The SEC's cyber rules have been approved. What's next?
It's been well over a year since the U.S. Securities and Exchange Commission (SEC) proposed new rules for enhanced cybersecurity disclosures, and today those rules were officially adopted.
Designed to keep investors better informed about a public company’s risk management, strategy and governance — and to ensure that investors are notified in a timely fashion of incidents deemed material to the business — the new rules mandate the following:
- A written description of an organization’s processes, if any, for identifying and managing material risks from cybersecurity threats
- Notification within four days of cybersecurity incidents deemed to be material — either on their own or when aggregated with other subsequent and similar cyber incidents
- Public filings and other reporting on what management is doing to implement security procedures and serve in an oversight role
In short, there’s not a minute to waste when it comes to putting cyber preparations into tangible action — and for boards to step up the disclosure and oversight game.
Next steps for boards
The SEC’s final rules will become effective 30 days following publication in the Federal Register. In the meantime, what actions do boards need to take today, as well as further down the road? How can directors increase their cyber-savviness, and what do they need to know for the future?
“Boards, CEOs, and CFOs want to be looking at these disclosures to make certain that they’re accurate and there’s operating processes in place that are really effective around these risk management areas,” Barbara Berlin, managing director of PwC’s Governance Insights Center, said in an episode of Inside America’s Boardrooms.
Under the new rules, disclosures fall into the following buckets: cybersecurity incidents/overall strategy, risk management and governance. The latter covers many things: risk assessment processes, how the company manages risk by detecting threats and protecting information, business continuity and recovery plans — the list goes on.
Not only will directors need to get used to a new level of disclosure, but they will also need to accustom themselves to new processes. For starters, disclosures on strategy, risk management and governance will now be part of a 10K, rather than the proxy statement as many people expected, Berlin said. “I think this is a pretty significant change,” she said.
Another big change: Disclosing cyber incidents in an 8K, which Berlin estimates only 20% of companies do right now.
Boards can strengthen their cyber knowledge and readiness through:
- Bringing in outside experts for board briefings
- Requiring outside cybersecurity courses and credentials for directors
- Examining the existing knowledge base — is there a cyber expert on the board already, and what are their credentials and expertise?
Finally, all directors should have a macro view of the organization’s cyber programs through assessments and frequent communications with top technology leaders. This is necessary for both overseeing cyber risk and considering these risks in business strategy, financial planning and capital allocation processes. For example, does the organization have adequate insurance and planning in the event of a cyber breach? Is the company modeling the range of financial impacts?
Myrna Soto, CEO and founder of Apogee Executive Advisors, emphasized the governance, risk and compliance (GRC) connection at Diligent’s 2022 Modern Governance Summit — the need to understand what’s being disclosed and the “so what?” from a business standpoint.
“Putting it into business terms works magic in the organization,” she said. “Because when you can contextualize it, now you have to go to a line leader or technology leader and say hey, I really need you to work with me on this project and I need you to give me visibility into what you’re doing.”
Next steps for CTOs, CISOs and CIOs
On the management side, what do chief technology, information security, and information officers need to know about the SEC regulations? What must they do to ensure compliance? How can they set themselves up for success in the future?
First of all, given the compressed timeline for disclosing material cyber incidents, CTOs, CISOs, and CIOs need to make sure cyber reporting is plugged into controls and procedures for disclosures, and ensure clarity in terms of elevating cyber incidents. When does an incident qualify for board notification, and who does the notifying?
Does the company have a top leadership role like a Chief Information Security Officer? What are their credentials? Who does this person report to — and is this reporting independent of the overall IT organization, similar to how internal audit typically doesn’t report within an organization’s overall finance operations?
Bob Ackerman, managing director and founder of AllegisCyber Capital, presents a case for making cyber risk part of the auditing process. “The annual audit is based on an understanding of the company’s business, its risks and its controls to mitigate those risks. It’s a simple, logical conclusion that cyber risk — when measured objectively and with scientific rigor — should be included as part of how the industry and regulators measure and analyze systemic risk for every company.”
Finally, CTOs, CISO, and CIOs must do their part in ensuring — and documenting — a comprehensive cybersecurity program. Some next steps to ensure the necessary nuts and bolts include:
- Administering cyber training for all employees
- Evaluating systems through a third-party cyber penetration testing firm, or white and gray hat cyber exercises
- Upgrading security and backup systems as needed
- Supplementing internal cyber monitoring efforts with those of an externally managed services provider
- Continuously monitoring cyber activity in real time and measuring this activity against security tools and controls
“Measuring the effectiveness of a cybersecurity program is still a rather new concept. But cybersecurity isn’t unknowable,” says Ackerman. “Its complexity doesn’t exempt it from measurement. Today there are many more tools and processes to continuously monitor and measure controls compared to just a few years ago.”
Learn more about how Diligent can help prepare your board for enhanced cybersecurity disclosures.