Skip to content
Corporate Tax Departments

What corporate tax departments need to know about the SEC’s required reporting of cyber incidents

Nadya Britton  Enterprise Content Manager for Tax and Accounting at Thomson Reuters Institute

· 5 minute read

Nadya Britton  Enterprise Content Manager for Tax and Accounting at Thomson Reuters Institute

· 5 minute read

As US regulators make new reporting requirements around cybersecurity incidents, corporate tax departments can play a big role in ensuring compliance with these disclosures

There is no facet of life that doesn’t have a digital presence both personal and professional — from banking to medical care to simple sharing of photos, jokes, and recipes via social media, our information always is moving across the internet. And that makes the need for digital security most critical, as we seek to protect the online identity, data, and virtual assets of businesses and individuals.

To that end, the U.S. Securities and Exchange Commission (SEC) has introduced new reporting requirements for companies to disclose any cyber incidents that may occur. These requirements have significant implications for corporate tax departments, which handle sensitive financial data and are crucial to maintaining the fiscal integrity of any organization. Tax function leaders need to be aware of what these new requirements entail and how their departments can effectively prepare and comply.

Earlier this year, the SEC adopted rules requiring US issuers to disclose cyber incidents they have experienced along with annually disclosing material information on their cybersecurity risk management, strategy, and governance. (Foreign private issuers under SEC oversight will need to make similar disclosures.) The SEC noted that this move underscores its commitment to transparency and investor protection in the digital age. For corporate tax departments, these requirements mean a heightened responsibility to safeguard financial data and disclose any breaches that may have material implications.

Not surprisingly, cyber-attacks continue to rise. More than 80% of organizations experienced more than one data breach in 2022, according to the 2023 IBM Data Breach report. Indeed, the impact of cyber incidents can be costly — the global average cost of a data breach in 2023 pegged at $4.45 million, and the total number of ransomware attacks rose by 13% over the last five years. And the cost of cyber incidents can go beyond financial — businesses can face their customers’ loss of confidence in the company, which could result in lost business and a compromised reputation.

The role of tax departments

Corporate tax departments are one of the few departments in a company that touches every part of the business, utilizing data from all aspects of the company and basing their financial reporting on this data. Now, tax departments must factor in the risk of cyber incidents into their financial reporting processes. Incidents, which by the way, can compromise the accuracy and integrity of their financial data and directly impact tax reporting and disclosures.

In the Thomson Reuters Institute’s recent 2023 State of the Corporate Tax Department, 80% of corporate tax survey respondents said their departments have half or less of their work automated. Also, those respondents that said their departments felt under-resourced received more frequent and higher tax penalties compared to those respondents who felt their departments were sufficiently resourced. Given the sensitive nature of the data they handle, tax departments must be vigilant about data privacy and security.

Understanding the new SEC regulations and what it means for their company is crucial for tax departments to avoid these risks. As departments do their work, they must understand in advance what the potential risks are for their department. That means that risk assessment and management are key.

Corporate tax survey respondents said their departments have half or less of their work automated. Yet, given the sensitive nature of the data they handle, tax departments must be vigilant about data privacy and security.

By reviewing and understanding the SEC regulations and making sure their own procedures adhere to the SEC reporting guideline is essential, including establishing clear procedures for detecting, reporting, and responding to cyber incidents. Effective communication and collaboration with their companies’ IT and cybersecurity teams also are critical. This partnership ensures that tax-related data is adequately protected against an increasing number of cyber-threats.

And by working closely with IT, tax departments can beef-up their own security measures and ensuring that the department has and is using protective steps like encryption when dealing with sensitive documents and data. Indeed, leaders need to consider establishing multi-factor authentication and more importantly, making sure staff is adhering to regularly updating the system’s software.

Whenever possible, such security measures should be incorporated into the workflow or done through formally scheduled security audits. These are critical steps for department leaders to begin being able to predict where their vulnerabilities may lie in how the team works, especially as it handles a tremendous amount of critical data. In this case, prevention is better than a cure — a joint study conducted by Stanford University and a security firm found that more than 80% of data breaches are caused by employee mistakes. Continuously educating staff about cybersecurity best practices and the importance of reporting irregularities can significantly reduce the risk of such breaches.

The new SEC reporting requirements on cyber incidents underscore the increasing intersection between cybersecurity and financial reporting. Corporate tax departments, as custodians of critical financial data, must take proactive steps to align their operations with these requirements. By enhancing cybersecurity measures, revising policies, and fostering a culture of compliance and awareness, tax departments can not only comply with these new regulations but also fortify their defenses against the ever-evolving landscape of cyber-threats.

More insights