Publicly traded US companies must report cyber attacks within four days
by Pushpendra Mehta, Executive Writer, CTMfile
“Fifty percent of treasury professionals report that cybersecurity risk (ransomware, phishing, etc.) is currently the most challenging risk to manage”, according to the 2023 Association for Financial Professionals (AFP) Risk Survey Report, supported by Marsh McLennan.
Source: 2023 AFP® Risk Survey Report
US and Canadian organizations face greater cybersecurity risks than global counterparts
Driving this view are the 58 percent of treasury respondents from the US and Canada who hold it, a finding consistent with the 2023 Verizon Data Breach Investigations Report (DBIR), which found organisations in these countries were “Subject to cyber risk more so than those in any other country/ region”.
Given the surge of cyberattacks in the US, and to bolster cybersecurity transparency at public companies, including protecting investors from the downside risk and harm that a data breach can cause to such companies, Wall Street’s top regulator, the Securities and Exchange Commission (SEC), has recently adopted new rules for enhanced and standardised disclosure regarding cybersecurity risk management, strategy, and governance.
SEC’s new cybersecurity disclosure rules: important aspects
The SEC’s new set of rules requires registrants, which include US publicly traded companies and foreign private issuers, to disclose cybersecurity incidents they experience within four business days of determining that a cybersecurity incident is material. Registrants must also disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance.
The SEC deems a cybersecurity incident as material if it is likely to have a significant impact on the company’s business operations, financial position, reputation, or relationship with its customers.
“Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors,” said SEC Chair Gary Gensler.
“Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them”, observed Gensler.
To that end, the new rules require registrants to disclose on “new Item 1.05 of Form 8-K any cybersecurity incident they determine to be material and to describe the material aspects of the incident's nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant”, the SEC noted in a press release announcing the new rules.
Additionally, companies are required to describe their processes for assessing, identifying, and managing material risks stemming from cybersecurity threats. This disclosure will also encompass the material effects or reasonably likely material effects of risks from such cybersecurity threats, as well as previous cybersecurity attack and data breach incidents.
Furthermore, the SEC press release stated that “Registrants are mandated to describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats. These disclosures will be required in a registrant's annual report on Form 10-K.”
The SEC has ensured that the new rules are not limited to US companies. Foreign private issuers are required to make comparable disclosures on Form 6-K for material cybersecurity incidents and on Form 20-F for cybersecurity risk management, strategy, and governance.
The new disclosure requirements come into effect in mid-December this year. According to the SEC, “The Form 10-K and Form 20-F disclosures will be due beginning with annual reports for fiscal years ending on or after December 15, 2023. The Form 8-K and Form 6-K disclosures will be due beginning the later of 90 days after the date of publication in the Federal Register or December 18, 2023. Smaller reporting companies will have an additional 180 days before they must begin providing the Form 8-K disclosure.”
Treasury should play a vital role in determining which cybersecurity incidents are possibly material.
The new rules on cyber risk management and incident disclosure mark a dramatic shift towards greater accountability for an organization’s cyber risk management activities, placing the onus on companies to provide investors with consistent and timely information about how they manage their cyber threats.
To help companies ensure effective compliance, increased and efficient coordination among a range of senior decision-making executives will be critical in addressing the complex materiality questions the rules raise. These executives include treasurers, CFOs, CISOs, CTOs, CIOs, CEOs, general counsels, and board members.
Given the payment-centric nature of corporate cyber fraud, and the treasurer’s role as the superintendent of payment security, it is crucial that treasury plays a vital role in helping the enterprise reach strategic business decisions about which cybersecurity incidents are possibly material. Treasurers should also take the lead in educating interdepartmental staff on payments security and fraud prevention.
In conclusion, the SEC’s new cybersecurity risk management, strategy, governance, and incident disclosure rules signify a fundamental change in how cybersecurity breaches are reported. These rules are also expected to close the gaps in cybersecurity defence and disclosure practices and to provide investors with more decision-useful information about the cybersecurity risks associated with publicly listed US companies.