary changes to programs or systems
- Ensure that relevant information about cybersecurity risks is processed and reported up the corporate ladder so senior management can make disclosure decisions and certifications
- Confirm that your IT risk assessment identifies cybersecurity risks and inventories the company’s sensitive data
- Describe the board’s oversight role with respect to cybersecurity risk management and assess its cyber expertise
- Annually train the front-line IT team to understand materiality and communicate with the CEO, CFO, and board to avoid insider trading issues and inaccurate disclosures
SEC Final Rules
New Item 1.05 of Form 8-K
Registrants will be required to disclose on this item any cybersecurity incident they determine to be material and to describe the material aspects of the incident's nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant.
An Item 1.05 Form 8-K will generally be due four business days after a registrant determines that a cybersecurity incident is material.
The disclosure may be delayed if the US Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the Commission of that determination in writing.
New Regulation S-K Item 106
This will require registrants to describe annually any processes for assessing, identifying, and managing material risks from cybersecurity threats, as well as the material effects or reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents.
Item 106 will also require registrants to describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats. These disclosures will be required in a registrant's annual report on Form 10-K.
Applicability to Foreign Private Issuers
The rules require comparable disclosures by FPIs on Form 6-K for material cybersecurity incidents and on Form 20-F for cybersecurity risk management, strategy, and governance.
Effective Dates
The final rules will become effective September 5, 2023. The Form 10-K and Form 20-F disclosures will be due beginning with annual reports for fiscal years ending on or after December 15, 2023. The Form 8-K and Form 6-K disclosure requirements will be applicable beginning December 18, 2023. Smaller reporting companies will have an additional 180 days, until June 15, 2024, before they must begin providing the Form 8-K disclosure.
The Role of an Internal or External Auditor
The auditor focuses on the IT risks impacting financial reporting. They assess the design and operating effectiveness of the ITGCs to ensure the effective operation of automated controls and the completeness and accuracy of key reports or information provided by the entity (IPE).
A cybersecurity incident could happen without being identified or disclosed to the audit engagement team. The auditor should assess the nature and extent of the breach, including what was stolen, altered, or destroyed. The auditor should consider the effect of the breach on the company’s operations, and potential financial implications.
The auditor should assess whether the incident resulted from a deficiency in internal controls over financial reporting (ICFR), such as excessive user access, deficient change management controls, or an unpatched system, and whether remediation of any control breakdown has taken place.
The auditor should revise the risk assessment and document the relevant considerations of the cybersecurity incident on the audit.
The auditor should discuss with management and the audit committee the nature and type of disclosures the company is considering in its financial statements or notes to those statements. The auditor should also ensure the audit committee was adequately informed as soon as practical.
We’re Here to Help
For guidance on cybersecurity disclosure controls and procedures or SEC cybersecurity requirements, contact your Moss Adams professional.