The SEC's recent proposal to adopt a framework that would instruct companies on how to deal with cyber-attacks, and define the role of a company's board in cyber-risk oversight and disclosure, has raised eyebrows within the IR community.
The framework would establish strategies and governance for companies to follow in countering increasingly sophisticated threats. It is also meant to address concerns arising from the pervasive use of digital technologies: the shift to hybrid work environments, the rise in the use of crypto assets and the growth in illicit profits from ransomware and stolen data.
But while adoption would protect firms against loss of revenue, reputational damage and erosion of shareholder value, industry experts argue the proposed framework is too complex to implement.
‘When I first started looking at the rule proposal, I thought it would be very straightforward,’ said Neil McCarthy, senior director of sales enablement and business development at Morrow Sodali, in an IR Magazine Webinar. ‘As you dig into it and look at the comment letters from law firms and accounting firms, they are very technical and very focused.
‘A lot of the concerns rise around reporting on 8K – there is a lot of complexity on how to do this.’
A tangled web
Form 8-K is a report the SEC requires companies to file within four business days of a significant material event to announce it to shareholders. The first challenge, experts say, is to define what makes an event material.
‘There is a judgment call to be made on what’s material,’ said Evan Barth, vice president, associate general counsel and assistant secretary at Kyndryl Holdings.
‘Once you have determined that, it’s one decision made. But with cyber-events, the assessment of materiality could change every day as you learn more facts. Disclosing an 8K form is market-moving information and companies would need to be really careful on how they phrase things when they come up with that materiality assessment.’
Barth stressed that the timing of disclosure is one of the main challenges the new regulation would bring for companies: they risk scrutiny both for not disclosing information at the right time and for disclosing it too early, before they have been able to assess the materiality of the event properly.
The second major challenge of the proposed regulation that panelists addressed was the requirement for companies to have cyber-security experts on their boards.
McCarthy called for the SEC to ‘back off’ on this specific requirement and put forward a ‘more reasonable’ version that can be met by all companies.
‘The SEC sees that some companies in certain industries have cyber-security experts on the board, but that’s because some companies have more exposure on this front,’ he said. ‘But I think it’s unnecessary for some companies to have a specific designee all the time. It also raises liability concerns for the individuals if they are designated as experts and then something goes wrong.’