More transparency required in cybersecurity disclosures


SEC focuses on accuracy and completeness


As the SEC places increasing scrutiny on cybersecurity disclosures, some company leaders and boards are facing a critical compliance challenge.


You can’t disclose information you don’t have, and the compliance requirements call for details that may not be readily available to some companies.


“As a C-level executive or as a board member, you need to make sure your organization has processes and controls in place to surface complete and accurate information,” said Forrest Frazier, Grant Thornton Partner, Strategic Assurance and SOC Services.


The compliance risks related to cybersecurity disclosures have increased significantly since July, when the SEC issued new requirements for annually disclosing board and management roles in managing cybersecurity threats, as well as cybersecurity processes. Material breaches also must be disclosed within four days.



“There’s a level of detail and accuracy that the SEC expects registrants to represent around cybersecurity when they’re filing their 10-K and 8-K,” said Max Kovalsky, Grant Thornton Managing Director, Cybersecurity and Privacy Services.


Many companies have made changes to the management and governance of their cybersecurity programs as a result of the new SEC requirement, according to an audience survey from a recent Grant Thornton webcast on the new SEC rule. As a result of the new requirement, among respondents in the survey who did not answer “unsure”:

  • 28% have made changes to their cyber risk management and cyber risk governance processes.
  • 22% have made changes to their cyber risk management processes only.
  • 19% have made changes to their cyber risk governance processes only.




Complete, accurate disclosures


Kovalsky said that because of the changing nature of cybersecurity threats and constant changes in technology, every cybersecurity control is in some state of evolution.


Companies are accustomed to disclosing information internally about the status of cybersecurity practices and controls. CFOs have been meeting with CIOs and CISOs for years to discuss the effectiveness of controls, threat management, potential risks and risks that might not be mitigated yet in a satisfactory fashion.


“But that’s very different from saying you’re ready to disclose it to the public,” Frazier said. “Just like in the MD&A, there’s an onus on management to make sure what is disclosed is complete and accurate.”


However, Kovalsky said one element of the business environment can stand in the way of complete, accurate disclosure. CISOs sometimes go into board meetings under pressure from other executives to make an organization’s cybersecurity risk management processes and protections sound more mature than they really are.


If the board doesn’t have a full appreciation of the risks due to these pressures, it’s more likely that the disclosures to the SEC will be incorrect.


“Boards need to be prepared to ask more granular, pointed questions. It should be a reasonable expectation that the CISO not only describes the risks in qualitative terms but quantifies them to the board or committee charged with cyber risk oversight,” Kovalsky said.


General questions about cybersecurity can include:

  • What framework is management using to design its risk management program and what framework does management use to communicate information about its cybersecurity?
  • Has an assessment of the organization’s cybersecurity risk management program been conducted by an independent third party?
  • What controls and processes are in place to prevent, detect, respond to and recover from cyberattacks?
  • What are the potential financial impacts of the inherent and residual risks? And are those within our risk appetite?
  • What are the returns on our cybersecurity investments?
  • Does the company conduct regular “dry run” scenario planning exercises to practice how it would respond in the case of a breach? (And do those exercises reveal any shortcomings?)
  • What model does the organization use to determine materiality with respect to breaches and disclosures?

Boards should be asking what processes are in place to capture the answers to all those questions and the data that’s necessary for internal and external reporting.


One of the first steps in deciding whether a cybersecurity incident is material may be developing a framework for the determination. Among the Grant Thornton survey respondents who did not answer “unsure”, just 9% have identified the drivers of materiality and tested the framework during a table-top exercise. An additional 24% have identified the drivers of materiality but have not tested them, and 40% are in the process of developing a framework. More than one-fourth (27%) haven’t yet started developing a framework.




Third parties bring objectivity


Boards can encourage a valuable, fresh and neutral perspective by asking whether management has engaged a third party to perform an independent assessment of the organization’s cybersecurity risk management program. Third-party professionals typically possess deep knowledge of cybersecurity that’s obtained through working with many different clients, and their observations can shed new light on an organization’s cybersecurity risk management.


“Knowing that the organization has received an independent assessment of its cybersecurity risk management program should give board members a lot of comfort,” Frazier said.


The board has more questions to ask when the maturity of controls is low, regardless of whether this information is revealed in the CISO’s report or a third-party analysis. At that point, Kovalsky said the board should ask:

  • What risks do the insufficient controls expose the organization to?
  • What is being done to improve the maturity of controls?
  • What is the quantifiable measure of remaining or residual risks?

Kovalsky said organizations with a higher level of cybersecurity maturity employ cyber risk dashboards that automate the aggregation and analysis of data points to answer many of the questions above. These dashboards enable consistent, process-driven reporting to the board at a level of detail that can enable improved cybersecurity governance. Ultimately, the collection and aggregation of key cybersecurity metrics that feed the dashboards instills discipline, rigor and consistency around the data, which can also help organizations provide accurate, complete information about risks and incidents to investors and the SEC.



Boards also need to consider whether their composition sufficiently supports effective cybersecurity governance. Where needed, boards should bring in third-party professionals on a regular basis to provide education on cybersecurity practices and issues. It’s also important for at least one board member to have extensive cybersecurity experience.


The SEC’s guidance from July does not require registrants to disclose the extent of their boards’ cybersecurity knowledge and experience. But the emerging compliance risks raise the stakes for cybersecurity experience on boards.


“As with financial or legal expertise, boards should make sure they have the information technology and cybersecurity expertise necessary to fulfill their governance responsibilities,” Frazier said.




Coming into the sunlight


Kovalsky likes to compare cybersecurity with politics and religion.


“It’s not something you used to talk about in public,” Kovalsky said.


But now, the SEC is requiring companies to talk with the public about cybersecurity in a very transparent way. In the past, some companies tried to disclose as little as possible about cybersecurity to avoid potential liability and legal issues. That practice of minimum disclosure has been upended by the SEC’s requirements and demands a new way of communicating that should be considered carefully by management and the board.



The Grant Thornton webcast survey shows that many companies have taken steps toward fulfilling these reporting requirements, but some still have work to do. Among respondents who did not answer “unsure”, nearly one-fourth (23%) have identified material cybersecurity risks that will be reported on their next 10-K and have language drafted. One-third have identified material cybersecurity risks but are unsure yet how to formulate the language for the reporting.


But 44% of respondents who did not answer “unsure” haven’t identified material cybersecurity risks as they prepare to comply with the rule. To avoid regulatory exposure, it’s important for them to examine those risks carefully and to be precise when they describe them in company reporting.


“Vague, imprecise language is no longer sufficient when they communicate about their cybersecurity posture to investors,” Kovalsky said. “The heart of the matter is that the SEC keeps referring back to investors’ expectations of knowing the full scope of risks. Companies should be mindful of this when they talk about cybersecurity.”



Content disclaimer

This content provides information and comments on current issues and developments from Grant Thornton Advisors LLC and Grant Thornton LLP. It is not a comprehensive analysis of the subject matter covered. It is not, and should not be construed as, accounting, legal, tax, or professional advice provided by Grant Thornton Advisors LLC and Grant Thornton LLP. All relevant facts and circumstances, including the pertinent authoritative literature, need to be considered to arrive at conclusions that comply with matters addressed in this content.

For additional information on topics covered in this content, contact a Grant Thornton professional.

Grant Thornton LLP and Grant Thornton Advisors LLC (and their respective subsidiary entities) practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations and professional standards. Grant Thornton LLP is a licensed independent CPA firm that provides attest services to its clients, and Grant Thornton Advisors LLC and its subsidiary entities provide tax and business consulting services to their clients. Grant Thornton Advisors LLC and its subsidiary entities are not licensed CPA firms.

