Last July, the U.S. Securities and Exchange Commission (SEC) adopted rules requiring public companies to provide more detailed disclosure of material cybersecurity incidents and to report on their cybersecurity policies, including risk management, strategy, and governance.
These new rules went into effect in December and also apply to foreign companies listed on U.S.-based stock exchanges or with instruments negotiated on U.S. exchanges. About 15 Brazilian companies are currently listed in the U.S., and 50 others have an American Depositary Receipt (ADR), a bank-issued certificate representing a certain number of shares of a foreign company that can be traded in the U.S.
In a statement to the market, Erik Gerding, director of the SEC’s corporation finance division, said the commission is not trying to mandate specific cybersecurity defenses or practices.
“Publicly traded companies have the flexibility to decide how to address cybersecurity risks and threats based on their own particular facts and circumstances,” he said. “Investors have indicated, however, that they need consistent and comparable disclosures in order to evaluate how successfully public companies are doing so.”
Incidents must be disclosed within four business days of the company’s determination that the event is material in a dedicated section of a Form 8-K report. This timeframe is consistent with the reporting of other events, such as entering into or terminating a contract or filing for bankruptcy protection. More specifically, it means disclosing the nature, scope, timing, and material (financial and/or operational) impact of the incident.
Smaller companies, defined by the SEC as organizations with a public float of less than USD 250 million or annual revenues of up to USD 100 million, have more time (180 days) to disclose incidents.
The SEC is also asking companies to disclose which, if any, senior management positions or committees are responsible for cybersecurity threats and what their expertise is. It is also asking companies to describe how their board of directors oversees risks from cybersecurity threats and, if applicable, identify any relevant board committee or subcommittee and explain how the board or such committee is informed about such risks. In other words, it’s more about how companies identify and address threats than it is about the number and type of attacks.
Under the new rules, companies will also have to describe their information security risk management and governance procedures not only in the event of an attack, but also in a new item (106) on their Form 10-K, which they must file annually, starting with those whose fiscal years ended on or after last December 15.
Companies that fail to comply will be subject to financial penalties, including fines and regulatory scrutiny. The SEC also makes it clear that the more sensitive the company’s core business is to these cybersecurity risks, the higher the level of regulatory scrutiny.
Curiously, the new rules are already being used as a weapon by attackers. Last November, a ransomware group called Alphv/BlackCat filed an SEC complaint against one of its victims, MeridianLink, for failing to report the incident to the regulator.
What can be disclosed?
Finding the balance between what to say and what not to say can be tricky because the SEC’s rules, other than those described above, are somewhat vague. For example, they do not define materiality or set standards for each of the issues that must be addressed when reporting an incident.
At the same time, the regulator says that companies do not have to disclose information about attack mitigation so as not to interfere with ongoing rescue efforts.
In Brazil, the head of the country’s Securities Commission (CVM), João Pedro Nascimento, recently said that the authority does not intend to issue specific regulations on cybersecurity. He spoke on the topic not only because of the SEC’s new rules, but also because of a survey that found that B3-listed companies have a medium level of information security maturity, with an average score of 4.9 on a scale of 0 to 10.
The survey, conducted by the Brazilian Association of Public Companies (Abrasca) and the global research and development network The Security Design Lab (SDL), interviewed 109 companies from various sectors. Based on the results, Abrasca created a working group to monitor the issue and is training executives from listed companies.
The score was based on the latest version of the U.S. Institute of Standards and Technology’s (NIST) Cybersecurity Framework (CSF), which has a complex methodology.
“Alongside the areas of information security and investor relations, we are evaluating what information we can and cannot disclose. For example, we considered disclosing our NIST maturity score, but we wonder if someone who knows the research methodology could infer our policy from the result,” says Marina Pequeneza de Moraes, sustainability and social impact manager at Cogna, an education holding company that not only has ADRs, but one of its companies, Vasta, has been listed on the Nasdaq since 2020.
Ms. Moraes explains that Cogna already meets most of the new SEC requirements — having made a number of improvements to comply with Brazil’s data protection law, which came into effect in 2020. However, some changes may be needed in terms of the governance structure around cybersecurity, as information security issues currently fall under the umbrella of C-level and executive committees, rather than the company’s board of directors.
Again, the question is how to describe this potential new structure.
“How much can we disclose about defensive methods and processes? Since 2021, we have published quarterly sustainability indicators. Information security was not one of them, but it could become one. The initial idea would be to start by disclosing the materiality of this topic — which is currently zero, as we have never been the victim of a successful cyberattack — and to briefly explain our governance and provide links to the information handling policies we have in place. But we still need to find the right measure of how much to report.”
Readiness under review
Carolina Senna, director of investor relations at utility Cemig, says that in the CVM reference form and the SEC’s Form 20–F, the issue of cybersecurity is already included in the risk factors.
“We have discussed this internally and understand that we do not need to make any changes [to these documents], but we need to be prepared to report material incidents as required if a new attack occurs,” Ms. Senna explains.
This means having response processes outlined and ready to activate quickly, which is causing several companies to review their protection mechanisms and teams.
Cemig was the victim of a cyberattack in 2020. A ransomware invasion affected part of the company’s servers, and its website was offline for almost two days.
“Thanks to the quick detection, there was no major damage. For example, our databases [of customers and suppliers] were not compromised. If we had to report that incident now, we would also have to estimate the financial damage. At the time, there was almost none because the attack did not interrupt our operations,” says Ms. Senna.
She adds that after the attack, Cemig made several improvements, such as implementing more access controls. The company will invest BRL 1.6 billion in information technology this year, including security improvements.
“Our role in IR is always to provide the best possible information to investors and stakeholders. The new SEC requirements are in that direction, although they leave it up to us how to do that, at least for now,” says Ms. Senna, adding that her team is keeping an eye on other U.S.-listed utilities to see how they comply with the new rules.
As time passes and companies find ways to comply with the SEC’s requirements, the regulator is also expected to improve its resolutions and make them more specific.
According to Fabiane Goldstein, founder of FG-IR and a reference in IR for Latin American companies, this entire movement tends to influence other instances of internal and external control of companies.
For her, the SEC’s new rules also tend to have a ripple effect on suppliers and stakeholders, who will also have to find ways to improve their information security policies.
Brazil is consistently one of the top five countries targeted for cyberattacks, which should also lead to new requirements for prevention and protection. Brazilian financial institutions will also have to comply with new rules regarding information security in Brazil.
In March last year, the Central Bank issued a resolution requiring all boards of directors of regulated financial institutions to understand the principles of information security and how to apply best practices.
In addition, as of November this year, regulated institutions will be required to share information on fraud threats in order to improve preventive controls and procedures and reduce risks in their operations.
Search
