Understandably, much of the attention related to cyber disclosures relates to how – and when – to disclose cyber incidents in a Form 8-K. But perhaps equally important is consideration of what you should be disclosing in your Form 10-K and in your proxy statement. (Part II of this blog will provide good sample disclosures.)
Several of our Form 10-K Transparency Criteria dovetail nicely with the SEC’s new cyber disclosure rules, including:
- Transparency Criteria #20: “The company discusses cybersecurity in the context of risk.”
- Transparency Criteria #21: “The company discloses whether the Board or applicable Board Committee receives reports or summaries of any cybersecurity risk assessments conducted by a third party.”
Then consider #63 of the ESG Report Transparency Criteria: “The company provides an overview of its overall strategy and policies relating to cybersecurity.”
And finally, consider #42 of the Proxy Transparency Criteria: “The document includes a dedicated section, subsection or callout discussing the board’s role in oversight of information security/cybersecurity/data privacy risks.”
Between all of these disclosures, stakeholders should get a sense of the level of board oversight for cyber-related issues within the company, and should be able to answer questions such as:
- What is the company’s approach to cyber in general?
- Is the company continuously improving its cyber readiness processes?
- Is the board (or the appropriate board committee) using its power to hire experts to help oversee this important area?
- How closely is the board (or board committee) following what third parties hired by management are saying about the company’s cyber readiness?
- Is the board getting unfiltered information?
- Does the board (or board committee) have the unfiltered right to ask the hard questions about how the company’s cyber readiness plan is working? And is it getting straight answers?
- Is the board delegating too much of its oversight responsibility in this area?
- Is management exercising its right to hire third parties to test the company’s cyber readiness?
It’s true that providing these cyber disclosures across three types of disclosure documents can be confusing. It’s important that the disclosures are consistent – but not repeated verbatim. Thoughtful consideration should go into the disclosure in each of these documents, as the type – and level – of disclosure should match the context and the intended audience of each one…