The SEC Proposes New Cybersecurity Standards
In March 2022, the SEC (Securities and Exchange Commission) released its proposal on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure. The proposal builds on the interpretive guidance the Commission issued in 2018, which in turn expanded on staff guidance from 2011. It is the first time the SEC has spelled out detailed, prescriptive disclosure requirements for the cybersecurity management it expects from public companies (a separate proposal for investment advisers and funds was issued the month before).
The SEC notes that although cybersecurity management at registrant companies has improved markedly since 2018, disclosure remains a weak point. Even when incidents are publicized, the SEC often observes a lack of timeliness, transparency, and consistency. The SEC’s stated goal is “to better inform investors about a registrant’s risk management, strategy, and governance and to provide timely and accurate notification of material cybersecurity incidents.”
The proposal focuses on four areas:
- Disclosure of cybersecurity incidents
- Periodic updates of previously reported incidents
- Risk management strategy disclosure
- Reporting of board-level cybersecurity oversight
Disclosure of cybersecurity incidents
The first section of the proposal requires a company to notify the SEC and its stakeholders of a material cybersecurity incident within four business days of determining that the incident is material. The SEC defines materiality using the established securities-law standard: information is material if “there is a substantial likelihood that a reasonable shareholder would consider it important.” Notably, the four-day clock starts from the determination that an incident is “material,” not from the time of the actual attack or breach. The proposal also expects that determination to be made without unreasonable delay after discovery, so the clock cannot simply be deferred.
The four-day deadline is an extremely tight timeframe that would challenge even cyber-mature organizations and could overwhelm smaller companies with a less developed security posture. Affected organizations would need a forensics team working around the clock to establish scope and impact, complete a materiality analysis in record time, and prepare the disclosure, all while still responding to the actual breach or threat.
Incident disclosures would be reported on Form 8-K. Form 8-K, also referred to as a “current report,” is the form public companies file to notify the SEC and shareholders of unscheduled corporate events. As proposed, the disclosure would include:
- When the event was discovered and whether it is still in progress
- A brief description of events
- Whether any data was subject to theft, access, or unauthorized use
- Effects of the event on operations
- Whether the registrant remediated the incident or is in the process of remediation
Periodic Updates of Previously Reported Incidents
After the initial disclosure, the proposal requires registrants to report any material changes, additions, or updates to a previously disclosed incident in their periodic reports, the annual Form 10-K and quarterly Form 10-Q. The periodic disclosure requirements also cover the case in which “a series of previously undisclosed individually immaterial cybersecurity incidents has become material in the aggregate.” For example, if an attacker carries out a string of individually minor intrusions against a company over time, those incidents may eventually qualify as a material incident when taken together, and would then have to be disclosed.
Risk Management Strategy Disclosure
The SEC’s proposal would amend Form 10-K to require registrants to disclose the policies and procedures they use to “identify and manage cybersecurity risks and threats.” The rules include a non-exclusive list of items that may require disclosure, such as whether:
- the registrant has implemented a cybersecurity risk assessment program
- the registrant engages third parties in connection with its cybersecurity risk assessment program
- the registrant has oversight procedures to identify the cybersecurity risks associated with any third-party service provider
- the registrant has activities in place to prevent, detect, and mitigate the impact of cybersecurity incidents
- business continuity, contingency, and recovery plans are in place in the event of an incident
- previous incidents have led to changes in the registrant’s governance, risk, and compliance (GRC) policies and procedures
- cybersecurity risk factors are reasonably likely to affect the registrant’s operational and financial resilience
- cybersecurity risks are considered in the planning of governance policies and business strategies
Board Level Oversight
The new SEC cybersecurity disclosure requirements emphasize board-level management of cybersecurity strategies and procedures. This emphasis is a new and critical concept in today’s corporate governance, as cyber incidents have shown strong upward trends in both frequency and impact. Gartner predicts that by 2025, 40% of boards will have dedicated cybersecurity committees with direct oversight from the board, up from less than 10% today. Board expertise in cybersecurity signals that cybersecurity is a basic corporate requirement driven from the governance level down to the IT department, and not the reverse.
Under the SEC cybersecurity disclosure requirements, registrants would provide disclosures about the oversight of cybersecurity risk by the company’s board of directors and management. Disclosure would include:
- whether the full board, a board committee, or specific directors have oversight of cybersecurity risk
- the frequency of cybersecurity planning and the process by which the board is informed of new risk factors
- to what extent cybersecurity is included in core business strategies
- whether any board member has expertise in cybersecurity matters, and which management roles (for example, a CISO) are responsible for assessing and managing cybersecurity risk
Start Getting Value With
Centraleyes for Free
See for yourself how the Centraleyes platform exceeds anything an old GRC
system does and eliminates the need for manual processes and spreadsheets
to give you immediate value and run a full risk assessment in less than 30 days
Comments, Please
The SEC accepted comments on the proposal for 60 days following its publication. The submitted comments raised several valid concerns about the proposed cybersecurity disclosure rules. For example:
- The proposal allows no exceptions to the four-day rule, even where law enforcement considers disclosure detrimental to an investigation of the incident. If delaying disclosure could, in the expert opinion of law enforcement, increase the chances of recovering stolen funds or identifying the perpetrators, wouldn’t temporary relief from the disclosure requirement better protect investors’ interests?
- The proposal’s definition of a cybersecurity incident includes an occurrence “that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems…”. Under that wording the reporting requirement could be triggered by a mere possibility of harm, even if no actual compromise has occurred. Such inconclusive information is unlikely to be valuable enough to stakeholders to justify such aggressive action.
- With such a strong emphasis on the speed of the materiality analysis and the subsequent disclosure, hasty decision-making will arguably reduce the quality and accuracy of both the assessment and the disclosure.
- Regarding immaterial incidents that aggregate over time, the proposal appears to require registrants to perpetually quantify and aggregate the impact of small incidents over undefined periods. This information is unlikely to prove meaningful to investors and stakeholders.
- The expectation that a board member should ideally have cybersecurity expertise would pressure registrants to appoint a technical cybersecurity expert to the board, regardless of whether that person is the best candidate for the position.
- While framed as disclosure rules, the stringent requirements on corporate management arguably exceed the SEC’s authority, amounting in the words of one commenter to “an unprecedented micromanagement by the Commission of the composition and functioning of both the boards of directors and management of public companies.”
Impact of the SEC Proposal
Rapid incident disclosure has caught public attention as the most dramatic of the proposed requirements. The last section of the proposal, with its new requirements on the board’s role in governance and risk management, may seem less notable. On closer review, though, those requirements could have a powerful impact on the security landscape in the years to come. Board oversight will bring cybersecurity to the forefront of business continuity and operational resilience planning. Security teams will no longer bear the burden of convincing board members of risk factors and security policies on their own. Instead, governance policies with an emphasis on cybersecurity will flow down from corporate leadership to every part of the enterprise.
As cybersecurity is brought to the top of corporate management, companies will require agile tools that help streamline their risk management and cybersecurity procedures. The right automated solution can help your company ace new reporting and compliance requirements with greater efficiency. Centraleyes has developed a scalable platform that evolves with the digital world. With a fantastic “Board View” feature, visual metrics and data-driven insights can help executives make informed decisions, translating technical risk into business risk. Use the reporting tools to produce accurate reports to better inform investors about risk management, governance, and compliance strategies.
Call us to see how Centraleyes can improve your cybersecurity posture and keep your risk management in shape.