CFOs are under the gun as the SEC’s new 4-day data breach disclosure window goes into effect

Large public companies now have less than a week to report to regulators a cybersecurity breach that may impact the bottom line.

The U.S. Securities and Exchange Commission’s (SEC) new rule on cybersecurity disclosure went into effect on Monday. It requires public companies to disclose on the Form 8-K any cybersecurity incident within four days of the company determining it to be “material,” such as having a significant impact on the company’s financials, operation, or relationship with its customers. All public companies are now required to use the SEC’s data tagging technology known as Inline XBRL. Smaller businesses have an additional 180 days before required compliance with the four-day reporting rule. 

Companies also have to create annual reports explaining how they manage cybersecurity. The assessment of business disruption and impact to financials will most likely fall under the purview of the CFO.

“CFOs and [chief information security officers] CISOs should learn to speak each other’s languages,” Mike Britton, CISO at Abnormal Security, told me regarding the new rule. The AI-powered email security company earned a spot on this year’s Fortune Cyber 60 list that identifies the fastest-growing startups in cybersecurity. 

“My best advice for CFOs is to get to know your CISO, and through them, better understand how to balance the cost of addressing your cyber-risk level and the cost of the potential consequences of not addressing them,” Britton said. “CISOs need to appeal to the strategic interests of the CFO and communicate how company decisions can create risk. And CFOs also need to understand cyber risk and what risks may impact financial statements and the materiality of reporting breaches.”

Determing a material incident

Since March of 2022, there was indication that the SEC would take some action on cybersecurity reporting. The SEC announced in July when the rules would go into effect, so execs have had some time to prepare.

But with a four-day time frame to report, some companies may be walking a tightrope when it comes to determining what makes a cybersecurity incident material and at the same time responding to that incident and putting out fires.

“We spend a lot of our time with our clients talking through materiality considerations,” Naj Adib, principal of cyber and strategic risk at Deloitte, told me.

When working with clients, Adib starts with the SEC’s guidelines on materiality, determining the nature, extent, and potential magnitude of a cybersecurity incident. “But the SEC is not here to prescribe what cyber capabilities you need to have in place,” he said. “A manufacturing company is going to be different from a financial service company.” 

Adib said companies will need a cybersecurity response team with members such as IT, legal, CIOs, CFOs, and CISCOs, who are looking at your entire process from cyber incident identification, all the way to disclosure. 

Measuring materiality considerations involving qualitative factors like an impact on reputation, implications for relationships with your customers and vendors, or even the impact on talent, can be a challenge, Adib said. But this goes back to having the right cybersecurity response team in place with those who can tell you from the business scope and operations whether what’s happening is really important, he said. 

As companies put a greater emphasis on strengthening cybersecurity, spending is on the rise. Industry research firm IDC estimates that worldwide spending on security products and services will total $219 billion this year, up 12% from 2022, and reach nearly $300 billion in 2026.

The SEC’s new rules are “a potential game changer for the industry and a major tailwind for the cyber security industry,” Wedbush analyst Dan Ives said in a Monday note to investors. 

Sheryl Estrada
sheryl.estrada@fortune.com

Leaderboard

Brian Costanzo was promoted to CFO at Markel Group Inc. (NYSE: MKL), effective Dec. 18. He replaces Teri Gendron, who will leave the company on Dec. 31. Costanzo will also maintain his role as CFO of the insurance business. In this combined role, he will oversee and manage all financial operations for the insurance engine and holding company. Costanzo has been with Markel Group for 14 years, and he has held several leadership positions, including controller and chief accounting officer. 

Tracy Tan was promoted to CFO at Primerica, Inc. (NYSE:PRI), a provider of financial products and services, effective Dec. 20. Tan succeeds CFO Alison Rand, who will remain employed by the company until her retirement on April 1. Tan most recently served as EVP of finance. 

Big deal

The prospect of the ongoing decline in crude oil and other energy prices continuing into 2024 has short sellers focusing on energy stocks. The latest data from S&P Global Market Intelligence found short interest in energy stocks increased 28 basis points from 3.43% at the end of October to 3.71% at the end of November. Communications services, which saw short interest jump 29 basis points, was the only other sector to see a bigger increase over that month-long stretch, according to the report.

Going deeper

"Bank of America warned of a mild recession at the beginning of the year. Now, it says the Fed is close to ‘sticking’ a soft landing," by Fortune's Will Daniel, explains how as the year went on, economic data pleasantly surprised Wall Street, leading Bank of America’s chief U.S. economist Michael Gapen to begin shifting his recession forecast.

Overheard

"As a leader, one of your primary responsibilities is to create an environment that empowers your team to succeed. When a significant percentage of your team is multitasking during meetings, it implies that you haven’t succeeded in making that environment conducive to full engagement."

—Gleb Tsipursky, the CEO of the boutique future-of-work consultancy Disaster Avoidance Experts, writes in a Fortune opinion piece titled, "Stressed-out employees are multitasking to survive virtual meetings—and bosses hate it."