Cybersecurity risk management has been a growing headache for CFOs in recent years. Now, the Securities and Exchange Commission is raising the stakes with new cybersecurity rules that expose corporate leaders, including finance chiefs, to increased personal liability risks, cybersecurity experts told CFO Dive.
Under the rules, which became effective Tuesday, public companies must disclose “material cybersecurity incidents” to the SEC within four days of determining that such a breach has occurred, among other requirements. The rules, which build on past commission guidance, reflect an aggressive cybersecurity enforcement agenda within the Biden administration, experts said.
“In recent years, corporate executives have faced criminal charges over cyber disclosure questions, and as some of the firm’s most senior officers, the personal scrutiny for CFOs and financial leaders will only increase under the new regime,” Tom Reagan, a cybersecurity practice leader at insurance brokerage firm Marsh, said in an email responding to questions.
The SEC in March reached a $3 million settlement with software firm Blackbaud resolving charges that it made misleading disclosures about the scope of a 2020 ransomware investigation.
In late June, SolarWinds disclosed that its CFO and chief information security officer might be facing a civil enforcement action from the SEC over possible violations related to a 2020 cyberattack targeting the company’s Orion IT management platform.
In another high-profile case, the former chief security officer of Uber was convicted last year of covering up a data security breach while his firm was under investigation by the Federal Trade Commission for prior cybersecurity lapses.
The SEC’s rules signal that more federal cybersecurity investigations and enforcement actions are forthcoming, which could trigger other problems for companies, such as class action litigation from shareholders, according to Lenin Lopez, an attorney specializing in corporate governance and securities law at insurance brokerage firm Woodruff Sawyer.
“CFOs will need to gain an understanding, or a better understanding, of cybersecurity risk and potential implications to the company,” Lopez wrote in an email. “The alternative puts the company and the CFO at risk of finding themselves on the other side of a securities suit or a breach of fiduciary duty suit if there is a material cyber incident.”
The commission adopted its new cybersecurity rules in July on a party-line 3-2 vote.
“Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors,” SEC Chair Gary Gensler said at the time. “Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way.”
Critics include the U.S. Chamber of Commerce, which unsuccessfully urged the SEC to delay the rules’ effective date, as previously reported by CFO Dive.
The four-day deadline for disclosing “material” cybersecurity incidents has been one of the most controversial aspects of the new rules.
“Ninety-six hours is not a lot of time to work with when evaluating a cyber incident,” Reagan said. The CFO may need to be closely involved in that process from the very start, along with helping to shape the corporate framework for reporting and managing cyber incidents in general, he said.
While the SEC rules don’t specify whether the materiality determination should be performed by the board, a board committee, or one or more officers, it’s an area where CFOs are well-positioned to play a lead role, according to Scott Kannry, CEO of Axio, a cybersecurity software provider.
“The reality is that CFOs know the financial ins and outs of the business far more than CISOs [chief information security officers] do, so they end up being best positioned to determine, in a defensible manner, whether a potential cyber event could be a material risk,” he said.
At the same time, the rules could also put CFOs at increased risk of regulatory scrutiny and personal liability, according to Kannry. “CFOs already have a fiduciary responsibility to accurately manage and represent the financials of the enterprise, and if they fail in that duty, they can be held civilly or even criminally responsible,” he said. “Think about a situation where a CFO brushes off a cyber event as minor when it likely isn’t, in the intervening weeks and months the company stock trades at an artificially inflated value, and then the reality of the event comes to light and the stock crashes. There will be a lot of fingers pointing at that CFO pretty quickly.”
Besides mandating disclosure of material cybersecurity incidents on form 8-K, the final rules also require public companies to describe on form 10-K their board of directors’ oversight of cybersecurity risks.
Prior to issuing its new rules, the SEC had already taken the position through interpretive guidance that public companies are responsible for disclosing material cybersecurity risks and incidents.
Still, the new rules represent a significant expansion of the prior guidance and could force many businesses to overhaul their cybersecurity programs, experts said.
“With the new SEC cyber reporting rules, companies will need to provide greater transparency into their strategy, as well as their programs for protecting against cyber threats,” Timothy Brown, an audit partner in KPMG's Department of Professional Practice, said. “CFOs will also be certifying that those processes that will now be disclosed are appropriate and effective.”
While the rules are now in effect, the SEC has set compliance dates that are scheduled to come later. All covered entities other than smaller reporting businesses are required to comply with the new breach disclosure requirements starting on Dec. 18. Smaller reporting companies will be subject to these mandates as of June 5 of next year.