Good morning.
Four business days. That’s how long public companies have to report to the U.S. Securities and Exchange Commission (SEC) a cybersecurity breach that may impact an organization’s bottom line.
The SEC announced the adoption of new rules on July 26 that requires the disclosure on the new Item 1.05 of Form 8-K of any cybersecurity incident the company determines to be “material,” along with a description including the “nature, scope, and timing,” and likely impact.
The new rules also add Regulation S-K Item 106, which will require companies to describe their processes for assessing, identifying, and managing material risks from cybersecurity threats, and the board of directors’ oversight of risks from cybersecurity threats. These disclosures will also be required in a registrant’s annual report on Form 10-K.
The new rules will take effect in December or 30 days after publication in the Federal Register. The Form 10-K and Form 20-F disclosures will be due beginning with annual reports for fiscal years ending on or after Dec. 15, the SEC announced.
Many companies have already been sharing information on cyber incidents in 8-K forms, but there’s now a standard. And CFOs are increasingly tasked by companies to have a greater role in regulatory reporting. In Deloitte’s CFO Signals Survey for Q2 2023, finance chiefs cited increasing regulations and working with regulators as one of their top challenges related to managing enterprise risk (43%). And implementing processes to identify, monitor, and address risks was also listed as a concern (27%).
It’s crunch time…for some
Since March 2022, there was indication that the SEC would take some action on cybersecurity reporting, and public companies should have been preparing, according to Courtney Adante, president of the security risk advisory at Teneo, a global CEO advisory firm. In addition to managing the division, Adante supports Fortune 500 clients with the design and delivery of enterprise security strategy programs including cybersecurity risk management.
“My perspective is the SEC was really aiming for more transparency for the investment community,” Adante says. “What I’ve seen is companies, particularly in highly regulated industries or sectors like financial services, or even defense, were largely positioned ahead of the game because they’ve had to adhere to regulation for some time now. For other industries and other sectors that may not have been spending the time here, it’s crunch time. I think that they’ve got a window of about six months to get themselves organized before these rules go into effect.”
What role does Adante think CFOs will play in SEC reporting? “The materiality assessment in terms of business disruption, and impact to financials and bottom line, obviously, lies with the CFO,” she says. “But the CFO will need to make that decision informed by a whole suite of stakeholders within the company and peers in the C-suite, and below, in the ensuing days and weeks after a breach in order to make that decision on materiality.”
If it is a material breach, and worthy of being reported to the SEC, how does a company beat the clock on the four-day rule? Prepare around crisis management to have the “ability to very quickly mobilize as an executive leadership team to share information and do that in a seamless way,” Adante explains. “And not only ensuring that they have those incident response and crisis management frameworks in place, but test them out now.”
Guy Melamed, CFO and COO at Varonis Systems Inc. (Nasdaq: VRNS), a software company that provides data security and analytics, shares his perspective. “CFOs are usually responsible for many things, but the SEC rules mean they now have to gain knowledge of one more subject that was never taught in any accounting class: cybersecurity,” Melamed says. “The responsibility for keeping companies secure is still under the security team—but CFOs must start stepping up and asking questions about their organization’s security, and the right ones. All too often, risk starts when critical information is overexposed.”
What’s a good security question? “Ask your [chief information security officer] who can or who has accessed your financial statements in the last 30 days. If they can’t answer you in five
minutes, you are exposed,” Melamed says.
Sheryl Estrada
sheryl.estrada@fortune.com
Big deal
A report by S&P Global Market Intelligence finds that publicly traded media and telecom companies in North America collectively raised $868 million through capital offerings in June. The total represents a "significant decline" from the revised $26.51 billion raised in May 2023 and the $1.33 billion raised in June 2022, according to the report.
Going deeper
The Federal Reserve's July 2023 Senior Loan Officer Opinion Survey on Bank Lending Practices released on Monday found that in the second quarter of 2023, a growing number of banks tightened lending standards. "Regarding loans to businesses, survey respondents reported, on balance, tighter standards and weaker demand for commercial and industrial loans to firms of all sizes," according to the report. "Meanwhile, banks reported tighter standards and weaker demand for all commercial real estate loan categories."
Leaderboard
Jami Rubin was named CFO at Boundless Bio, a clinical-stage, oncology company. Rubin brings more than 30 years of experience to the role. Rubin was most recently CFO of EQRx. She spent the majority of her career as a biopharma equity analyst, including as a partner at Goldman Sachs. Rubin also served as a Partner at PJT Partners, a global advisory-focused investment bank.
Monica Vinay was named CFO at Visual Edge IT, Inc., which specializes in managed IT services and security, and cloud computing. Vinay's experience has been focused on finance and analysis. Most recently, she served as interim CFO and VP of investor relations and treasurer at Myers Industries, Inc. Before that, Vinay was the director of finance at Barnes Group, Inc.
Overheard
"We forecast house prices in 2023 to finish the year flat versus 2022 before falling 2% in 2024 as affordability continues to adjust slowly back to long-run averages and inventories begin a slow climb off multi-decade lows."
—Morgan Stanley housing analysts wrote in a research note they expect home prices to hold steady year over year in 2023, before trending lower in 2024, Yahoo Finance reported.
This is the web version of CFO Daily, a newsletter on the trends and individuals shaping corporate finance. Sign up to get CFO Daily delivered free to your inbox.
