Moving Beyond Materiality Disclosures for the SEC Cyber Rules

Published by Joe Breen

Shining light on cyber risk management program disclosure requirements

We’ve discussed materiality extensively in relation to the SEC’s new cybersecurity disclosure rules, but it’s time we address other crucial aspects. The ruling mandates companies to disclose information regarding their cybersecurity risk management programs. This encompasses board oversight, senior leadership involvement, incorporation into overall enterprise risk management, and various other details. This requirement aims to furnish investors with a standardized set of information to aid in their decision-making process.

Cybersecurity threats have become a top concern for investors. As threat actors get more creative, the potential financial impacts of cybersecurity events increase. We’ve seen companies like MGM Resorts discuss significant hits to quarterly and annual earnings in the years in which cyber events occurred.

With the aforementioned considerations in mind, and for those curious about what cyber disclosure might entail, we examined a vast array of 10-K filings. For the sake of brevity, we’ll focus on two companies here: MGM Resorts International and Lockheed Martin. MGM experienced a security event in September, affording them time to deliberate on their approach to cybersecurity disclosures in the 10-K. Conversely, Lockheed Martin has remained out of the news regarding cyber events, but they seized the new annual disclosure requirement as an opportunity to showcase the strength of their security program.

Board of Directors involvement

Following an overview of the current cyber threat landscape, Lockheed delves into Board of Directors involvement. While not excessively detailed, they adequately cover what needs to be disclosed regarding their board’s involvement. Their Board of Directors oversees management’s process for handling all organizational risks, including cybersecurity. They receive regular briefings from senior leadership on cybersecurity risks, typically led by the CISO. An interesting note is their commitment to including and reporting all risks to the board, irrespective of their estimated material impact on the company. MGM follows a very similar process, albeit with an additional step. Instead of the CISO briefing the board directly, they brief MGM’s audit committee quarterly. The audit committee then reviews the report, makes amendments, and presents it to the board. The outcome is the same, but MGM adds an extra layer of filtration.

Corporate information security organization

Lockheed Martin emphasizes the significance of their internal organization tasked with managing enterprise risk. They specifically discuss the different regulations and frameworks they adhere to, which, although not required, shed a positive light on their security practices. They mention compliance with DFARS requirements and their involvement in developing the DoD’s CMMC. MGM follows a similar trajectory, highlighting their use of NIST for overall security assessment and PCI for privacy concerning card transactions.

Axio has recently partnered with registered practitioners on CMMC engagements leveraging the Axio360 platform.

Book a meeting to learn more.

Third-party risk management

In this brief section, Lockheed discloses the engagement of third parties in cybersecurity management, listing their roles and contributions to staying ahead of cybersecurity threats. Lockheed additionally outlines the standards these third parties adhere to, especially given Lockheed’s close ties with the Department of Defense. While Lockheed Martin provides comprehensive details on third-party risk management, MGM’s disclosure is concise. They state they have a third-party risk management program designed to assess risks based on services provided and the level of access to company data.

The objective of this piece was to showcase two companies that took different approaches to the various sections of the SEC’s new disclosure rules: meeting the requirements and exceeding them. In each category, Lockheed Martin successfully met the requirements prescribed by the SEC while also going the extra mile.

Do you want to not only meet the requirements but go the extra mile in keeping the public informed? Axio is positioned to help with our collection of SEC disclosure offerings. Schedule a call today to learn more.