SEC Cyber Regulations

Regulatory Background

The SEC's involvement in cybersecurity dates back to its foundational mission of protecting investors and maintaining market integrity. Key historical developments include:

2011: The SEC issued initial guidance to public companies, emphasizing the importance of disclosing material cybersecurity risks and incidents.

2014: Regulation S-ID (Identity Theft Red Flags Rule) became applicable to certain financial institutions and creditors, requiring them to implement identity theft prevention programs.

2018: The SEC released updated guidance reinforcing the need to accurately disclose cyber incidents and risks, emphasizing board oversight and timely reporting.

Significant SEC Cybersecurity Regulations

Regulation S-P (Privacy of Consumer Financial Information): Requires financial institutions to implement policies for protecting customer data and provide privacy notices.
Regulation S-ID (Identity Theft Red Flags Rule): Mandates certain financial institutions to detect and mitigate identity theft.
Disclosure Guidance (2011 & 2018): Clarifies the need for accurate and timely disclosure of cyber risks and incidents in SEC filings.

Recent SEC Regulatory Developments

Proposed Rules on Cyber Incident Reporting (2022): The proposed rules focus on improving the transparency of cybersecurity disclosures in three main areas: incident reporting, risk management, and governance.

Companies must disclose their policies and procedures for identifying and managing cybersecurity risks in their annual reports (Form 10-K). Disclosures must specifically mention whether the company has a cybersecurity risk assessment program and how cyber risks are integrated into the company’s overall risk management strategy. This step includes detailing the company’s approach to mitigating cyber risks (e.g., business continuity plans, third-party management) and how previous cyber incidents have influenced cybersecurity policies and procedures.

SEC Disclosures Guidance and Requirements

The recently proposed rules require companies to provide detailed disclosures on board oversight of cybersecurity risk and management’s role in implementing cybersecurity policies.

Requirements for Board Oversight include identifying any board members or committees responsible for overseeing cybersecurity risks. Organizations must also provide information on the board’s role in cybersecurity governance and outline the frequency of board discussions on cybersecurity matters.

Disclosures about management include identifying which members are responsible for managing cybersecurity risks and describing management’s role in implementing cybersecurity policies, procedures, and strategies. Organizations must also explain how management assesses and reports cybersecurity risks to the Board.