The SEC is getting serious about cybersecurity. Recent regulations and high-profile cases signal a new era of accountability for publicly listed companies. But how do you prepare? How do you protect your business and stay on the right side of the regulations? The key lies in understanding and defining your cybersecurity risk appetite.
SEC Compliance Requirements Highlights
The SEC Cyber Rules focus on ensuring companies monitor and disclose material cybersecurity incidents. Here's what you need to know:
- Disclosure Deadlines: Started end of 2023
- Key takeaway: Monitor and disclose material cybersecurity incidents. The SEC wants to ensure that investors have sufficient information to make informed decisions.
- Forms to watch:
  - 10-K: Annual filing detailing your overall cybersecurity program, maturity, controls, and board oversight.
  - 8-K: More detailed, incident-specific disclosures required within a specific timeframe after a material incident. Disclose the exposure: the number of records impacted, the expected impact on forward-looking revenue, and so on.
- Starting 2025: Every publicly listed company needs the basic infrastructure to disclose incidents and their overall cyber posture.
- Why this matters: The SEC is scrutinizing cybersecurity disclosures, pushing companies to be more transparent about their risks and preparedness. High-profile cases like the SolarWinds incident, where the Chief Information Security Officer (CISO) was called to testify, highlight the importance of accountability.
Download CyberSaint’s guide to reporting cybersecurity to the board based on the SEC rules here.
Three Pillars of SEC Compliance Requirements
The SEC's rule is structured around three core capabilities:
- Incident Reporting: The tactical aspect of identifying, responding to, and disclosing cyber incidents.
- Cyber Risk Management and Strategy: The operational component, involving good cyber hygiene, program budgeting, and aligning cybersecurity with business strategy. This includes determining materiality, establishing data breach response capabilities, and communicating effectively with stakeholders.
- Cyber Governance: The strategic level, focusing on board-level oversight, communication, and accountability. This includes defining and approving the company's risk appetite.
The Core: Defining Your Cybersecurity Risk Appetite
Defining your cyber risk appetite is the fundamental problem to solve in order to meet all future regulatory obligations.
- What is Risk Appetite? It's the level of risk a company is willing to accept in pursuit of its strategic objectives.
- Risk Appetite vs. Risk Capacity: Risk capacity is the maximum risk an organization can absorb and remain solvent. Risk appetite is a smaller, more practical bubble within that capacity, representing the level of risk the company is comfortable taking. Without risk, there's no opportunity, so it's important to make informed decisions.
- Why it matters: A clearly defined risk appetite provides guardrails for leaders in their day-to-day decisions. It informs materiality assessments and provides a framework for measuring the effectiveness of your cybersecurity program.
Who Owns the Risk Appetite?
The Board of Directors should ultimately own the risk appetite. While management might be incentivized to take on more risk, the board has a fiduciary duty to act in the best interests of all stakeholders and define what level of risk is acceptable.
Implementing a Risk Appetite Program
- Cascade from the Top: The risk appetite needs to align with strategic goals, company values, and business drivers.
- Monitor and Measure: Establish tolerance levels and risk targets for business units, and integrate them into policies and procedures. This works much like any other strategic goal a CEO would cascade down, in the manner of a balanced scorecard.
- Balance Business Objectives and Risk: Every decision should consider both the potential rewards and the associated risks. A strong enterprise risk management (ERM) function is crucial for challenging business decisions and providing a balanced perspective.
- Materiality: With a defined risk appetite, determining what constitutes a material incident becomes much clearer.
Formulating a Risk Appetite Statement
- Example: "Less than 5% probability in the next 12 months of a disclosure of 1 million PII records."
- Key criteria:
  - Realistic
  - Quantifiable
  - Time-bound
  - Agreed upon across units and functions
  - Unambiguous
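A way to check a set of scenario estimates against a statement of this form, as an added example that is not part of the original post (the scenario names and numbers are constructed, and treating the scenarios as independent is an assumption):

```python
# Added example (not from the original post): test a list of estimated
# breach scenarios against a quantified appetite statement such as
# "less than 5% probability in the next 12 months of a disclosure of
# 1 million PII records". Scenario values are constructed; treating the
# scenarios as independent is an assumption.
from dataclasses import dataclass
from itertools import product


@dataclass
class Scenario:
    name: str
    annual_probability: float  # chance the scenario occurs within 12 months
    records_exposed: int       # PII records disclosed if it does occur


def probability_records_exceed(scenarios, threshold):
    """Exact P(total records disclosed in the period >= threshold).

    Enumerates every occur/not-occur combination (2**n cases), so several
    smaller incidents that together breach the threshold count as well."""
    total = 0.0
    for outcome in product((False, True), repeat=len(scenarios)):
        records = sum(s.records_exposed for s, hit in zip(scenarios, outcome) if hit)
        if records < threshold:
            continue
        p = 1.0
        for s, hit in zip(scenarios, outcome):
            p *= s.annual_probability if hit else 1.0 - s.annual_probability
        total += p
    return total


def evaluate_appetite(scenarios, max_probability, record_threshold):
    """Compare the estimate with the appetite statement and report headroom."""
    p = probability_records_exceed(scenarios, record_threshold)
    return {
        "probability": round(p, 6),
        "within_appetite": p < max_probability,
        "headroom": round(max_probability - p, 6),
    }


# Constructed sample scenarios (illustrative numbers, not real data)
SAMPLE_SCENARIOS = [
    Scenario("customer database exfiltration", 0.02, 1_200_000),
    Scenario("misconfigured cloud storage bucket", 0.10, 600_000),
    Scenario("third-party processor breach", 0.10, 500_000),
]
```

With the sample list, `evaluate_appetite(SAMPLE_SCENARIOS, 0.05, 1_000_000)` reports a 2.98% probability of crossing the one-million-record line, so the appetite holds with about two points of headroom; tightening the statement to 2% would put the same estimate outside appetite.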
Engage the Board
Cybersecurity is no longer just an IT issue; it's a core business risk that demands board-level attention. The SEC is making it clear that boards have a fiduciary duty to oversee cybersecurity risks and ensure that companies are adequately prepared to protect themselves and their stakeholders. Actively engaging the board is crucial for establishing a strong cybersecurity posture and meeting regulatory expectations.
Key Actions for Board Engagement:
- Cybersecurity Education: Ensure board members understand the evolving cybersecurity landscape, the potential impact of cyberattacks on the business, and their responsibilities in overseeing cybersecurity risks. Regular briefings and training sessions can help bridge the knowledge gap.
- Direct Access to Security Leadership: Establish direct lines of communication between the board and key security leaders, such as the CISO and CIO. This allows the board to receive unfiltered information about the company's security posture and potential threats. Avoid relying solely on the CEO as an intermediary. Learn more about the CISO reporting structure here.
- Regular Cybersecurity Reporting: Implement a regular reporting cadence that provides the board with clear, concise, and relevant information about the company's cybersecurity program, risk profile, and incident response capabilities. This reporting should include metrics that track progress against the defined risk appetite.
- Board Approval of Risk Appetite: The board must ultimately own and approve the company's cybersecurity risk appetite. This demonstrates a commitment to cybersecurity at the highest level and provides a clear framework for decision-making.
- Due Diligence and Due Care: Board members must demonstrate due diligence and due care in overseeing cybersecurity risks. This means actively seeking information, asking probing questions, and challenging management's assumptions.
- Independent Assessments: Consider engaging independent cybersecurity experts to conduct periodic assessments of the company's security posture and provide an objective perspective to the board.
- Cybersecurity Expertise on the Board: Consider adding a board member with specific cybersecurity expertise to bring a deeper understanding of the issues and provide informed guidance.
- Focus on Reasonable Action: The board should focus on ensuring that management takes reasonable steps to protect the company from cyber threats. This means implementing appropriate security controls, training employees, and developing a robust incident response plan.
- Scenario Planning and Tabletop Exercises: Conduct regular scenario planning and tabletop exercises to simulate cyberattacks and test the board's and management's ability to respond effectively.
- Understanding the Legal and Regulatory Landscape: Ensure the board is aware of the relevant cybersecurity laws and regulations, including the SEC's requirements, and how they impact the company's obligations.
SEC Compliance: Cybersecurity as a Strategic Imperative
The SEC's cybersecurity rules are here to stay; they represent a fundamental shift in how businesses must approach cyber risk management. Proactively defining your risk appetite is no longer just a compliance exercise; it's a strategic imperative that will strengthen your cybersecurity posture, protect your business value, and foster greater trust with investors and stakeholders.
Key Takeaways:
- Compliance is Coming: Starting in 2025, every publicly listed company needs a basic infrastructure for incident disclosure and understanding their overall cyber posture. This isn't optional.
- Risk Appetite is Your Foundation: Define your risk appetite clearly, realistically, and quantifiably. It is the foundation for all future regulatory obligations.
- Engage the Board: The board must own the risk appetite. Ensure they are informed of the cyber risk posture and have access to regular cyber risk reporting.
- Focus on Materiality: A well-defined risk appetite makes determining what constitutes a material incident far easier.
- Training is Essential: Ensure your teams understand the risk appetite and how it applies to their day-to-day decisions. Integrate it into standards, procedures, and training programs.
- Quantification Matters: Strive to quantify cybersecurity risks to provide a basis for prioritization and decision-making.
- Embrace the "Two Sides of the Coin": Every business decision should consider both the potential rewards and the associated risks. Foster a culture where this is the norm.
By taking these steps, you'll not only be better prepared to meet the SEC's requirements, but you'll also build a more resilient and secure organization that's well-positioned for long-term success. Don't wait until the next incident to start thinking about your risk appetite. Start the conversation now.
Learn more about cyber risk quantification to determine materiality and your organization’s risk appetite here.