The cybersecurity panel at the Conference on Monday afternoon noted that as the use of digital technology expands, the ‘attack surface’ also increases. The panel discussed several governance issues and best practices companies should consider to address the risks associated with the widening attack surface.
These issues are particularly relevant today, given the following statistics from the KPMG 2022 CEO Outlook:
- 44% of US CEOs said their organizations are underprepared for a potential cyber attack; and
- 81% said that geopolitical uncertainty is raising concerns for a cyber attack in their organization.
Read more on these risks here.
“The increasing threat of cyber attacks can result in substantial risks to companies and their internal control over financial reporting. The SEC’s proposed rule on cybersecurity disclosures reflects the importance of providing investors an understanding of how companies are managing that risk and timely and transparent disclosures of cyber attacks.”
— Rob Werling, KPMG Partner
Disclosure, disclosure, disclosure
In keeping with the SEC’s theme of investor-focused disclosure of decision-useful information, the panel discussed disclosure issues around cybersecurity. At issue is not only disclosure of cyber attacks, but also disclosure of policies and procedures to identify and manage cybersecurity risks. They focused on disclosures that enable investors to ‘price for risk’ by having adequate information to make informed investing decisions.
Disclosure of cyber attacks
Panelists mentioned the historically low number of disclosures regarding cyber attacks, and suggested this may be due to how registrants apply materiality to cyber attacks.
In this regard, David Hirsch (SEC Enforcement Division) reminded the audience that materiality is based on both a quantitative and qualitative assessment. From a qualitative perspective, the SEC would expect registrants to look at the importance of events that might be considered quantitatively immaterial. He used the example of the hacking of the CEO’s computer potentially meeting the materiality threshold from a qualitative perspective even though it was the only company computer hacked.
Disclosure of material events – like a cyber attack – is required under current SEC rules, but the SEC’s proposed cybersecurity disclosure rule would introduce disclosure requirements specific to cyber attacks. In particular, it would require disclosing a material attack on a Form 8-K within four days of determining the attack was material. Read more about the SEC’s proposal here.
Hirsch also noted that the enhanced rulemaking and the use of enforcement where appropriate reflects the SEC’s perspective that registrants should craft disclosures that balance investors’ need for information with the registrant’s need to protect itself from further cyber vulnerabilities.
Disclosure of cybersecurity policies and procedures
A key component of the SEC’s proposed cybersecurity disclosure rule is the disclosure of a registrant’s policies and procedures regarding cybersecurity. Although the panel did not spend time discussing these particular proposals, it did discuss many of the hallmarks of strong cybersecurity risk policies and procedures.
Pete Cordero (cybersecurity consultant) provided several suggestions on how registrants – and other companies – can better protect themselves from cyber attacks and be better prepared if such attacks should occur. Some highlights were:
- obtain cyber expertise at the board or upper management level;
- trust but verify the information reported by the Chief Information Officer function and by third-party cyber service providers;
- routinely review the company’s cybersecurity function;
- provide cyber awareness training to leaders in the company;
- ensure that cyber professionals are receiving continuing education; and
- consider engaging an external auditor to perform a SOC for Cybersecurity engagement.
Expect cybersecurity to continue to be discussed by the SEC because cybersecurity is a critical component of every company’s risk management program. In fact, Cordero noted that the average cost of a cyber attack is $9.5 million, with some attacks costing companies billions of dollars. Hirsch concluded that investors need to be kept apprised of these risks.