Material Event Disclosure Standards


Summary

Material event disclosure standards are regulations that require public companies to quickly inform investors about significant events, such as cybersecurity breaches, that could affect the company's financial health or reputation. These standards support transparency by specifying what information must be shared, how soon after an event companies must report, and how risks are managed and overseen.

  • Understand reporting deadlines: Make sure your team knows that disclosure of a material cybersecurity incident must be made within four business days after it is determined to be material.
  • Clarify incident definitions: Review how your organization defines a material cybersecurity event to avoid confusion when deciding what needs to be reported.
  • Prepare annual disclosures: Plan to include details on your company’s cybersecurity risk management, board oversight, and management’s expertise in your annual reports as required by new regulations.
Summarized by AI based on LinkedIn member posts
  • Jonathan T. Marks, CPA, MBA

    Global Forensic, Fraud & White-Collar Investigations Specialist | Governance & Economic Damages Strategist | Fraud Risk Management & Compliance Champion | Board Advisor, Professor, Executive Trainer & Coach

    25,877 followers

    The U.S. Securities and Exchange Commission (SEC) voted on July 26, 2023, mandating public companies to promptly inform investors about significant cybersecurity breaches. They will have to report within four days of acknowledging a material cybersecurity event via Form 8-K disclosures. The regulation aims to mitigate situations where investors learn about significant cyberattacks through the media before the companies disclose them.

    The SEC has adjusted the requirements in response to comments on the proposal. For instance, if the U.S. Attorney General identifies that an immediate disclosure would present a considerable risk to national security or public safety, companies will be allowed a reasonable delay in filing a material cybersecurity breach on Form 8-K. Despite modifications, SEC Commissioners Hester Peirce and Mark Uyeda, who voted against the rules, argue that the changes still do not sufficiently address several concerns. They pointed to potential disclosures that could serve as a roadmap for malicious actors planning future attacks.

    The new rule also compels companies to disclose significant information about their cybersecurity risk management, strategy, and governance. Despite criticism, the majority of the commission contends that the benefits of the rules surpass the costs. The rules mandate companies to describe the material aspects of the breach's nature, scope, and timing, and its material impact on the company when filing Form 8-K on a significant cybersecurity incident. Companies must also explain their processes for identifying and managing material risks from cybersecurity threats and disclose the material effects or anticipated material effects of risks from cybersecurity threats and previous cybersecurity incidents.

    The Bank Policy Institute (BPI) criticizes the rule, stating that it could harm investors and amplify security risks. They noted that companies are required to notify investors even when a cybersecurity breach is ongoing, potentially exposing vulnerabilities at other companies or sectors. Nevertheless, experts emphasize that companies need to prepare for the implementation of these rules. The new regulations pose challenges, particularly in determining what constitutes "without unreasonable delay" during a materiality analysis of an ongoing cyber incident.

    The new regulations are scheduled to take effect 30 days after publication in the Federal Register, and comparable disclosures will be required of foreign private issuers. Compliance dates are set for mid-December. Smaller reporting companies have an extra 180 days to start complying for Form 8-K disclosure. All companies must tag disclosures required in the final rules using Inline eXtensible Business Reporting Language (XBRL) starting one year after initial compliance.

  • Michael McLaughlin

    Co-Leader, Cybersecurity and Data Privacy | Cyber Policy Advisor | Co-Author, Battlefield Cyber: How China and Russia are Undermining our Democracy and National Security

    16,746 followers

    Does a global cyber outage qualify as a "material cybersecurity incident"? This is the question hundreds of companies are grappling with this week. Under the SEC cyber rule, public companies are required to promptly disclose material cybersecurity incidents under Item 1.05 of Form 8-K. If the company is unsure whether the incident is material, the SEC released guidance that those incidents should be reported under Item 8.01. But what is a "material cybersecurity incident"?

    "Material": Limits the information required to be furnished to those matters about which an average prudent investor ought reasonably to be informed before purchasing a security.

    "Cybersecurity Incident": An unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.

    Late last week, CrowdStrike released a faulty driver update for its flagship Endpoint Detection and Response tool, Falcon. Drivers operate at the kernel level of a computer, a critical and highly controlled part of the system. Typically, software avoids running in the kernel to prevent system crashes that can lead to data corruption. This corruption impacted any Windows 10 machine running Falcon, roughly 9 million devices. However, since these were mainly enterprise machines, the crashes occurred at airports, banks, healthcare facilities, government agencies, and other locations, resulting in an extensively publicized outage. Over the past 5 days, CrowdStrike's stock value plunged more than 25% as a direct result of this event.

    On Monday, CrowdStrike filed a Form 8-K under Item 8.01 and not Item 1.05, indicating they had not determined this to be a "material cybersecurity incident." How could that be? The answer is in the definition. This is certainly a "material" event, as evidenced by the more than 25% drop in stock value. But is it a "cybersecurity incident"? The SEC's definition turns on an "unauthorized occurrence." While a threat actor need not be involved, the occurrence itself must be unauthorized; a fire at a datacenter, for instance, could qualify. CrowdStrike's update, though faulty, was authorized. As such, it may not fall within the ambit of the SEC rule. Erring on the side of transparency, CrowdStrike reported this incident through the most legally sufficient vehicle available: Item 8.01.

    What does this mean for CrowdStrike's public customers impacted by this event? Other companies should consider a range of factors when assessing whether this incident materially impacted them, such as:
    - Reputational harm
    - Remediation costs
    - Legal risks
    - Lost revenues
    - Insurance

    Importantly, these should also be placed in the context of a global cyber outage, e.g., what is the reputational damage to a single company amongst thousands impacted? This will be unique to each company --

  • Brian Levine

    Cybersecurity & Data Privacy Leader • Founder & Executive Director of Former Gov • Speaker • Former DOJ Cybercrime Prosecutor • NYAG Regulator • Civil Litigator • Posts reflect my own views.

    14,758 followers

    BIG NEWS! At today's open meeting of the SEC, the SEC Commissioners voted to adopt the SEC's proposed cybersecurity rules on a split three to two vote. While we have yet to see the written rules, here are my initial takeaways from today's meeting:

    1. DISCLOSURE TIMING: The SEC emphasized that the disclosure requirement would be four business days from the time that a breach is determined to be "material"--not four days from learning of the breach. The SEC recognized that the determination that an incident is "material" may take some time, in part, because the Company may lack sufficient information to make the materiality determination at the outset.

    2. DISCLOSURE CONTENT: The new rule apparently "streamlines" specifically what registrants must disclose about an incident. Now registrants would be required to disclose the material aspects of the nature, scope, and timing of the incident, as well as the incident's material impact or reasonably likely material impact.

    3. DELAYED DISCLOSURE: The SEC has implemented a new process for registrants to delay disclosure of material incidents. If the U.S. Attorney General (the AG) determines that disclosure poses a substantial risk to national security or public safety and notifies the SEC of such a determination, the AG would be able to trigger a disclosure delay for an initial period of up to 30 days, followed by a 30-day extension, and a final extension of up to 60 days. The SEC would also consider additional disclosure delays, as requested by the AG. The SEC has apparently worked with the AG to set up an interagency communication channel to support rapid extensions. While the SEC didn't mention it, this provision would give registrants an additional incentive to contact the FBI or DOJ soon after learning of an incident.

    4. MATERIALITY: The SEC seems to have softened its requirement that registrants disclose immaterial incidents that are nonetheless material in the aggregate. Now the otherwise immaterial incidents must be "related" to each other to require reporting, such as attacks by the same cyber actor, or by exploiting the same vulnerability.

    5. BOARD EXPERTISE: While the original proposal would have required registrants to identify any member of the board of directors who has cybersecurity experience and describe such expertise, the updated rules do not contain any such board expertise and disclosure requirements. Instead, the rules require disclosure of the relevant expertise of any members of management or committees that are responsible for assessing and managing registrants' material cyber risks.

    6. EFFECTIVE DATE: It sounded like most registrants would be required to file annual reports in compliance with the new rule beginning Dec 15, 2023, with certain smaller organizations filing reports beginning June 15, 2024. The new incident disclosure requirements would go into effect for material incidents occurring after December 18, 2023.

  • Ian Yip

    Founder & CEO at Avertro

    10,705 followers

    Well, it's now official. The U.S. Securities and Exchange Commission (SEC) just put out this press release. SEC registrants (any company that files documents with the SEC) must:

    1) Disclose any #cybersecurity incident they determine to be material and describe the material aspects of the incident's nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant. This is due four business days after it is determined that a cybersecurity incident is material.

    2) Describe their processes, if any, for assessing, identifying, and managing material #risks from cybersecurity threats, as well as reasonably likely material effects of risks from cybersecurity #threats and previous cybersecurity incidents.

    3) Describe the #board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats.

    The 2nd and 3rd disclosures will be required in a registrant's annual report, due beginning with fiscal years ending on or after December 15, 2023.

  • Jasen Meece

    Tech Executive | Entrepreneur | Board Member | Go-To-Market | P&L Management | Corporate Strategy

    7,653 followers

    SEC adopts disclosure requirements for cybersecurity incidents and risk management and governance... What you need to know:

    * The SEC adopted rules requiring registrants to disclose information about a material cybersecurity incident on Form 8-K within four business days of determining that the incident is material, with a delay only when the US Attorney General concludes that disclosure would pose a substantial risk to national security or public safety.

    * The rules require registrants to describe the processes they use to assess, identify and manage cybersecurity risks, as well as the board’s oversight of such risks and management’s role in assessing and managing such risks.

    * The rules apply to nearly all registrants that file periodic reports with the SEC, including smaller reporting companies and foreign private issuers.

    * Calendar-year registrants must provide the risk management, strategy and governance disclosures in their 2023 annual reports. Most registrants must comply with the incident disclosure requirements on the later of 90 days after publication in the Federal Register or 18 December 2023.

    #ey #cyberriskmanagement #cybersecurity #sec #governance

  • Rodgers Ademba

    Sustainable Finance |Impact Investing |AI & Big data |Financial & Investment Analysis |Mentorship |Views expressed are my own

    30,097 followers

    The Future of Sustainability Reporting: Master IFRS S1 and S2 Today! 🌏☘️

    The International Sustainability Standards Board (ISSB) issued its first two sustainability reporting standards on 26 June 2023: IFRS S1 and IFRS S2. These standards aim to transform sustainability reporting by providing a strong framework for businesses to disclose their environmental, social, and governance (ESG) impacts. Here's what you should know:

    🔰 Summarized:
    General Requirements for Disclosure of Sustainability-related Financial Information (IFRS S1): The core framework for the disclosure of material information about sustainability-related risks and opportunities across an entity’s value chain.
    Climate-related Disclosures (IFRS S2): The first thematic standard issued that sets out requirements for entities to disclose information about climate-related risks and opportunities.

    🌐 Detailed:

    💎 IFRS S1: General Requirements for Sustainability Disclosures. Lays the groundwork for comprehensive sustainability reporting by outlining the broad standards for sustainability-related disclosures. This standard highlights the value of transparency and consistency, ensuring that stakeholders receive clear, comparable, and reliable information. Key points:
    ✍️ Holistic Approach: Considers all sustainability-related risks and opportunities that may affect a company's financial performance.
    ✍️ Materiality: Emphasizes the sustainability information that is important to investors' decision making.
    ✍️ Integrated reporting: Combines financial and sustainability data to provide a comprehensive view of a company's performance.

    💎 IFRS S2: Climate-related Disclosures. IFRS S2 focuses on climate-related disclosures, acknowledging the urgent need for uniform reporting on climate impacts. This standard is consistent with the recommendations of the FSB Task Force on Climate-related Financial Disclosures (TCFD) and includes:
    ✍️ Risk Management: Companies must disclose how they identify, assess, and manage climate-related risks.
    ✍️ Metrics and Targets: Requires the reporting of precise metrics and targets for greenhouse gas emissions, climate resilience, and transition plans.
    ✍️ Scenario Analysis: Promotes the use of scenario analysis to better understand the potential financial consequences of climate change under various future conditions.

    🤷‍♂️ Why adopt? Companies that embrace IFRS S1 and S2 can improve their sustainability reporting, giving investors and stakeholders critical insights into their long-term value creation and resilience. These norms not only encourage more responsibility, but also help the transition to a more sustainable global economy.

    Looking forward to seeing more sustainability reports released. At PwC Kenya, we're happy to help! 💼

    #Sustainability #IFRS #ClimateChange #ESG #SustainabilityReporting #IFRSS1 #IFRSS2 #CapitalMarkets #SustainableFinance

  • Kayne McGladrey

    CISO in residence at Hyperproof | Improving GRC Maturity and Leading Private CISO Roundtables | Cybersecurity, GRC, Author, Speaker

    12,670 followers

    Those New SEC Cyber Incident Reporting Requirements

    Earlier this week, the SEC adopted its new reporting and disclosure requirements, and I've had an opportunity to think more about materiality and the ability of a company to put a price tag on an incident. The new requirement mandates companies to report any cybersecurity incident within four days of identifying its materiality. The timing here is important, as it doesn't come into effect from the occurrence of the breach but when a company's legal team classifies it as material.

    - The timeline allows for potential delays in reporting incidents, provided the company obtains written approval from the U.S. Attorney General under special circumstances related to public safety or national security.
    - A noticeable extension from the initial 48 hours proposed in March indicates potential resistance from corporations and industry groups.
    - An additional mandate requires companies to disclose how they manage cyber risks and the level of cybersecurity expertise within their boards and managers in a yearly filing. A recent report from IANS indicated a significant gap in expertise, with 90% of public companies lacking a qualified cyber expert on their board.

    While these rules introduce new challenges, particularly for smaller firms with limited resources, they are expected to become effective for U.S. companies 30 days after publication in the Federal Register. Foreign companies and smaller reporting firms receive 90 and 180 days, respectively. On a promising note, an official from Moody's Investors Service labelled this decision as credit positive. It is anticipated that increased disclosure could promote improvements in cyber controls and allow companies to compare practices. The new requirements will require continuous compliance, underscoring the need for firms to improve their approach to cyber risk management. It remains to be seen how companies will adapt to this change and the influence it will have on the overall business landscape.

    #cybersecurity #risk #regulation

  • Kennedy M.

    10-Year Fraud Fighter | Fraud SME | ACFE Advisory Volunteer | Fraud Awareness Advocate | Fraudster Hunter 🚔👮🏽♀️

    16,594 followers

    A new SEC rule requires public companies to disclose cybersecurity breaches in 4 days. 🚩

    “The SEC finalized a controversial rule on Wednesday that will require publicly traded companies to report material data breaches and other cybersecurity incidents within four days of determining that the incident was "material" — a term that may prove elusive to define.” 🕵🏽

    🔹 The rules were first proposed in March 2022, when the SEC determined that breaches of corporate networks posed an escalating risk as their digitization of operations and remote work increased, and the cost to investors from cybersecurity incidents rose.
    🔹 A recent IBM Security and Ponemon Institute report found that the average total cost of a data breach rose 2.3% from $4.35 million in 2022 to $4.45 million in 2023.

    📍 The SEC is taking cybersecurity disclosures more seriously than ever.

    🔹 Over the past 18 months, the SEC has levied an onslaught of fines against public companies for inadequate disclosures of cybersecurity issues. In the latter half of 2021, British company Pearson agreed to pay $1 million, while First American Financial agreed to a settlement of $500K.
    🔹 Then, the SEC announced the most significant fine just last week. The donor data management company, Blackbaud, agreed to pay $3 million for misleading disclosures relating to a 2020 ransomware attack that impacted almost 15,000 customers.

    Final thoughts... 💡 The latest fines, combined with the proposed amendments to the cybersecurity rule, strongly indicate that the SEC is taking cybersecurity disclosures more seriously than ever. Public organizations can’t afford to be complacent.

    #cybersecurity #fraud #bankingindustry

    IBM Security and Ponemon Institute report: https://lnkd.in/gppMtn8x

  • Jeremy Berkowitz

    Senior Director, Deputy Chief Privacy Officer @ Paul Hastings | Privacy Law, CIPP/US, CIPP/E

    4,318 followers

    Paul Hastings' recently issued report on the new SEC Cybersecurity Incident Disclosure rules continues to get coverage in the trade press:

    "Analysis by Paul Hastings LLP found cybersecurity incident reports have increased by 60% since the disclosure rule went into effect in 2023. The SEC regulation requires public companies to disclose material cybersecurity incidents within four business days of determining materiality... More than three-quarters (78%) of disclosures were made within eight days of discovery of the incident. The SEC specified that the deadline to disclose is not four business days after discovering the incident but rather when materiality has been determined, but most companies opted to act quickly. A third (32%) filed within four days of discovery. This suggests that companies are reporting quickly to avoid being fined by the SEC for delayed disclosure but too quickly because they have not yet determined the full implications of the incident. This may be why 42% of the companies wound up filing multiple reports for the same incident, each time providing more details, such as quantifiable loss, impact to customer personal data, and notification to individuals and regulators. Companies should continue to evaluate disclosure controls and engage in tabletop exercises to practice the decision-making required to make such materiality decisions in the event of a cyber incident," the report's authors said.
