Real Talk on the SEC Cybersecurity Disclosure Rule

Key Takeaways

In this bonus episode of Off the Books, Catherine and Steve host Alan Wilson of the law firm WilmerHale to think through how companies will comply with the SEC’s final rule on cybersecurity disclosures.

Show notes:

• Read Steve’s summary of the cybersecurity rule adopted by the U.S. Securities and Exchange Commission

• To meet and talk to other SEC filers about how they’re complying with new rules, register to join the SEC Professionals Group (it’s free!)

Steve: Hello, and welcome to Off the Books, where we surf the uncharted waters of accounting, finance, risk, and wherever else the waves take us. This episode is brought to you by Workiva, the one platform that helps you create integrated reports of financial and ESG data that's ready for third-party assurance. So assured integrated reporting—it's a thing. My name is Steve Soter, accounting enthusiast and Diet Coke aficionado. I'm looking forward to debiting a terrific conversation, and I'm so happy to have you with us. I'm also very happy to have Catherine Tsai joining me in this bonus episode. Catherine, could you please tell everyone about yourself?

Catherine: Sure. I'm not an accountant or Diet Coke aficionado, but I like venti soy chais and asking questions. So I'm here to do more of that. And one topic that might have raised some questions for our listeners is the new SEC cybersecurity disclosure rule.

Steve: Absolutely. We thought we'd phone a friend who has visited the podcast before, so we are very excited to be talking to Alan Wilson, counsel at WilmerHale.

Alan: Pleasure to be back with everybody. It's good to see some familiar faces to chat with you again today about the cyber rules.

Steve: Well, I'm wondering, Alan, maybe to get us started, what's your brief summary of what the SEC passed?

Alan: Yeah. So these are new cybersecurity disclosure rules, which really have two elements. One is incident reporting on current reports on Form 8-K and 6-K, and then annual reports in Form 10-K that go to governance and oversight of cybersecurity-related risks. The incident reporting, of course, is on 8-K, due within four business days of the company's determination that it has suffered a material cyber incident. And then the annual reporting goes to the broader constructs around how these things are overseen. So it really is giving investors and the public more information about cybersecurity than is currently required under the current disclosure framework.

Catherine: And the SEC didn't really specify a timeframe for when companies need to determine whether a breach is material or not, other than to say you have to do it without "unreasonable delay." So in your mind, what's unreasonable?

Alan: Yes. So the unreasonable delay is interesting. And the adopting a release actually includes some interesting language that helps. And really, as you think about it from the start, what we're talking about here is companies need to be taking what the release refers to as an informed and deliberative process to make these materiality determinations. So in response to comment that the SEC had changed the initial standard, which would have been as promptly as practicable or some other similar phrase, so the SEC is recognizing that it is an informed and deliberative process that companies undertake and recognizes as well that it should not be rushed prematurely.

Interestingly, there are a few examples, though, where the SEC illustrated what might be an unreasonable delay. And that, some of the context involved—the first example was whether the breach involved the company's "crown jewels," and in that instance, the SEC was suggesting that it would be unreasonable for a company to insist that it had full insight into the entire panoply of information available if in fact it clearly affected the crown jewels, suggesting that you couldn't unreasonably delay in that instance. Admittedly, they's still gray into what that means. What's the timing? How many days is that? What level of detail is enough to make the determination? But clearly there is some assessment involved as it relates to the actual elements that are affected by the cyber breach. Recognizing, too, that part of that is an iterative process, right? When a breach first occurs, oftentimes the root cause analysis is required to figure out the breadth of the breach. So there's still a bit of flexibility of the standard.

The other one that the SEC cited, which is interesting is, as it relates to the incident response plans and policies that companies have in place, noting that it would be unreasonable for companies to amend those policies to extend their ordinary existing cybersecurity response times. So some thought will need to go into what that looks like from an existing plan or new plan that's being put in place.

And then last, as it relates to whether the determination involves board input, and the SEC in that instance had noted that intentionally deferring the committee's meeting on the materiality determination past the normal time it would take to convene the members of the board to make such a determination would constitute an unreasonable delay. So there are some illustrative guiderails that the SEC has provided, and it's worth exploring those in greater detail if a company is in such a circumstance. But indeed there's still facts and circumstances to be assessed in each and every situation, which will make them all differing across the board.

Steve: So if I could maybe paraphrase those a little bit with respect to the crown jewel, the first one. Some breaches are so big, so large, so important that really no materiality analysis is necessary in that you're going to know very, very quickly that this was material, even if some of the finer points were not understood. The second would be, hey, you shouldn't be amending policies or anything that you would normally do as a result of this breach to try to change or delay the normal process. And the third, you certainly don't want to delay any meetings, particularly with the board, again, to try to buy yourself just a little more time for this analysis. I realize that was probably a gross paraphrasing there, Alan, but is that the gist of the illustration?

Alan: Exactly. Yep. Correct.

Steve: Gotcha. And it's interesting because, you know, one of the things that I think about is this is another example of what begins at least as a non-financial input now having to go through the framework of a materiality assessment. And I don't want to geek out too much for our audience, but if you're talking just dollars and cents when it comes to SEC disclosure, there's a pretty well understood recognized framework for determining if something is material quantitatively and qualitatively. The SEC has a bulleted long-cited SAB 99 that you know that accountants like to use. But now if we're talking about breaches, cyber breaches, other than we've lost revenue or we have liability to our customers or whomever you know the data belong to—outside of that, to me I start to think about, well companies sure already have processes to consider whether human capital factors are material or climate risk, and those are under existing SEC rules. So, to me, it's like you should already have that framework. But to be totally candid, Alan, I'm not sure many companies do, and this feels like another example of where accountants are having to get into a materiality analysis that's going to take a much broader group of people in order to make that determination, including folks like yourself, you know? Securities counsel.

Alan: Yeah, no, I think that that's right. You know, the standard is anchored in the traditional securities law definition of materiality, which is what underlies many of the SEC disclosure rules, and that is whether the incident is material, if there is a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision or if it would have significantly altered the total mix of information made available. That's the construct through which you analyze the materiality determinations in this respect and in many others in the securities law. So companies are indeed familiar with that.

You're right that cyber is certainly challenging because the facts and circumstances are difficult depending upon the nature of the breach, the evolution of cyber threats that companies face, and the way that they might manifest over time. And so there is a bit of an evolution in terms of how that gets considered from a disclosure perspective. It's worth noting—you obviously cited SAB 99, which I as a recovering accountant am certainly comfortable with, and I think many are—but as a reminder, materiality considers both quantitative and qualitative factors, which indeed SAB 99 makes clear. So here you certainly do look at the dollars and cents, but it's also important that you consider the breadth of other qualitative impacts on the company. Thinking about crown jewel, right? You know, even if the initial dollar threshold might be small and the investigation hasn't yet commenced, you're talking about the most valuable assets of a company. And so indeed that by its nature might be material. It again depends on facts and circumstances. And that is indeed the challenge with these is making those determinations in real time.

The one interesting point, of course, is, you know, in this adopting release, there's discussion about, you know, doubts about the critical nature of the relevant information that's provided. And the SEC gives some credence to that being, you know, a factor of consideration, noting, of course, that in the SEC's view those should be resolved in favor of those who the statute is designed to protect, which is the investors. So there is a question on how you apply that. It's an interesting statement, and I think it's a point that you'll see further analysis and thought coming out of the legal interpretations going forward as to how this actually gets applied. But it is indeed probably an evolving complex and it will involve, most notably, the disclosure committee of most companies that will be tasked with, I think, initially figuring out how to operationalize this from an entity control perspective and making those determinations.

Commercial: Amplify is the conference for accounting, finance, ESG, audit, and risk professionals. Join us in Nashville, September 19-21 for workshops, keynotes, and the entertainment Music City's known for. Register at workiva.com/amplify.

Catherine: Well, it sounds like the SEC isn't really wanting you to sit around twiddling your thumbs if you have an incident in determining whether it's material or not. How do you prove that you were acting on this in a timely manner?

Alan: Yeah, I think that will indeed be the challenge. You certainly don't want facts or documentation that suggests that you purposely delayed. So emails that say "let's hold off the meeting because we don't want to disclose" is certainly not something you want to have in the documented record. There could be very well good reasons to wait to have meetings and delay, so don't misunderstand. I think, again, each of these scenarios will be analyzed in their given context, given the facts, and really applying the business judgment of the company in terms of gathering sufficient information to make an informed decision. For purposes of disclosure, balancing the various interests, which is premature disclosure that might not be informed, making the appropriate materiality determinations, and then really considering the relevant inputs that need to be considered in what is really a challenging circumstance. Anybody that's lived through a cybersecurity incident knows well that it is indeed a fire drill type situation, and it's one of the areas where you do the best you can with the information you have, and you continue to learn as much as possible. And I think that there's a degree of deference that should be applied to companies and will be indeed as they look at these types of scenarios.

Obviously, you know, obviously for the accountants it brings about questions about controls, and controls are indeed important. You'll want to make sure that those are being considered in terms of their operations and making sure that they capture appropriate cybersecurity disclosure requirements, which are now added to 8-K. So you do have a new reporting obligation to build into the control framework and to think about. And ensuring that those are in place are, I think, critical to ensuring that at least you've taken initial steps to make sure you're satisfying your disclosure obligations.

Steve: I think one thing that is going to be extremely important and aligned with everything that you just shared, Alan, is the importance of contemporaneous documentation. And for our audience, when you're undergoing a significant transaction or there's a new type of business operation or something where you may have to apply new accounting—we can say that generally, new accounting—often your auditors and in some cases even your securities counsel are going to want some kind of supporting documentation about the position. OK, here's the information. Here's kind of how we interpret it. This is the conclusion for how we go in to account for that. And that can make it a lot easier for auditors to get their hands around it, securities counsels, and others to be sure that it's being disclosed in the right way.

But they often talk about, hey, do that contemporaneously—don't just save all that work and paper it up at the end. Be recording those things as you go. And to your point about, hey, a cyber breach is a bit of a fire drill. It feels like that contemporaneous documentation becomes increasingly important because you could easily imagine the SEC looking at, you know, when this new 1.05 item shows up on an 8-K and then inevitably the date of the breach is going to be disclosed. Very quick to figure out, OK, how much time passed. And you could see that the SEC may be having a rule of thumb over time. Well, you know what? Any more than a month, yeah, we're probably going to ask you for that documentation or certainly longer than that. And I just feel like that becomes so important that you're documenting that along the way so that you're not caught flat footed when you eventually get asked a question, because I think it's pretty likely if it was an unreasonable amount of time, can't really say exactly what that was, but that the SEC would want to see what exactly was happening behind the scenes.

Alan: Yeah, I think that that's fair, and it's something that companies will want to think about. And there will indeed be practices and common trends that apply going forward. As with all new rules, people will get into a groove and there will be a cadence to these things and data available to benchmark to figure out what's reasonable and what becomes reasonable, if you will, based upon both company responses and then SEC comments in response there too.

Catherine: Well, one of the interesting parts of the rule is that there is an exception to having to file an 8-K disclosing a breach within four business days of determining the materiality: if the U.S. attorney general determines that it's a matter of national security or a threat to public safety. And so that leads us to our closing question of the day, Alan. In what situation would you want Merrick Garland to write an excuse note for you?

Alan: I'm hopeful never to be in a situation where I need an excuse note from the attorney general. Though, hopefully, if facing a cybersecurity breach, it would indeed be whatever effect I had so that it would delay the reporting and allow sufficient time to provide the notice. Now, what that does can be avoided.

Steve: Very well said. Very well said. Catherine, since I know you're going to ask me anyway, and this in a little bit of transparency and embarrassment, in seventh grade, a buddy of mine really wanted to skip class and go to the arcade, which was a mall down the street, not a short walk, by the way, and play the Atari game. I think it's like Cruis'n USA or something like that, where the steering wheel like actually moved or whatever. I will admit for our audience, I actually forged a note from my parents as best as I could in seventh grade, and it was so painfully obvious. I can't believe the office actually let me walk out the door, but I'm pretty sure what they did is call my mom said, hey, just want to let you know what your son just did. Anyway, I felt the wrath of my parents when I got home. But I'm wondering, had I had a note from the attorney general, maybe that would have gotten me out of that trouble. Who knows?

Catherine: Yeah. What games did you play?

Steve: I played that Atari game, that driving game. And you know what? I was so bad as a seventh grader. How well can you drive? Those were like, 30 seconds. I mean, I was just going through the corners, right? One after another after another. We probably took us all of 15 minutes to run out of money. And then what do we do? Because that's the challenge when you skip class. How do you get back into school, or how do you show up at all but at a random time? These were things that had not occurred to me as a seventh grader. And I will tell you, I rarely did that again.

Catherine: Sounds worthy of a Merrick Garland note, I suppose.

Steve: Well, I suppose. How about you, Catherine?

Catherine: I very briefly worked at a tortilla factory. I think I could have used a note to maybe get out of having to work on the assembly line one day because I was really bad at it. So it really would have been for the good of my coworkers if I didn't show up that day. I'm sure.

Steve: And maybe, yeah, maybe a help to national security. I don't know.

Catherine: That's right. And I'm sure.

Steve: Alan Wilson from WilmerHale, thank you so much for joining us and coming on. It was short notice, and I know you were probably just like up to your eyeballs in Q's and K's and everything else you probably have going on. So thank you so much.

Alan: Absolutely always delighted to speak with you both.

Steve: Well, and thank you, dear listener, for surfing along with us. I'm Steve Soter. That was Catherine Tsai, and this has been Off the Books presented by Workiva. Please subscribe. Leave a review. And as always, tell your buddies, if you like the show. If you're watching this on YouTube, we would love for you to leave a note in the comments, or feel free to drop us a line at OffTheBooks@workiva.com. Surf's up and we'll see you on the next wave.