As a cyber security or IT risk professional, it would have been impossible to miss the buzz around the “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure” draft rules (the Rules) issued by the United States Securities and Exchange Commission (SEC) early last year. Since then there has been a steady stream of commentary, analysis and even checklists on the proposed rules, and more recently the SEC has announced further amendments to them.
The Rules, which will apply to all public/listed companies, are expected to come into force in April 2023. It appears that the SEC is no longer satisfied with voluntary disclosures or with the uneven adherence to its earlier guidance on the topic, and is now serious about requiring public companies to disclose their approach to cybersecurity risk, strategy and governance. This should not come as a surprise, given the growing number of attacks on some of the largest companies in the world (listed in the US and subject to SEC regulation) and the “inadequate & inappropriate responses” of some of them, such as Uber and Equifax, both of which adversely affected customers and investors.
However, the main concern, is best expressed by Gary Gensler, the current SEC Chair: “Today, cybersecurity is an emerging risk with which public issuers increasingly must contend. Investors want to know more about how issuers are managing those growing risks. A lot of issuers already provide cybersecurity disclosure to investors. I think companies and investors alike would benefit if this information were required in a consistent, comparable, and decision-useful manner. I am pleased to support this proposal because, if adopted, it would strengthen investors’ ability to evaluate public companies' cybersecurity practices and incident reporting”.
Paraphrased, the SEC intends to provide investors with more visibility into the cyber risk posture of companies to enable them to make more informed decisions about their investments.
In short, the Rules propose two fundamental changes in the way public companies should manage cyber security and IT risks:
The specific requirements of the Rules, to be complied with by public companies, are as follows:
Reading the Rules and the requirements above, it may be inferred that the SEC is pushing its regulated companies towards cyber resilience, rather than merely towards an improved cyber security and risk posture. Some of the requirements are, however, still open to interpretation: for example, the threshold for a “material” cybersecurity incident; the four-business-day disclosure deadline, which under the proposal runs from the company’s determination that an incident is material rather than from its discovery; and whether a board committee on cyber risk and governance is sufficient. These points will be clarified either in the final rules or, later, through litigation.
Another takeaway is that although the Rules do not extend to private companies, they may in effect extend to them vicariously, by virtue of those companies being part of the third-party ecosystem of public companies. Today it is impossible to implement a comprehensive cyber security, risk and governance program without including the extended third-party ecosystem.
What is undeniable is that the Rules will require significant changes: greater board and management involvement, additional cybersecurity expertise on boards, revised governance structures and upgrades to the processes already in place. While the final rules are likely to be released in April 2023, here are a few ways companies can start preparing now:
It is also worth noting that the SEC Rules are not the only cyber security and risk related legislation passed this year. Here are a few more:
With the growing number of cyber regulations, and the likelihood that such legislation will eventually apply to all organizations and not just public companies, organizations are quickly realizing that they must increase their resources and budgets to manage the influx of regulations and build cyber resilience. This will include investing in technologies that give visibility into the organization’s cyber risk posture, hiring additional staff, and implementing stronger security measures such as automated monitoring of controls to protect against cyber threats.
Need help getting your programs in shape? Please contact MetricStream for help at info@metricstream.com