Co-Founder and Lead Software Engineer Reliable Energy Analytics LLC

Inventor of patent pending (16/933161) technology: METHODS FOR VERIFICATION OF SOFTWARE OBJECT AUTHENTICITY AND INTEGRITY and the Software Assurance Guardian™ (SAG ™) Point Man™ (SAG-PM™)...

  • Sep 9, 2021 1:08 pm GMT

The SEC is working on a NOPR (Notice of Proposed Rulemaking) scheduled for release in October 2021. This article offers some insights on what public companies can do to prepare for what's coming.

Companies may consider taking the following steps given recent SEC enforcement actions:

  • Show Your Work. Think ahead to what documents and information the SEC would request in connection with an investigation into cybersecurity practices and disclosures, including policies and procedures related to cybersecurity protection efforts, risks, and incidents. For example, companies should be able to show the following:

      • Written Information Security Plan (WISP). Multiple laws, including those promulgated by the New York Department of Financial Services and several states, require that companies maintain WISPs. At minimum, a WISP should align with one of the recognized data security standards, like those issued by the National Institute of Standards and Technology (NIST) or the International Organization for Standardization (ISO).

      • Incident Response Plan (IRP). While most companies tend to think of IRPs as technical documents maintained by the IT or IS department, it is equally important to have an executive-level IRP outlining how a company would address the business, financial, and reputational risks posed by a cyberattack. The IRP should also identify members of an executive-level incident response team who would be called upon to make key decisions, including decisions concerning reporting and disclosure during a cyberattack.

      • Test Your Procedures Through War Gaming. Policies that gather dust on a shelf do little good. Further, testing your procedures for the first time during a live data breach can lead to costly errors. Increasingly, the expectation from regulators is that companies will conduct annual data breach training “war games.” Also known as tabletops, a good war game will simulate a real-life attack, putting senior executives in the position of having to make tough decisions, including around disclosure and regulatory notification, in a safe environment.

      • Board Oversight. A company’s board of directors must address cybersecurity risks as part of its oversight. Given the recent media attention paid to data breaches and ransomware attacks on major corporations, at minimum, a board should consider having a designated committee that provides appropriate oversight over management’s handling of data security risks and incidents.

  • Disclose Possible Cyber Risks. Every company faces cybersecurity risks, regardless of size or industry, and there truly is no excuse to ignore this risk in your public disclosures. But disclosing cybersecurity risks in periodic reports, including in a 10-K, is tricky. The SEC has advised that risk disclosures should be specific enough to identify risks investors might deem “material,” while acknowledging that companies should not publicly disclose “specific, technical information about their cybersecurity systems, the related networks and devices, or potential system vulnerabilities in such detail as would make such systems, networks, and devices more susceptible to a cybersecurity incident.” In reality, there may be a fine line between the two. If the company previously experienced a significant cyber event that it did not publicly disclose, it should likely not frame such an event in future filings as a hypothetical risk. Ensure any financial reporting accurately discloses the costs associated with a cyberattack, including expenses and legal fees related to the investigation, loss of revenue, legal claims, or diminished cash flow.

  • Do Not Narrowly Evaluate the “Materiality” of a Breach. The SEC has made it clear that an event that does not have a substantial financial impact on a company (e.g., because the losses were covered by a cyber insurance policy) may nonetheless require disclosure, even in an 8-K report, the filing publicly traded companies must make when a material event needs to be disclosed promptly. The SEC has urged companies to consider the “range of harms that [cyber] incidents could cause” in evaluating disclosure obligations, including the importance of any compromised information, the impact of the incident on the company’s operations, the impact on reputation, the potential for regulatory investigations or lawsuits, and any adverse impact on customer and vendor relationships. In other words, consider more than financial impact when evaluating materiality.
