A lot of content about the recent SEC rules around cyber security and cyber incidents is missing the mark, imo.
Companies already had the requirement to report any unscheduled material event, including cyber incidents that had a material impact, on an 8K report. Clorox would have been required to report the recent cyber incident that affected production because it had a material effect on revenue and profit.
An Item 1.05 Form 8K must be filed within four business days of determining an incident was material.
Guess how long public companies have to file an 8K after an unscheduled event is determined to be material? Yes, four days. And not four days after the incident occurred. Four days after the event is determined to be material.
The only “new” part of this is the specification of what details, at a minimum, must be disclosed, such as when the attack was discovered and whether any data was stolen, altered or accessed.
If you have read any quarterly (10Q) or annual (10K) SEC reports you will find them chock full of generic warnings of all the things that could go wrong. A careful reading can sometimes uncover a gem, and usually the lawyers will coalesce around some language that conveys a warning of a category of risk accepted by the SEC.
I expect we will see boilerplate develop over the next two years around the possibility, even with the existing risk management and cybersecurity programs, of a cyber incident having a material impact.
Mr and Ms Shareholder, and regulating agency, we warned you that a cyber incident could affect production, damage equipment, affect product quality and cause other detrimental impact.
In most cases there will be little knowledge gained by reading the text on whether a possible future cyber incident is “reasonably likely to materially affect their business strategy, results of operation, or financial condition”. Companies will be highly incentivized to write that it is possible, because the downside of including it is minor and the downside of not including it could be large.
There will likely be some SEC actions and fines until the boilerplate that warns of the possibility of a material cyber incident is developed.
The most consequential impact of the new SEC rules related to cyber risk is the requirement to describe the company’s process “for the assessment, identification, and management of material risk from cyber threats,” along with the board’s and management’s involvement in cyber risk management.
This also is highly likely to coalesce into lawyer-generated text. The reason this boilerplate may be of value is that it could include a standard or guideline set of security controls and a related risk management process. If such a standard is listed, there would be compliance risk on top of the cyber risk for not doing a credible job of following the referenced standard or guideline.
Based on past regulatory-risk situations in banking and elsewhere, a very broadly written standard or guideline is preferred by companies because it offers a shorter list of ways to fail from a regulatory risk standpoint.
While my analysis finds the impact of the SEC rules to be a lot less than many breathless security authors are making it out to be, it is a good move by the SEC. It will likely have some second-order effects on cyber insurance.