On July 26, the Securities and Exchange Commission voted to adopt rules to increase transparency with investors around cyber risk management and incident reporting. While this has been on the radar for many public companies for a long time, codifying these rules marks a fundamental shift and another step toward reporting cybersecurity to the Board. There has been a great deal of speculation around the new rules, so CyberSaint put together a quick guide on what security leaders and practitioners need to know about the rules and measures to implement to improve their risk management in cyber security.
Breaking Down the New SEC Cybersecurity Rules
What are the Rules for Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure?
- The SEC has adopted new rules to standardize and enhance public companies' disclosures regarding cybersecurity risk management, strategy, governance, and incidents.
- The amendments require current disclosure about material cybersecurity incidents.
- The rules also require periodic disclosures about a company’s processes to assess, identify, and manage material cybersecurity risks.
What Must Companies Disclose Processes to Assess, Identify, and Manage Material Cybersecurity Risks?
- Companies must disclose their processes for assessing, identifying, and managing material cybersecurity risks and whether such risks have or are likely to significantly impact their business strategy, operations, or financial condition.
- The disclosure should be comprehensive enough for a reasonable investor to understand the processes, including how they are integrated into the overall risk management system and the role of third parties, if any.
- Companies must also disclose if any risks from cybersecurity threats, including past incidents, have materially affected or are likely to materially affect the company's business strategy, operations, or financial condition.
- The rules do not dictate cybersecurity policy but expect companies to tailor their cybersecurity processes to perceived threats.
- While the rules do not prescribe specific risk types, they acknowledge that risks may include intellectual property theft, fraud, extortion, harm to employees or customers, violation of privacy laws, litigation and legal risk, and reputational risk.
Why are the Rules for Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure Important?
- Investor Protection: The rules aim to protect investors by providing timely and decision-useful information about a company's material cybersecurity incidents and risk management strategies. This information allows investors to make informed decisions based on risk tolerance and investment objectives.
- Standardization: The rules standardize cybersecurity risk management, strategy, and governance disclosure across companies. Standardization makes it easier for investors to compare companies and make informed decisions.
- Reflecting the Importance of Cybersecurity: The rules reflect the growing importance of cybersecurity in today's digital world. With the increasing prevalence of cyber threats, companies must have robust cybersecurity risk management strategies in place and for investors to be aware of these strategies.
- Promoting Transparency: The rules encourage transparency and accountability by requiring companies to disclose material cybersecurity incidents and risk management strategies
What is the Goal of the Rules for Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure?
- The new SEC reporting requirement aims to provide investors with timely, practical information about material cybersecurity incidents and standardized information about companies' cybersecurity risk management, strategy, and governance. The goal is to enable informed investment and voting decisions, reflecting the growing importance of cybersecurity. The regulation does not prescribe cybersecurity policy but is deemed necessary for investor protection and public interest, aligning with constitutional principles and promoting efficiency, competition, and capital formation.
Key Factors Security Leaders Should Consider
- Materiality: Understand what constitutes a "material" cybersecurity risk or incident within the context of your organization. This understanding will involve a comprehensive understanding of your business operations, financial condition, and the potential impact of cybersecurity incidents on your business.
- Download our guide to understanding materiality for SEC disclosures.
- Disclosure Processes: Establish clear processes for assessing, identifying, and managing material cybersecurity risks. This includes integrating these processes into your overall risk management system, engaging third parties for assessments or audits if necessary, and overseeing risks associated with third-party service providers.
- Incident Reporting: Develop a robust incident response plan that includes timely reporting of material cybersecurity incidents. The new rules require disclosure about material cybersecurity incidents within four business days.
- Board Oversight: The Board of Directors' oversight of cybersecurity risks is a crucial part of the new rules. Security leaders should ensure that the board is adequately informed about the company's cybersecurity risks and the steps management is taking to manage those risks.
- Regulatory Compliance: Ensure compliance with the new rules, including the requirement to present cybersecurity disclosures in Inline XBRL (eXtensible Business Reporting Language). This may require technical adjustments and additional training for your team.
- Investor Communication: Consider how the new rules will impact your communication with investors. These rules aim to provide investors with meaningful, decision-useful information about a company's cybersecurity risks and incidents.
- Legal Consultation: Given the legal implications of these rules, it would be prudent to consult with legal counsel to ensure that your company's disclosures comply with the new rules.
- Continuous Review and Improvement: Cybersecurity is dynamic, with new threats emerging regularly. Security leaders should ensure that their cybersecurity risk management strategies and processes are periodically reviewed and updated to address these evolving threats.
How Can Companies Ensure Their Disclosures Are Comprehensive Enough For Reasonable Investors To Understand?
- Clarity and Simplicity: Disclosures should be written in clear, simple language that a non-technical audience can easily understand. Avoid jargon and technical terms as much as possible, or provide clear explanations if they must be used.
- Materiality: Disclosures should focus on material cybersecurity risks and incidents. Materiality is determined by whether a reasonable investor would consider the information important in making an investment decision.
- Detail and Context: Provide enough detail and context for investors to understand the nature, scope, and potential impact of the disclosed cybersecurity risks and incidents. This includes describing the company's processes for assessing, identifying, and managing cybersecurity risks and how these processes are integrated into the company's overall risk management system.
- Board Oversight and Management's Role: Describe the role of the Board of Directors in overseeing the company's cybersecurity risks and the role of management in assessing and managing these risks. This can provide investors with insight into the company's governance structure and its approach to cybersecurity risk management.
- Use of Third Parties: If the company uses third parties (e.g., assessors, consultants, auditors) in connection with its cybersecurity risk management processes, this should be disclosed. This can provide investors with additional assurance about the robustness of the company's cybersecurity risk management processes.
- Past Incidents and Lessons Learned: If the company has experienced past cybersecurity incidents, it should disclose these incidents and describe how it has responded and what lessons it has learned. This can provide investors insight into the company's ability to respond to cybersecurity incidents and its commitment to continuous improvement.
- Compliance with the Rules: Finally, companies should ensure that their disclosures comply with the new SEC rules, including the requirement to present disclosures in Inline XBRL format. This may require technical adjustments and additional training for the team preparing the disclosures.
Expect more from CyberSaint in the coming weeks about how to prepare for the new rules - be sure to subscribe to the CyberSaint blog.