Cybersecurity is at the forefront of everyone’s minds lately and rightly so. In July 2023, the Securities and Exchange Commission adopted rules requiring registrants to disclose material cybersecurity incidents they experience and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance.
This rule went into effect for annual reports with fiscal years ending on or after December 15, 2023. There has been some difficulties from a practical perspective on how to implement it, as it includes disclosures of the financial impact, which can be hard to measure immediately.
For example in its December 31, 2023 filing, Microsoft disclosed that it had been subject to an email hack. What is the monetary damage from emails being leaked? In particular if say it includes strategy & business plans going to a hacker and ultimately a competitor or investor? How do we measure the competitive impact of say an ad agency putting in a marketing bid based on such information?
Then of course, on July 19, 2024 the incident involving CrowdStrike users and Microsoft Windows came into play. This is when all of sudden the monetary damages (excluding cybersecurity insurance payments) became a much more real and tangible number.
An article quoted Delta’s CEO saying they have no choice but to sue Crowdstrike (and potentially Microsoft) due to $500M in lost revenue alone. The glitch from that day impacted many major players in other industries / organizations / governments and the amount of damage as well as potential lawsuits is much larger.
It will be extremely interesting to see how Crowdstrike & Microsoft incorporate this disclosure in their next round of financial reporting.
The lesson learned here is that all parties involved in the operations of the company must be aware of what is actually the secondary requirement of Regulation S-K Item 106. Item 106 requires registrants to describe their processes for assessing, identifying, and managing material risks from cybersecurity threats but also the board of directors oversight of such risks. Stay tuned for Part 2 of this series in which we go into further details of this requirement.