As of July 2023, the U.S. Securities and Exchange Commission (SEC) has moved to adopt a new cybersecurity rule on risk management, strategy, governance, and incident disclosure by public companies. The new rule requires SEC registrants to disclose material cybersecurity incidents and disclose material information on an annual basis. These new regulations will enforce a new degree of transparency for several facets of organizations.
With the new SEC Cyber Reporting Requirements, registered organizations must describe the material aspects of the incident's nature, scope, and timing and its material impact or likely impact. Additionally, the SEC rule requires that organizations describe their cyber risk management process and the Board of Directors’ oversight of cyber risks and management’s role and expertise in assessing and managing cybersecurity threats.
Transparency and Board oversight are two essential themes of the new SEC rule. Follow along in this blog to understand how the new SEC rule impacts cyber risk management in publicly traded organizations.
Increased Transparency in Cyber Risk Management
Trust between companies and people has been hit. Following several data breaches in the past few years, people are worried about their privacy. Add new forms of technology like AI into the mix, along with the misinformation around AI, and the problems grow more complicated. The public’s confidence in the ability of companies and governments to keep private information secure has been eroded. In response, the SEC has taken on a new role in promoting transparency and requiring companies to disclose how they manage cybersecurity risk.
In the past, regulatory boards have let organizations develop their own approaches to cybersecurity and self-regulation. This laissez-faire approach led organizations to have varying levels of security and disparate processes that left people unprotected. People want to see what companies are doing to protect information, and investment is an incentivizing lever that the SEC is betting will improve cybersecurity practices across the board.
The SEC Requires New Board Oversight
An important distinction is that the SEC rule does not mandate that boards engage in oversight. The rule requires disclosing the board's leadership role, which shapes how the investor community perceives the enterprise. Investors want to trust that boards are exercising oversight. This means that Boards need to receive reporting on cyber threats, understand the implications, and demonstrate that they understand the reporting and are asking the right questions. If anything were to go wrong in the organization, the board's judgment would be scrutinized by regulators.
Suppose Board members do not understand the reporting that is brought to them. In that case, it is the responsibility of the Board to ask for that reporting and have it contextualized in business terms. There are several questions the Board should ask of the cyber team; here are a few:
- Regarding the threat landscape, what are security professionals reporting to the Board? And how does that relate to the strategic plan of the organization?
- What is the relationship between the management team's efforts to combat threats?
- Are we combating threats on our most critical business tools? Or are we fighting threats on data that we may not need anymore?
- What data is critical to the organization and is needed to implement short-term and long-term strategic plans?
- What is the correlation between the critical data needed to advance the enterprise and the data we can currently access?
Through these conversations, security professionals often identify a significant amount of data that is needed to move forward, and a lot of data that the organization does not need, that is not core to strategy, and that is heightening its risk.
There’s a normative shift in what we think good business judgment is for the largest companies in the world, and that good judgment includes a good assessment of cyber risks.
The SEC’s Impact on Other Business Ecosystems
While the SEC’s jurisdiction only applies to publicly traded companies, given the interconnectivity of the digital world, the rules will have a domino effect. Enterprises will need to consider the cyber approaches of their vendors and partners. Not only should Boards ask about the cyber risks of their own company, but they must also question the cybersecurity of the company’s vendors, partners, and even customers to better manage who they partner with and which vendors they use.
Companies are beginning to send out more intensive cybersecurity questionnaires to their vendors, with the push coming from the top. Vendor questionnaires are becoming a necessity instead of a nice-to-have. Whether the company is part of the education sector or a nonprofit, every organization should look at how to become a data leader, regardless of industry.
Moving Forward with Mandatory Disclosure
Regarding leadership and Boards, what will be required to be reported on is the board's oversight of risk from cybersecurity threats. Organizations must disclose whether they have a reporting process, and if they have a separate committee on cyber, disclosing that is also encouraged. There is also a requirement to describe how the board stays informed of cyber threats. In addition, management's role in assessing and managing material risks from cybersecurity threats will now need to be disclosed. All of these disclosures need to happen in the annual report. This will be uniformly mandated and implemented across the board starting the next fiscal year.
For CISOs, the new rule means they must work with different leaders within the organization to meet the reporting requirements. CISOs may need to work with the General Counsel, CFO, government affairs, and other C-suite teams to ensure that they report on the correct information required to make informed decisions and that they're meeting the requirements of the disclosure rules.
Even before a breach, it's critical to work with and build relationships with the key stakeholders across finance, legal, and other teams to ensure that when the time comes, CISOs understand what needs to be communicated and discussed with the Board and what is required to report in terms of the materiality of a specific breach.
The Effect of the SEC Rules
The SEC rules have introduced a new level of reporting that raises transparency and forces CISOs and security leaders to collaborate with other organization leaders to ensure they are reporting on the correct information. At the same time, the new rules will push Boards to assess whether they are asking the right questions. Making the mandated disclosures is essential to keeping organizations in good standing with their investors and customers.
Point solutions cannot provide the transparency needed across operations. CyberStrong is an all-in-one cyber risk management platform that delivers automated solutions from cyber risk assessment to executive reporting. Register for our webinar on the SEC cybersecurity rule.
Schedule a demo to learn more about our transparent cyber risk management approach.