
Corp Fin and securities lawyers talk cyber disclosures

Valuable lessons learned from initial compliance with the SEC’s cybersecurity disclosure rules.


Attendees at the 2024 AICPA & CIMA Conference on Current SEC and PCAOB Developments heard an insightful discussion about the SEC’s new cybersecurity disclosure rules, which took effect at the end of 2023. The panelists shared crucial data points, compliance issues and best practices.

The new SEC rules on cybersecurity risk management, strategy, governance and incident disclosures are putting pressure on organizations to strengthen their cybersecurity reporting postures. Cybersecurity is no longer the responsibility of only IT and security teams, but something that many areas of the business are involved with.

Erin McCloskey

KPMG Partner, Department of Professional Practice

>> Cybersecurity disclosure basics

The following broad categories of disclosures are required on Form 10-K and Form 20-F:

  • cybersecurity processes;

  • management’s role in cybersecurity governance; and

  • cybersecurity oversight by the board of directors. 

Material cyber incidents are reported under new Item 1.05 of Form 8-K within four business days of determining an incident is material. This form is also used to provide new information about material aspects of previously reported incidents.

Learn more about the basics in our Defining Issues, SEC finalizes cybersecurity rules.

An early look at annual disclosures

This past filing season saw the first annual disclosures under the new cybersecurity disclosure rules. The SEC Staff’s comments during this initial year were not intended as ‘gotcha’ comments but as forward-looking feedback to improve the disclosures in future filings. Sebastian Gomez, Associate Director in the Division of Corporation Finance's Disclosure Review Program, highlighted that the cybersecurity rules do not require companies to change their current practices, only to disclose them. The SEC Staff further shared that simply stating that a company has a process is not sufficient; they are looking for a description of the process detailed enough that a reasonable investor would understand it.

Preliminary observations on incident reporting

All panelists spoke to the challenges experienced around the materiality determination related to incident reporting. Companies are required to assess in a timely manner whether cyber incidents are material and, if so, disclose them on Form 8-K within four business days of that determination. While there is no prescribed deadline for determining materiality, the assessment cannot be unreasonably delayed. John White, partner from Cravath, Swaine & Moore, reminded participants that the four-business-day clock begins when the incident is determined to be material, not on the date of the incident and not on the date the company becomes aware of it.

Earlier this year, the SEC observed companies reporting cyber incidents under Item 1.05 of Form 8-K before they had determined the incident was material. As a result, Erik Gerding, Director of the Division of Corporation Finance, issued a statement clarifying that Item 8.01 of Form 8-K should be used to disclose cyber incidents that are either not material or for which the materiality assessment is still in process. Gomez reminded registrants that only cyber incidents that have been determined to be material belong under Item 1.05.

>> Enforcement of cybersecurity disclosure rules

Although the cybersecurity disclosure rules became effective in late 2023, the SEC has been using preexisting rules to actively pursue cybersecurity investigations against companies it believes have not adequately disclosed cybersecurity risks in their SEC filings. 

These investigations (and some enforcement actions) hinge on whether a company has:

  • materially misrepresented its cybersecurity risk factors or material cyber incidents; or

  • failed to maintain adequate internal accounting and disclosure controls to ensure material cybersecurity risks are timely and accurately assessed and disclosed.

Panelists discussed recent enforcement cases related to the SolarWinds Corp cyber incident and what it means for SEC enforcement actions in this space.

As White explained, having comprehensive, well-executed disclosure controls and procedures (DCP) in place around cybersecurity is crucial: anything more than the very occasional disclosure failure can expose a company to an enforcement action, and even a single failure could expose it to civil liability to shareholders and other stakeholders.

Have the right oversight structure

The panelists discussed the importance of board oversight of cybersecurity. Raquel Fox, partner from Skadden, offered the following to establish an effective oversight structure.

  • Ensure the right individuals within the company are timely informed of all incidents. 

  • Maintain thorough documentation of discussions about cybersecurity risks.

  • Assess cybersecurity risks cumulatively rather than evaluating each in isolation.

  • Ensure that any cybersecurity disclosures remain accurate and reflect the overall health of the company.

White noted that a best practice is to include individuals with cybersecurity expertise on the disclosure committee to assess the implications of incidents accurately. For example, include the Chief Information Security Officer (CISO) on the committee so that cybersecurity risks are evaluated from a technical perspective, enabling more informed decisions. Further, Gomez indicated that the annual disclosure of cybersecurity risks should outline the expertise of each individual rather than referring to the group as a whole.

Disclosure controls and procedures remain key

Under the securities laws, companies must maintain a system of DCP designed to ensure that information required to be disclosed is escalated internally to allow for timely disclosure decisions. While the DCP should be tailored to fit the unique needs and structure of the organization, the panelists noted that a good DCP related to cybersecurity incident reporting will contain items such as:

  • criteria for assessing materiality;

  • the specific responsibilities of individuals involved in the process; and 

  • the procedures for documenting decisions. 

The panelists highlighted that DCP should be regularly reviewed and updated to reflect any changes in cybersecurity risks, regulatory requirements, or the company’s risk profile. By clearly outlining the process, the policy enables materiality decisions to be consistent, transparent and aligned with the organization's overall governance and compliance standards.

Another reminder: materiality is qualitative and quantitative

Communication is key. Based on the framework in the DCP, the right information must be provided to the appropriate leadership in a timely manner, allowing them to make well-considered assessments of materiality. The panelists remarked that this approach helps avoid premature or overly conservative judgments and helps ensure that the decision to disclose a cybersecurity event is based on a thorough, well-informed evaluation and materiality determination.

As part of the materiality assessment, panelists highlighted the importance of considering both qualitative and quantitative factors.

>> Materiality factors

Panelists offered examples of qualitative and quantitative factors to consider in assessing the materiality of cyber incidents. 

Qualitative factors: reputational damage, loss of customers or vendor relationships, breach of contracts, the nature and scope of the incident (e.g. what was stolen and the potential use of that information), the duration of the attack and the company's response time, and the impact on the systems supporting SOX reporting, including whether their reliability was compromised and whether the attack led to missed reporting deadlines.

Quantitative factors: the impact on a company’s financial condition or results of operations (e.g. reduced revenues), changes in stock price, expenses incurred due to the incident, and costs related to regulatory proceedings or litigation.

There is no one-size-fits-all approach, so companies must develop response plans, controls and procedures tailored to their specific cyber threats and business structures. Ultimately, the increased involvement of CAOs, controllers and other areas of the business should reinforce the notion that cybersecurity is an enterprise-wide endeavor, not just an IT initiative.

Meagan Van Orden

KPMG Partner, Department of Professional Practice

Read our Corporate Controller & CAO Hot Topic, Cybersecurity Reporting – Navigating the New Requirements.
