Cybersecurity

CFOs take backseat to CISOs on SEC cyber rules

Dive Brief:

  • Corporate finance chiefs play a less active role compared with information technology leaders when it comes to key aspects of complying with new cybersecurity rules from the Securities and Exchange Commission, according to a recent survey by AuditBoard, a cloud-based risk management company.

  • Among other provisions, the rules require a public company to disclose a material cybersecurity incident to the SEC within four days of determining that it is a material breach. The AuditBoard study found that 75% of chief information security officers are involved in the SEC’s cybersecurity breach disclosure process, compared with 45% of CFOs.

  • “If you’re making decisions about materiality without incorporating the perspective or the viewpoint of the CFO’s office, the likelihood of mistakes goes up,” Richard Marcus, head of information security at AuditBoard, said in an interview.

Dive Insight:

Under the SEC rules, companies must determine the materiality of an incident “without unreasonable delay following discovery and, if the incident is determined material, file an Item 1.05 Form 8-K generally within four business days of such determination.”

The disclosure must describe the material aspects of the nature, scope and timing of the incident, as well as its “material impact or reasonably likely material impact,” including from a financial perspective.

“The CISO may look at a security event from the perspective of the risk that it presents to the organization, but since they’re not really responsible for profit and loss generally, asking them to make a determination around the financial impact of an incident is going to be sort of one-sided,” Marcus said. “So, the CFO’s office can kind of help counterbalance that call.”

AuditBoard’s research reveals that many public companies continue to wrestle with how to comply with the SEC rules, amid warnings from agency watchers that aggressive enforcement could be on the horizon.

One-third of public companies are still in the preliminary stages of implementing the rules, according to the report. And while the vast majority of respondents — 4 in 5 — expect the rules to have a significant impact on their business, only half said they felt highly confident in their compliance readiness.

“For a lot of organizations, including large ones, this has been a bit of a sea change,” Scott Kimpel, a partner at Hunton Andrews Kurth, said in an interview. “I think what’s challenging is that you’re having to bridge a number of different areas within an organization. Cybersecurity personnel aren’t used to making SEC disclosures. On the flip side, financial reporting personnel aren’t typically information security experts.”

Besides the breach reporting mandates, the rules require companies to annually describe on Form 10-K their board of directors’ oversight of cybersecurity risks.

While the rules went into effect in September, enforcement didn’t begin immediately.

As of Dec. 18, all covered entities other than smaller reporting businesses were required to comply with the new breach disclosure mandates. Smaller reporting companies will be subject to them as of June 5. All companies must comply with these requirements beginning with annual reports for fiscal years ending on or after Dec. 15.

Already, major companies have made incident disclosures with the SEC since the agency began enforcing the rule, including Microsoft, Hewlett Packard Enterprise, UnitedHealth Group and Prudential Financial.

The rules, which build on prior agency guidance, substantially raise the stakes for public companies and their executives, including CFOs, analysts say.

The SEC last October sued Austin, Texas-based software provider SolarWinds and its chief information security officer, Timothy Brown, for allegedly defrauding investors by mischaracterizing cybersecurity practices that were in place at the company leading up to a major breach discovered in December 2020. The company has denied the charges.

“This is definitely an area where executives need to pay attention,” Kimpel said. “It’s not just limited to the CISO.”