“Practice the way you play” is an oft-repeated coaching line that is finding fresh meaning today as companies prepare to report material cyber incidents to the SEC. The SEC’s new rulemaking, announced in July 2023, is aimed at significantly increasing transparency into how companies manage cyber risk. One of its most discussed provisions is the requirement to file an SEC Form 8-K within four (4) business days of determining that a cyber incident is ‘material’.
Disclosing a material incident within four business days will demand that companies execute several core processes on a tight timeline, and some of those processes do not even exist yet at many companies. To help directors and officers prepare for the new SEC requirements, we offer key considerations for each of the main processes most likely to be affected by the rapid disclosure rule.
Process: Incident Response
This process defines the real-time mechanics of detecting cyber incidents and then managing remediation and the restoration of normal operations. Most companies have an IR process defined, but it is often not tested regularly, and roles are often loosely defined and shift from incident to incident.
Test the IR process once or twice per year, and include the board. Capture lessons learned and track improvements for subsequent drills.
Clearly define all key roles – especially the Incident Commander – and seek to build depth in all key roles across the organization to allow for the inevitable vacations, illnesses, and other real-world demands.
Process: Cyber Incident Materiality Determination
This process will be new for most companies, and it will require collaboration and input from across the organization, not just technology or cybersecurity.
Assign a cross-functional team to define and manage the process. Task them with defining the set of characteristics that will be considered in determining cyber incident materiality (e.g., cost to recover, potential for large-scale litigation over loss of sensitive data, potential damage to the brand, etc.). Avoid the temptation to treat this as a technology problem that IT will handle, or worse, that the CISO will handle alone. Those domains are vital but insufficient; be sure to assign senior leaders from risk, legal, and operations as well so that all perspectives are considered.
Pre-define the characteristics that will determine whether an incident is material. Do this now, and have it ready before an incident needs to be assessed. Ensure that the executive team and board directors understand and agree with the criteria before an incident occurs, and be sure to include a variety of incident severities in drills so the criteria are exercised at the margins, not just on obvious cases.
Clearly document the “crown jewels” and educate all key stakeholders. The board and executives need to understand which systems and data are vital, why they are defined this way, and the implications that result from their interruption or loss.
Process: Disclosure Management
Most companies have long-established processes and responsibilities for managing disclosures, but those processes are built for the cadence of periodic reporting. The new 8-K cyber disclosures are different: they will need to be drafted, approved, and released “in a cyber fight”, while the incident is still being worked.
Pre-define a cyber incident disclosure template with the cross-functional team, and seek to pre-approve as much of the template as possible. Not only will the pre-approval save time during an incident, the drafting and review/approval process will educate all key stakeholders before an urgent situation arises.
Study early disclosures to learn from the lessons of other companies to gauge specificity and detail, the need for subsequent releases with clarifying information, and reactions from the market and regulators.
While these are the most-impacted processes, there will be implications for a variety of other processes, and all of them will need to be coordinated and harmonized in real time. The first ‘live-fire’ incidents will undoubtedly expose weaknesses and force real-time decisions and improvisation. Proactive planning, anticipation of likely issues, learning from others, and regular drills will minimize the risk and cost of learning in the middle of an incident.
Be proactive to avoid battlefield learning and mistakes. Plan ahead, anticipate likely issues, and learn from the experiences of others.
Practice by conducting drills on a regular basis, especially in the near term while the process changes are being drafted and tested.
Disambiguate processes and roles. It is easy to adopt a default position that this is a cyber issue and the CISO will handle all of it. The key processes identified here have different requirements and different leaders; be clear from the outset how each will be run in parallel, with a clearly defined leader for each. As a starting frame of reference:
Incident Response is likely best led by the CISO or a similar alternate
Disclosure Management is likely best led by Legal
Materiality determination should likely be led by Risk, with the active participation of a pre-defined cross-functional team
Crisis Communications should be handled by Communications
Practice The Way You Play: Start Now
The SEC disclosure requirements are already being demonstrated by companies with the misfortune of suffering cyber incidents in the second half of 2023. Even before the 8-K cyber incident disclosure requirement formally took effect, MGM, Johnson Controls, and others proactively released incident disclosures.
These new disclosures require maturing existing capabilities and adopting new ones, and that will take time. It is important that directors and officers get ahead of this and be ready for when their organization has an incident: it is a matter of when, not if. Start now.