SEC cybersecurity rule draws mixed reactions

The passage of new cybersecurity regulations by the Securities and Exchange Commission this week has drawn a wide range of reactions, both positive and negative. 

In general, the rule will mandate that entities that experience a cybersecurity incident determine whether it will have a material impact on them, and if it will, they must then fill out the new Item 1.05 on their Form 8-K within four days. The entity will need to describe the material aspects of the nature, scope and timing of the incident, as well as the material impact or reasonably likely material impact of the incident on the registrant, including its financial condition and results of operations.

Timothy Brown, a KPMG audit partner, felt positively about the rule's passage, saying it will promote transparency and stakeholder trust. 

"Under the new regulations, cybersecurity incident disclosures will be more prominent and expansive. Registrants will have to provide consistent and informative disclosures about their cybersecurity risk management policies and procedures, providing greater transparency for investors, customers, and other stakeholders," said Brown in an email.

Kyle Kappel, KPMG's practice leader for cybersecurity services, added that the new rule speaks to the growing responsibility of senior executives to protect against cyber threats, one that can no longer be ignored.

"With the SEC poised to finalize cyber reporting rules, senior executives have a growing responsibility to understand their company's strategy and programs for protecting against cyber threats. An organization's ability to comply with these new regulations is critical to maintaining transparency and stakeholder trust in today's volatile world. Our cyber professionals have been working with organizations across every industry to help them enhance their existing cyber strategies, governance structures, and cyber risk management practices — all in advance of setting up an operating model that ensures regulatory compliance and operational resilience," he said in an email.

In terms of what this means for companies, Amy Matsuo, who leads KPMG's regulatory insights and compliance transformation area, said that entities will need to pay much more attention to their cybersecurity practices now, and fast. 

"The SEC cybersecurity disclosure rules, together with other proposed SEC cyber rules, focus on cyber hygiene, incident reporting and resilience, and try to take into account the interaction with investor and consumer protection, as well as national security. Organizations need to rapidly enhance their cyber risk management and governance," she said in an email.

Craig Burland, chief information security officer for cybersecurity solutions provider Inversion6, on the other hand, was less than enthused about the new rule. He said the new regulations raise expectations on public companies to a burdensome level, especially given what he said is a lack of specificity on what counts as an incident and whether or not it was material, which he said was a subjective determination. 

"The SEC continues to ramp up expectations for publicly traded companies. The four-day disclosure, however, is not the kicker here. Companies have two subjective decisions before being forced to disclose. First, they have to determine the cyber event was an incident — data was lost, business was disrupted, etc. Finding sufficient evidence to prove loss takes time. Second, the impact has to be material. For large corporations, this is a high bar that very few incidents would eclipse," he said in an email. 

He also expressed concern that another requirement — that companies annually disclose material information regarding their cybersecurity risk management, strategy, and governance — puts companies at risk for a cyber attack. He noted many do not really have a strategy or governance structure, and this is not something a company should necessarily advertise. 

"Implicit in this decision is that companies have a cybersecurity risk strategy and perform cyber governance. All too often, that's not the case. A requirement to publicly disclose the practiced level of cyber-competence will open eyes and raise eyebrows across the country," he added. 

Lou Steinberg, founder of cyber incubator and research lab CTM Insights, and former chief technology officer with TD Ameritrade, was a little more sanguine about the four-day rule.

"Much has been made about the short time to report incidents under this new rule. It's true that the rapid reporting times can create a 'fog of war' issue; companies often don't know enough detail at the start of an incident to thoughtfully report on what happened and what the impact will be. What's often missed is that the reporting requirement starts after a company has determined that the incident is material. Until you know enough to make an impact materiality assessment, the clock hasn't started," he said in an email. 

He did concede, though, that making this materiality assessment does require management expertise in cybersecurity, and by extension expertise on the board to effectively govern cyber risk. Without that expertise, companies will be hard pressed to make a determination of materiality.

Meanwhile, Steve Soter, vice president at audit and risk management platform Workiva, said that the final rule is less stringent than the original proposal, but significantly raises the stakes for how companies assess materiality of non-financial information, such as cyber threats. As the SEC was already scrutinizing this area, he expressed concern that the rule will only add to such scrutiny. 

"The rule doesn't specify the timeframe to determine whether a cybersecurity incident is material, but it has to be 'without unreasonable delay.' A potential implication is the SEC scrutinizing the timing of when an incident occurred and when it was ultimately disclosed. That will make the timing and documentation of how companies assess materiality incredibly important. SEC registrants will need to closely coordinate such analyses with their financial reporting, legal, IT, and risk teams," he said in an email.

He added that the requirement to disclose incidents involving not only a company's own technology but also the systems it uses, such as those of third-party vendors, adds another factor for companies to consider in their procurement processes.
