As of July 2023, the U.S. Securities and Exchange Commission (SEC) has moved to adopt a new cybersecurity rule on risk management, strategy, governance, and incident disclosure by public companies. The new rule requires SEC registrants to disclose material cybersecurity incidents and disclose material information on an annual basis. These new regulations will enforce a new degree of transparency for several facets of organizations.
With the new SEC Cybersecurity Rule, registered organizations must describe the material aspects of the incident's nature, scope, and timing and its material impact or likely impact. Additionally, the SEC rule requires that organizations describe their cyber risk management process, the Board of Directors’ oversight of cyber risks, and management’s role and expertise in assessing and managing cybersecurity threats.
The new SEC rule's two essential themes are transparency and board oversight. Follow along in this blog to understand how the rule impacts cyber risk management in publicly traded organizations.
The SEC requires publicly traded companies to report material cybersecurity incidents, including data breaches, through a Form 8-K within four business days of determining the incident's materiality. The SEC defines "materiality" as any event that a reasonable investor would consider important in making an investment decision. Companies must disclose the nature of the breach, its impact on operations, and any potential financial or legal consequences. In addition to the initial disclosure, companies must provide updates on the breach and its remediation efforts in periodic filings like 10-Qs and 10-Ks. This rule ensures that investors have timely and accurate information regarding cybersecurity risks.
Trust between companies and people has been hit. Following several data breaches in the past few years, people are worried about their privacy. Add new forms of technology like AI into the mix and the misinformation around AI, the problems grow more complicated. The public’s confidence in the ability of companies and governments to keep private information secure has been eroded. As a response, the SEC has taken a new role in promoting transparency and requiring companies to disclose how they manage cybersecurity risk.
In the past, regulatory boards have let organizations develop their own approaches to cybersecurity and self-regulation. This laissez-faire approach led organizations to have varying levels of security and disparate processes that left people unprotected. People want to see what companies are doing to protect information, and investment is an incentivizing lever that the SEC is betting will improve cybersecurity practices across the board.
An important distinction is that the SEC rule does not mandate that boards engage in oversight. The rule requires disclosing the board's leadership, impacting how the investor community perceives the enterprise. Investors want to trust that the boards are exercising oversight. This means that Boards need to have reporting on cyber threats, understand the implications, and demonstrate that they understand the reporting and are asking the right questions. If anything were to go wrong with the organization, the board's judgment would be scrutinized by regulators.
Suppose Board members do not understand the reporting that is brought to them. In that case, it is the responsibility of the Board to ask for that reporting and have it contextualized in business terms. There are several questions the Board should ask of the cyber team; here are a few:
Through these conversations, security professionals often identify a significant amount of data needed to move forward and a lot of data that's heightening the risk they don't need and is not core to strategy.
There’s a normative shift in what we think good business judgment is for the largest companies in the world, and that good judgment includes a good assessment of cyber risks.
While the SEC’s jurisdiction only applies to publicly traded companies, given the interconnectivity of the digital world, the rules will have a domino effect. Enterprises will need to consider the cyber approaches of their vendors and partners. Not only should boards ask about the cyber risks of their own company, but they must also question the cybersecurity of the company’s vendors, partners, and even customers to better manage who they partner with and which vendors they use.
Companies are beginning to send out more intensive vendor questionnaires about their cybersecurity, coming from the top. Vendor questionnaires are becoming more necessary instead of nice to have. Whether the company is part of the education sector or a nonprofit, every organization should look at how to become a data leader regardless of industry.
Even before a breach, it's critical to work with and build relationships with the key stakeholders across finance, legal, and other teams to ensure that when the time comes, CISOs understand what needs to be communicated and discussed with the Board and what is required to be reported regarding the materiality of a specific breach.
Download our guide to reporting on cybersecurity to the Board for a playbook on Board reporting according to the SEC Reporting Requirements.
The SEC rules have introduced a new level of reporting that raises a new level of transparency and forces CISOs and security leaders to collaborate with other organization leaders to ensure they are reporting on the correct information. Conversely, the new rules will push Boards to assess whether they are asking the right questions. Disclose the mandated report to ensure organizations are safe with their investors and customers.
Point solution cannot provide the transparency needed across operations. CyberStrong is an all-in-one cyber risk management platform that delivers automated solutions from cyber risk assessment to executive reporting.
Schedule a demo to learn more about our transparent cyber risk management approach.