Sorry for the follow-up, but this morning I listened to PwC's accounting podcast where they shared perspectives on how to prepare for the cyber rule. It was super helpful and featured Kyle Moffatt, who spoke at our national meeting. I'd highly recommend it if you're looking for insights on how to prepare.
https://viewpoint.pwc.com/dt/us/en/pwc/podcasts/podcasts_US/gettingreadyforthesecsnew.html
------------------------------
Steve Soter
Executive Advisor
SEC, ESG & SOX Pro Groups
------------------------------
Original Message:
Sent: 10-18-2023 02:11 PM
From: Steve Soter
Subject: Who is leading CyberSecurity Rules implementation at your company?
Thanks for posting, Hetal! This really is the major question that teams are asking themselves. Based on the discussions I've had with SEC teams, it's really a joint effort with legal, IT/cybersecurity, audit/risk, and financial reporting teams. From these discussions, it seems like, to start out, both the IT and legal teams have been sharing factors they would consider when determining if they thought something was material. Those factors could then be shared with audit/financial reporting teams for their views under the traditional/securities definition of materiality. Once reviewed and finalized as a whole, that then becomes the materiality threshold companies would start to use to determine if anything rises to the level of disclosure. As a next step, companies often have tabletop exercises to work through a theoretical cyber incident, and this materiality threshold could be used as part of those exercises to "pressure test" and see if everyone agrees that the materiality thresholds seem right. There's quite a bit of thought leadership out there that helps with some of the considerations (including the SEC Pro Q3 meeting!!!).
------------------------------
Steve Soter
Executive Advisor
SEC, ESG & SOX Pro Groups
------------------------------
Original Message:
Sent: 10-13-2023 01:11 PM
From: Hetal Bhuta
Subject: Who is leading CyberSecurity Rules implementation at your company?
The Cybersecurity Rules are going to be effective in December for most companies. The rules themselves have components of legal, internal controls, and disclosures (SEC) on top of the involvement of the cybersecurity team at the Company. Who in most companies is leading this process? It seems very legal heavy, and I am trying to understand the responsibility of the SEC reporting team in this process. So curious on how others are handling it.
------------------------------
Hetal Bhuta
Dir. Financial Compliance
Roku, Inc.
------------------------------