Automating Compliance: Navigating New SEC Rules for Cybersecurity Disclosure

Generative AI
CyberRisk
September 19, 2023

Introduction

On July 26, 2023, the Securities and Exchange Commission (SEC) took a significant step forward in bolstering cybersecurity transparency for investors. After more than a year of debate following its March 2022 proposal, the SEC adopted its final rules, ushering in a new era of disclosure requirements. These regulations are aimed at ensuring that investors have timely and consistent access to vital information concerning cyber risk within the companies they invest in.

The need for these rules became increasingly evident as cyber threats evolved and expanded in scope and sophistication. Investors sought assurance that the companies they entrusted with their capital were not only aware of these risks but also actively managing them. The culmination of these discussions may not have satisfied everyone's expectations, but it represents a substantial stride towards a more secure and transparent corporate landscape.

With these new regulations now in place, the real work begins for public companies across the United States. The focus lies on providing investors with transparency through formal disclosures filed on SEC forms: a new Item 1.05 of Form 8-K for material incidents, and a new Item 106 of Regulation S-K, reported in the annual report on Form 10-K, for risk management, strategy, and governance.

These disclosures fall into three distinct categories, each with its own unique importance:

1. Cyber Risk Management: Companies will be required to divulge their strategies and processes for monitoring and managing cyber risk. This disclosure aims to provide investors with insight into a company's proactive approach to safeguarding its digital assets and sensitive information.

2. Cyber Risk Governance: This disclosure spotlights how cyber risk is overseen within the company: which board committee (if any) oversees it, which management positions or committees are responsible for assessing and managing it, the relevant expertise of those managers, and how they are informed about incidents and report up to the board. (The proposal's requirement to identify cybersecurity experts on the board itself was dropped from the final rule.) Investors can gain a clearer understanding of the expertise and diligence guiding cybersecurity efforts.

3. Material Cyber Incidents disclosure (Within Four Business Days): Perhaps the most critical aspect of the new rules, this disclosure mandates the reporting of material cyber incidents on Form 8-K. Companies are obligated to describe the material aspects of the nature, scope, and timing of the incident and its material impact or reasonably likely material impact, applying the federal securities law standard of materiality from the perspective of a reasonable investor. The four-business-day clock starts when the company determines that the incident is material, not when it is discovered, and the rule requires that determination to be made without unreasonable delay after discovery. The only sanctioned exception to the timeline is a written determination by the U.S. Attorney General that immediate disclosure would pose a substantial risk to national security or public safety.

With these new rules, companies have a lot of work ahead to make sure they comply. Failure to do so exposes them to SEC enforcement and erodes the trust of their investors.

In this blog, we'll dive deeper into these SEC rules, breaking down what they mean and what challenges companies might face. We'll also explore how technology can make it easier for companies to follow these rules and keep everyone in the loop. Join us on this journey as we unravel the world of cybersecurity disclosure in our digital age.

Cyber Risk Governance

When it comes to managing cyber risks, the buck stops with corporate boards. These boards are responsible for determining how much risk a company can tolerate, and then they must allocate the necessary resources to manage that risk effectively.

Now, you might be wondering, with the SEC's new rules, how will companies go about disclosing their cyber risk governance? The SEC lists the topics the governance disclosure must cover (board oversight, management's role and expertise, and how information about cyber risk flows to the board) but prescribes no format or level of detail, so expect some variation in the reports companies submit. However, there are common threads that are likely to run through these disclosures.

Key Responsibilities and Mechanisms

Companies will typically enumerate the key responsibilities and mechanisms related to cyber risk governance in their disclosures. This includes detailing how their corporate boards, specific board-level committees tasked with overseeing cyber risk, and executive and management-level committees are structured and what their roles are in managing cyber risks.

Transparency in Reporting

Transparency is the name of the game when it comes to reporting on cyber risk. Companies must be clear about the type and amount of reporting they provide concerning cyber risk. This involves three primary areas:

1. Reporting to the Board: This information will usually be a combination of insights from board committees and executive management. It's all about keeping the board in the loop about what's happening in terms of cyber risks.

2. Reporting to Board Committees: Executive management will step up here, providing the board committees with key insights into trends, exceptions, and changes in the risk landscape or cybersecurity posture. This helps board committees assess the evolving threat landscape.

3. Reporting to the Executive Committee: This reporting involves a cross-functional leadership team that spans various areas within the organization. It typically includes representatives from security, technology, business operations, legal, and risk departments. This diverse group ensures a comprehensive understanding of cyber risks and their potential impacts.

These disclosures play a crucial role in keeping all stakeholders informed about the company's cybersecurity strategies and readiness.

Cyber Risk Management

Risk Tolerance

Understanding and defining a company's risk tolerance is paramount. This responsibility primarily falls on the shoulders of the board of directors, as they are tasked with setting the acceptable level of cyber risk for the entire enterprise. While input and suggestions from board committees and management are valuable, the ultimate accountability rests with the board itself. After all, they are the ones who make these critical determinations and subsequently provide the necessary guidance and resources.

Risk Measurement and the Need for Quantification

Equally important is the task of risk measurement, and now, more than ever, the call for risk quantification is resounding. To effectively manage cyber risks, a company must possess a clear and universally understood methodology for quantifying these risks. Some organizations employ cybersecurity maturity as a benchmark for assessing cyber risk, while others take a more advanced approach, utilizing probabilistic models to estimate cyber risk in financial terms. Regardless of the chosen method, the essence lies in having a precise and agreed-upon definition that both the board and management can endorse and act upon.  
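The paragraph above mentions probabilistic models that express cyber risk in financial terms. The block below is an added example of that approach (a FAIR-style Monte Carlo simulation), written for this page and not taken from the original post or any vendor platform. It models incident frequency as a Poisson process and loss per incident as a lognormal distribution, then reports the expected annual loss, tail percentiles, and how often a simulated year breaches the board's stated loss tolerance. The scenario figures (0.3 incidents per year, a $2M median loss, a $10M tolerance) are constructed for illustration.

```python
"""FAIR-style Monte Carlo estimate of annual cyber loss.

Added example for illustration; not code from the original post.  The
scenario parameters below are constructed, not measured figures.
"""
import math
import random
from typing import Dict, List


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's inverse-transform Poisson sampler (fine for small rates)."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1


def simulate_annual_losses(freq_per_year: float, loss_median: float,
                           loss_sigma: float, years: int = 20_000,
                           seed: int = 7) -> List[float]:
    """Simulate total loss per year for one scenario.

    Incident count per year ~ Poisson(freq_per_year); loss per incident ~
    LogNormal with the given median and log-space sigma.  Returns one
    total-loss figure per simulated year.
    """
    rng = random.Random(seed)
    mu = math.log(loss_median)           # lognormal median == exp(mu)
    totals = []
    for _ in range(years):
        n = _poisson(rng, freq_per_year)
        totals.append(sum(rng.lognormvariate(mu, loss_sigma) for _ in range(n)))
    return totals


def exceedance_probability(losses: List[float], threshold: float) -> float:
    """P(annual loss > threshold): one point on the loss-exceedance curve."""
    return sum(1 for x in losses if x > threshold) / len(losses)


def summarize(losses: List[float], tolerance: float) -> Dict[str, float]:
    """Board-facing summary: expected loss, tail percentiles, and how often
    a simulated year exceeds the board's stated loss tolerance."""
    s = sorted(losses)
    n = len(s)

    def pct(p: float) -> float:
        return s[min(n - 1, int(p * n))]

    return {
        "expected_annual_loss": sum(s) / n,
        "p50": pct(0.50),
        "p95": pct(0.95),
        "p99": pct(0.99),
        "prob_exceeds_tolerance": exceedance_probability(s, tolerance),
    }


if __name__ == "__main__":
    # Constructed scenario: ransomware against one business unit,
    # 0.3 incidents/year, median loss $2M, wide (sigma=1.0) uncertainty,
    # against an assumed board tolerance of $10M in any single year.
    losses = simulate_annual_losses(0.3, 2_000_000, 1.0)
    for key, value in summarize(losses, 10_000_000).items():
        print(f"{key:>24}: {value:,.2f}")
```

The number the board can act on is `prob_exceeds_tolerance`, not the average: two scenarios with the same expected loss can differ enormously in tail risk, and it is the tail that decides whether the current control spend, or the insurance limit, is adequate.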

Resilience Management

With the rising likelihood of adverse cyber incidents, it's imperative that cybersecurity strategies incorporate resilience management. Companies should establish and test recovery and contingency plans to enhance their ability to bounce back quickly in the event of an incident. The goal is to minimize disruptions to normal operations while ensuring a swift recovery.

Cybersecurity Strategies and Insurance

Every company must have a robust cybersecurity strategy in place. Many organizations build their strategies on industry-standard frameworks such as the NIST Cybersecurity Framework (from the National Institute of Standards and Technology). This approach simplifies the process of describing those strategies in SEC disclosures, and using the framework's common terminology ensures precise communication within the organization and with key stakeholders, including vendors, regulators, and auditors.

However, even the most prepared companies can face cyber incidents. This is where cyber insurance comes into play. Some companies view cyber insurance solely as a means to shift potential financial uncertainty to a third party, but it also serves as a valuable support system during crises, typically bringing breach counsel, forensic responders, and crisis communications firms with it. Companies should conduct thorough research to find cyber insurance providers and plans that align with their specific needs and budgets, and should confirm that the policy's notification clauses are compatible with the SEC's four-business-day disclosure timeline. A well-chosen cyber insurance plan can provide critical assistance in times of need.

Cyber Incident Disclosures

Cyber events can escalate into cyber incidents, and incidents into material incidents, but where a given incident crosses the materiality line is rarely crystal clear. That's why it's essential for each company to establish a shared and precise definition of what constitutes a "material" incident within their organization, involving both the board and management, and to record the date of each materiality determination, since the four-business-day disclosure clock starts there.

Given the urgency of disclosing material incidents promptly, there are several crucial aspects that company stakeholders should take into consideration:

1. Incident Classification: The board and executive leadership should adopt a well-defined methodology for classifying cyber incidents, particularly those that may ultimately be labeled as material. Having a clear system in place ensures everyone understands how to categorize and prioritize incidents. Keep in mind that the rule's definition of a cybersecurity incident covers a series of related unauthorized occurrences, so a string of individually minor events may add up to a material one.

2. Incident Response: A structured and efficient process for managing the resolution and recovery of material incidents is crucial. The board and executive leadership need to have a well-prepared strategy in place to address the incident promptly and effectively.

3. Crisis Response Plans: In preparation for material incidents, the board and executive leadership should establish predefined roles and crisis response plans. These plans should include templates for communication, updated contact information for company personnel, details of key third-party contacts, and information for law enforcement if necessary.

4. Regular Testing: Efficient execution and coordination are vital for the rapid identification and disclosure of material incidents. To ensure that everyone understands their roles and responsibilities, routine drills should be conducted. After-action reviews following these drills help identify areas that require improvement, allowing for continual enhancement of the incident response process.  

By proactively addressing these areas, companies can not only navigate the complexities of cyber incident disclosures more effectively but also minimize the potential impact of material incidents on their operations and reputation.
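
Steps 1 through 4 above all hinge on one date: the day the company determines an incident is material. The block below is an added example of the kind of tracker a cyber risk automation platform would run for the four-business-day Form 8-K timeline; it is written for this page and is not code from the original post or any product. It computes the due date from the materiality determination rather than from discovery, skips weekends and holidays, accounts for an Attorney General national-security delay when one has been granted, and reports how long an undetermined incident has been open. The holiday set and the sample incident are constructed for the illustration; a real deployment would load the company's authoritative business-day calendar.

```python
"""Disclosure-deadline tracker for SEC Form 8-K Item 1.05.

Added example, not code from the original post.  The holiday set is an
assumed, hand-constructed calendar; a real deployment would load the
company's authoritative business-day calendar.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Set

# Assumed holidays for the illustration (Christmas 2023, New Year's Day 2024).
HOLIDAYS: Set[date] = {date(2023, 12, 25), date(2024, 1, 1)}

DISCLOSURE_WINDOW_BUSINESS_DAYS = 4   # Item 1.05 timeline


def is_business_day(d: date, holidays: Set[date] = HOLIDAYS) -> bool:
    return d.weekday() < 5 and d not in holidays


def add_business_days(start: date, n: int, holidays: Set[date] = HOLIDAYS) -> date:
    """Walk forward n business days from start (start itself is day zero)."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if is_business_day(d, holidays):
            n -= 1
    return d


def business_days_between(start: date, end: date, holidays: Set[date] = HOLIDAYS) -> int:
    """Count business days in (start, end]; negative if end precedes start."""
    if end < start:
        return -business_days_between(end, start, holidays)
    count, d = 0, start
    while d < end:
        d += timedelta(days=1)
        if is_business_day(d, holidays):
            count += 1
    return count


@dataclass
class IncidentRecord:
    incident_id: str
    discovered_on: date
    determined_material_on: Optional[date] = None   # None: not yet determined
    # Set only if the U.S. Attorney General has authorised a delay in writing.
    ag_delay_until: Optional[date] = None


def form_8k_due_date(rec: IncidentRecord, holidays: Set[date] = HOLIDAYS) -> Optional[date]:
    """Due date is four business days after the materiality determination,
    not after discovery.  A granted AG delay pushes it to the delay's end."""
    if rec.determined_material_on is None:
        return None
    due = add_business_days(rec.determined_material_on,
                            DISCLOSURE_WINDOW_BUSINESS_DAYS, holidays)
    if rec.ag_delay_until is not None and rec.ag_delay_until > due:
        return rec.ag_delay_until
    return due


def disclosure_status(rec: IncidentRecord, today: date, holidays: Set[date] = HOLIDAYS) -> str:
    """Human-readable status line for a compliance dashboard."""
    if rec.determined_material_on is None:
        waiting = business_days_between(rec.discovered_on, today, holidays)
        return (f"{rec.incident_id}: materiality undetermined, "
                f"{waiting} business days since discovery")
    due = form_8k_due_date(rec, holidays)
    remaining = business_days_between(today, due, holidays)
    if remaining < 0:
        return f"{rec.incident_id}: OVERDUE by {-remaining} business days (due {due})"
    return f"{rec.incident_id}: Form 8-K due {due} ({remaining} business days left)"


if __name__ == "__main__":
    # Constructed incident: discovered Wed 2023-12-20, judged material Fri 2023-12-22.
    rec = IncidentRecord("INC-2023-0042", date(2023, 12, 20), date(2023, 12, 22))
    print(disclosure_status(rec, date(2023, 12, 27)))
```

The "materiality undetermined" branch is the one to watch on a dashboard: the rule does not let a company stop the clock by never making the determination, so a rising count of business days since discovery is itself a compliance signal.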

Seizing the Opportunity with Cyber Risk Automation: Prepare for December 2023

Many companies find themselves unprepared to meet the demands of these new SEC rules, and the compliance dates are close: the Form 8-K incident disclosure requirement applies from December 18, 2023 (smaller reporting companies get an additional 180 days), and the Form 10-K risk management, strategy, and governance disclosures are required for fiscal years ending on or after December 15, 2023. That leaves a very short window to make the necessary adjustments, a challenging task given the extensive work required for compliance. For stakeholders in public companies, procrastination is no longer an option. It's imperative to kickstart the preparations now, understanding that these changes are substantial and can't be rushed. This timeline is even more pressing for those currently lacking the capabilities to meet the SEC's disclosure requirements.

Begin by evaluating your company's existing capabilities against the new disclosure items and quickly implementing the necessary improvements. Keep in mind that the planning phase will consume more time than expected, and you may need to refine your strategies through multiple iterations. This is the right time to explore integrating a Cyber Risk Automation platform into your cybersecurity and risk management processes: one that keeps the risk register, the materiality determinations, and the disclosure deadlines in a single system of record. Such a platform can streamline and automate much of the work, making compliance with the new SEC rules both more efficient and more defensible. So seize the moment, embrace automation, and proactively prepare for the changes ahead.

References:  

1. [SEC's New Cybersecurity Disclosure Rules](https://www.sec.gov/news/press-release/2021-183)