SEC Professionals Groups

  • 1.  Who is leading CyberSecurity Rules implementation at your company?

    Posted 10-13-2023 01:11 PM

    The Cybersecurity Rules are going to be effective in December for most companies. The rules themselves have components of legal, internal controls, and disclosures (SEC) on top of the involvement of the cybersecurity team at the Company. Who in most companies is leading this process? It seems very legal heavy and I am trying to understand the responsibility of SEC reporting team in this process? So curious on how others are handling it.



    ------------------------------
    Hetal Bhuta
    Dir. Financial Compliance
    Roku. Inc.
    ------------------------------


  • 2.  RE: Who is leading CyberSecurity Rules implementation at your company?

    Posted 10-16-2023 10:53 AM

    For our company, Legal is mostly leading this effort by partnering with IT.  We are mostly on the periphery of this effort to ensure the proper disclosure in the K.



    ------------------------------
    Jake Roldan
    Financial Reporting Manager
    Clearwater Paper Corporation
    ------------------------------



  • 3.  RE: Who is leading CyberSecurity Rules implementation at your company?

    Posted 10-18-2023 02:12 PM

    Thanks for posting, Hetal! This really is the major question that teams are asking themselves. Based on the discussions I've had with SEC teams, it's really a joint effort with legal, IT/cybersecurity, audit/risk, and financial reporting teams. From these discussions, it seems like to start out, both the IT and legal teams have been sharing factors they would consider when determining if they thought something was material. Those factors could then be shared with audit/financial reporting teams for their views under the traditional / securities definition of materiality. Once reviewed and finalized as a whole, that then becomes the materiality threshold companies would start to use to determine if anything rises to the level of disclosure. As a next step, often companies have tabletop exercises to work through a theoretical cyber incident and this materiality threshold could be used as part of those exercises to "pressure test" and see if everyone agrees that the materiality thresholds seem right. There's quite a bit of thought leadership out there that helps with some of the considerations (including the SEC Pro Q3 meeting!!!).



    ------------------------------
    Steve Soter
    Executive Advisor
    SEC. ESG & SOX Pro Groups
    ------------------------------



  • 4.  RE: Who is leading CyberSecurity Rules implementation at your company?

    Posted 10-20-2023 05:35 PM

    Sorry for the follow up, but this morning I listened to PwC's accounting podcast where they shared perspectives on how to prepare for the cyber rule. It was super helpful and featured Kyle Moffatt who spoke at our national meeting. I'd highly recommend it if you're looking for insights on how to prepare.

    https://viewpoint.pwc.com/dt/us/en/pwc/podcasts/podcasts_US/gettingreadyforthesecsnew.html 



    ------------------------------
    Steve Soter
    Executive Advisor
    SEC. ESG & SOX Pro Groups
    ------------------------------



  • 5.  RE: Who is leading CyberSecurity Rules implementation at your company?

    Posted 10-21-2023 02:05 PM

    Thank you for sharing your viewpoint. I will also listen to the webcast. 



    ------------------------------
    Hetal Bhuta
    Dir. Financial Compliance
    Roku. Inc.
    ------------------------------