Disclosure about Cybersecurity Incidents in Periodic Reports

Article Brief 3 of 5 From Clearwater Founder and Executive Chairman, Bob Chaput

In article 2 of 5, Bob Chaput explained the SEC’s proposed change to require that public companies file a Form 8-K within four days of a material cybersecurity event. In his third article of the series, Clearwater’s Founder and Executive Chairman explains the SEC’s recognition that companies will learn more about the severity and impact of an incident over time.

To balance the short-term notification of the Form 8-K, the SEC is proposing changes that would require registrants to “disclose any material changes, additions, or updates to information required to be disclosed pursuant to Item 1.05 of Form 8-K” in quarterly Form 10-Qs or annual Form 10-Ks for the period (the company’s fourth fiscal quarter in the case of a yearly report) in which the material change, addition, or update occurred.

What kind of changes might be included in these forms? According to the proposed rule, the following non-exclusive examples could be included:

  • Any material impact of the incident on the registrant’s operations and financial condition
  • Any potential material future impacts on the registrant’s operations and financial condition
  • Whether the registrant has remediated or is currently remediating the incident, and
  • Any changes in the registrant’s policies and procedures as a result of the cybersecurity incident and how the incident may have informed such changes.

In his article, Bob explains that the proposed changes would also require disclosure when a series of previously undisclosed, immaterial cybersecurity incidents become material in the aggregate.  

In other words, the SEC calls for organizations to consider whether a series of incidents taken together increase the severity of impact on the organization and, therefore, would be relevant for investors to know.

The big takeaway here is that periodic reporting means that cybersecurity incident disclosures are not a once-and-done matter. Best practice is to be both backward-facing and forward-looking when evaluating the impact of cybersecurity incidents on your business.

Now is the time to formalize your cybersecurity incident response plan; think about business impact analysis, incident response, and disaster recovery. These strategic initiatives drive cyber resilience so you can minimize downtime and the impact on care delivery in the event of a cyber incident.

Bob recommends that management and boards of directors ask and discuss the following regarding cybersecurity incidents in periodic reports:  

  1. Does your organization monitor the previous cybersecurity incidents to identify subsequent impacts on your operations and financial condition?
  2. Does your organization formally document risk treatment decisions and actions following each cybersecurity incident?
  3. Do your cyber incident response and reporting practices today capture and document all incidents so that you can analyze, correlate, and aggregate individual cybersecurity incidents for materiality?
  4. Are you prepared to provide regular updates regarding the previously reported incidents when and for so long as there are material changes, additions, or updates during a given reporting period?

This brief contains just some of the insights Bob Chaput shared in his original article; you should take a minute to read it in full here.


Sign up to receive our monthly newsletter featuring resources curated specifically to your concerns.

Related Blogs

With Us