Newsletter

The Securities and Exchange Commission (SEC) has published a recent ruling in July of last year Cybersecurity Risk Management, Governance, and Incident Disclosure, making cyber readiness a top priority for executives across organizations, not just the CISO or Head of IT. At Celito, we have partnered with several public life sciences companies to ensure they are not only compliant but also fully prepared to respond to cyber incidents for these new disclosure requirements.

According to this new disclosure ruling, organizations must report any cyber incidents with a material impact within four business days of determining that impact.

What Constitutes a Material Impact?

An incident is deemed material if it significantly affects the organization’s operations, financial standing, legal obligations, or reputation. IT and cybersecurity teams play a crucial role in triggering materiality assessments by identifying scenarios that could lead to significant impacts, such as:

• Business Interruption: This includes shutdowns, disruptions, study delays, data loss, intellectual property loss, or issues with third-party systems.
• Lost Revenue: When cyber incidents result in a loss of business value or revenue.
• Ransom Payments: Situations where an organization is forced to pay a ransom to regain control of its systems or data.
• Remediation Costs: The costs associated with responding to and recovering from a cyber incident.
• Liabilities to Affected Parties: Potential liabilities that arise from data breaches or other cyber incidents affecting customers, partners, or other stakeholders.
• Cybersecurity Protection Costs: Expenses incurred to enhance cybersecurity measures following an incident.
• Lost Assets or Devices: Situations where critical assets or devices are lost or compromised.
• Litigation or Regulatory Investigation Risks: The potential for legal action or regulatory scrutiny resulting from a cyber incident.
• Reputational Damage: The long-term impact on the organization’s reputation, which can affect investor confidence and customer trust.

Reflecting on the First Year of Conformance:

Now that the first year of conformance is behind us, with the 10-K filing cycle completed, through our experiences in consulting with companies within the life Sciences industry, we have observed some key differences between companies that were well-prepared and those that were not.

Companies that were well-prepared:

• Proactive Risk Management: These companies had already established robust cyber risk management frameworks, which allowed them to swiftly identify and assess potential material impacts from cyber incidents.
• Streamlined Reporting Processes: Their well-defined processes enabled timely and accurate reporting of material incidents, ensuring compliance with the SEC’s new requirements.
• Comprehensive Incident Response Plans: They had integrated their cybersecurity incident response plans with other business continuity plans, which facilitated coordinated and effective responses during incidents.

Companies that were less prepared:

• Delayed Response: Some companies struggled with delayed reporting due to inadequate processes for determining materiality or identifying incidents that warranted disclosure.
• Fragmented Incident Management: In organizations without integrated incident response plans, the response to cyber incidents was often fragmented, leading to inefficiencies and communication breakdowns.
• Reactive Approach: Companies that took a reactive rather than proactive approach to cyber risk management found themselves scrambling to comply, often at the expense of their broader operational stability.

With the last year’s ruling effective beginning on December 18, 2023, is your organization ready?

• Does your organization have a cyber risk management strategy in place to assess, identify, and manage material risks?
• Is there a clear process to determine material incidents and report them on Form 8-K within four business days of determination?
• Does your organization have a comprehensive incident response plan that outlines who is responsible for managing incidents and how they will be handled?

Penalties for Non-Conformance:

Non-compliance with the SEC’s new cyber disclosure ruling can result in significant penalties, including:

• Fines and Financial Penalties: The SEC can impose substantial fines on organizations that fail to comply with the disclosure requirements.
• Legal Action: Non-compliance may lead to lawsuits from shareholders or other stakeholders, particularly if a company fails to disclose material risks or incidents, resulting in financial losses.
• Reputational Damage: Failure to comply can severely damage an organization’s reputation, leading to loss of investor confidence and customer trust.
• Increased Regulatory Scrutiny: Organizations that fail to comply may face more frequent audits or investigations, putting additional pressure on their operations.
• Potential Delisting: In extreme cases, continued non-compliance could result in a company being delisted from stock exchanges, particularly if the SEC determines that the failure to disclose material information undermines market integrity.

How Celito Can Help:

At Celito, we have assisted several public life sciences companies in becoming compliant with the SEC’s new ruling by refining their cyber risk management strategies and enhancing their incident response plans. Our approach ensures that organizations are not just meeting regulatory standards but are also positioned to maintain business continuity and protect their reputation.

Ensuring Your Cyber Readiness:

To help your organization answer those critical questions about readiness:

• Develop a Robust Cyber Risk Management Strategy: A well-structured strategy enables your security team to better understand various business units, critical processes, and assets, leading to enhanced visibility and control.
• Integrate Your Incident Response Plan: Align your cybersecurity incident response plan with other business continuity processes, ensuring that it is comprehensive and effective. Clearly define who will manage communication and report incidents, especially on Form 8-K.
• Stress-Test Your Systems: Regular tabletop exercises are key to validating your incident response plan and materiality determination process. These exercises help ensure that your team can maintain operations during an incident and respond effectively.

Conclusion:

With the SEC’s new cyber disclosure ruling now in effect, ensuring your organization is fully prepared is more than just a regulatory requirement—it is essential for protecting your business. Now is the time to assess your cyber risk management strategies, refine your incident response plans, and ensure that your processes for reporting material incidents are seamless.

Do not wait until an incident exposes gaps in your readiness. Take proactive steps today to stress-test your systems and empower your team to respond effectively. Staying ahead of cyber threats is your best defense.