Cyber Risk Now a Top Priority with SEC Proposed Rules on Cybersecurity Risk Management
IT Risk & Cyber Risk | 5 Min Read |21 March 23|by Agnishwar Banerjee
As a cyber security or IT risk professional, it would have been impossible to miss the buzz around the “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure” draft rules (the Rules) issued by the U.S. Securities and Exchange Commission (SEC) in early 2022. Since then there has been a steady stream of commentary, analysis and even checklists covering the proposed rules, and more recently the SEC has announced further amendments to them.
The Rules, which will apply to all public (listed) companies, are expected to be brought into force in April 2023. The SEC is evidently no longer satisfied with voluntary disclosures or with the patchy adherence to its earlier guidance on the topic, and is now serious about having public companies disclose their approach to cybersecurity risk, strategy and governance. This should not come as a surprise given the growing number of attacks on some of the largest companies in the world (listed in the U.S. and subject to SEC regulation) and the “inadequate & inappropriate responses” from some of them, such as Uber and Equifax, which harmed both customers and investors.
The underlying concern is best expressed by Gary Gensler, the current SEC Chair: “Today, cybersecurity is an emerging risk with which public issuers increasingly must contend. Investors want to know more about how issuers are managing those growing risks. A lot of issuers already provide cybersecurity disclosure to investors. I think companies and investors alike would benefit if this information were required in a consistent, comparable, and decision-useful manner. I am pleased to support this proposal because, if adopted, it would strengthen investors’ ability to evaluate public companies' cybersecurity practices and incident reporting”.
Paraphrased, the SEC intends to provide investors with more visibility into the cyber risk posture of companies to enable them to make more informed decisions about their investments.
What are the Main Changes Proposed by the SEC?
In short, the Rules propose two fundamental changes in the way public companies should manage cyber security and IT risks:
- Direct board oversight of the company’s cybersecurity governance, including the review, assessment and implementation of cybersecurity policies and procedures, and how cyber risk is considered in business strategy, risk management and financial oversight; and
- Enhanced and stricter requirements for the disclosure of, and subsequent updates on, “material” cybersecurity incidents.
The specific requirements of the Rules, to be complied with by public companies, are as follows:
- Disclose the cybersecurity expertise of the board (if any)
- Disclose their cybersecurity governance capabilities, including the board’s oversight of cyber risk
- Disclose whether and how the board or specified board committee considers cyber risks as part of its business strategy, risk management, and financial oversight
- Report “material cybersecurity incidents” to the SEC within four business days of determining that an incident is material (“material” meaning information that a reasonable investor would consider important in deciding whether to buy, hold or sell the company's stock)
- Report previously undisclosed incidents that are individually non-material but become material “in the aggregate” when combined with other incidents
- Provide updates on prior incidents in periodic SEC disclosures
- Provide a description of the company’s cybersecurity risk management system
Key Inferences from the Draft SEC Cyber Rules
Reading the Rules and the requirements above, it may be inferred that the SEC is pushing its regulated companies towards cyber resilience, rather than simply towards an improved cyber security and risk posture. Currently, however, some of the requirements are open to differing interpretations (for example, the threshold for a “material” cybersecurity incident, how the four-day disclosure window is counted, and whether a board committee is sufficient for oversight of cyber risk and governance). These will either be clarified in the final rules or settled later through enforcement actions and litigation.
Another takeaway is that while the Rules do not extend to private companies, private companies that form part of a public company’s third-party ecosystem will in effect be pulled into scope, because today it is impossible to implement a comprehensive cyber security, risk and governance program without including the extended third-party ecosystem.
What is undeniable is that the Rules will require significant changes in board and management involvement, additional cybersecurity expertise on boards, revised governance structures and upgrades to existing processes. While the final rules are expected in April 2023, here are a few ways companies can start preparing now:
- Review and update cybersecurity and risk management programs, policies, processes
- Identify gaps and vulnerabilities in the organization’s cybersecurity approach so that risks can be mitigated before they turn into an actual cybersecurity event, and put processes in place to make this an ongoing activity rather than a one-off exercise
- Evaluate the organization’s current cybersecurity reporting structure, including how cybersecurity incident information is relayed to management and the board
- Enhance board members' expertise in cyber security and IT risk, with plans to appoint domain experts to the board
- Determine whether the full board or a board committee will be responsible for oversight under these Rules
- Review and update incident response plans to account for the disclosure requirements and timelines (specifically the four-business-day deadline for material incidents) and their effect on internal operations, including who decides materiality and how quickly that decision is reached
- Add an executive leader to the security team focused on incident response
A Greater Push Towards Cyber Resilience
It is also important to note that the SEC Rules are not the only cyber security and risk related regulatory and policy developments this year. Here are a few more:
- National Cybersecurity Strategy announced by the Biden administration
- Cybersecurity Maturity Model Certification (CMMC) Program by the U.S. Department of Defense
- Amendments to the Federal Acquisition Regulation (FAR)
With the growing number of cyber regulations, and the likelihood that such requirements will eventually apply to all organizations and not just public companies, organizations are quickly realizing that they must increase their resources and budgets to manage the influx of regulation and build cyber resilience. This includes investing in technologies that give visibility into the organization’s cyber risk posture, hiring additional staff, and implementing stronger security measures such as automated monitoring of controls to protect against cyber threats.
Need help getting your programs in shape? Please contact MetricStream for help at info@metricstream.com
Check out our other recent blogs featured in the 'Cyber Risk Series: The Power of Resilience' blog series.
Stay Prepared: Know 2023’s Top Cyber Risks
AWS Security Lake and OCSF: A Cyber Risk Perspective
What are IT and Cyber Controls and How to Achieve Control Harmonization?