Disclosure about Cybersecurity Incidents in Periodic Reports

Article Brief 3 of 5 From Clearwater Founder and Executive Chairman, Bob Chaput

In article 2 of 5, Bob Chaput explained the SEC’s proposed change to require that public companies file a Form 8-K within four days of a material cybersecurity event. In his third article of the series, Clearwater’s Founder and Executive Chairman explains the SEC’s recognition that companies will learn more about the severity and impact of an incident over time.

To balance the short-term notification of the Form 8-K, the SEC is proposing changes that would require registrants to “disclose any material changes, additions, or updates to information required to be disclosed pursuant to Item 1.05 of Form 8-K” in quarterly Form 10-Qs or annual Form 10-Ks for the period (the company’s fourth fiscal quarter in the case of a yearly report) in which the material change, addition, or update occurred.

What kind of changes might be included in these forms? According to the proposed rule, the following non-exclusive examples could be included:

  • Any material impact of the incident on the registrant’s operations and financial condition
  • Any potential material future impacts on the registrant’s operations and financial condition
  • Whether the registrant has remediated or is currently remediating the incident, and
  • Any changes in the registrant’s policies and procedures as a result of the cybersecurity incident and how the incident may have informed such changes.

In his article, Bob explains that the proposed changes would also require disclosure when a series of previously undisclosed, immaterial cybersecurity incidents becomes material in the aggregate.

In other words, the SEC calls for organizations to consider whether a series of incidents, taken together, increases the severity of the impact on the organization and would therefore be relevant for investors to know.

The big takeaway here is that periodic reporting means that cybersecurity incident disclosures are not a once-and-done matter. Best practice is to be both backward-facing and forward-looking when evaluating the impact of cybersecurity incidents on your business.

Now is the time to formalize your cybersecurity incident response plan; think about business impact analysis, incident response, and disaster recovery. These strategic initiatives drive cyber resilience so you can minimize downtime and the impact on care delivery in the event of a cyber incident.

Bob recommends that management and boards of directors ask and discuss the following regarding cybersecurity incidents in periodic reports:

  1. Does your organization monitor previous cybersecurity incidents to identify subsequent impacts on your operations and financial condition?
  2. Does your organization formally document risk treatment decisions and actions following each cybersecurity incident?
  3. Do your cyber incident response and reporting practices today capture and document all incidents so that you can analyze, correlate, and aggregate individual cybersecurity incidents for materiality?
  4. Are you prepared to provide regular updates regarding the previously reported incidents when and for so long as there are material changes, additions, or updates during a given reporting period?

This brief contains just some of the insights Bob Chaput shared in his original article; you should take a minute to read it in full here.
