Proposed SEC Rules on Cybersecurity Risk: What You Need to Know
With cybersecurity threats in the private and public sectors on the rise, on March 9, 2022, the U.S. Securities and Exchange Commission (SEC) issued proposed rules requiring public companies to disclose their cybersecurity risk management, strategy, governance, and incident details with the intention of enhancing cybersecurity beyond the controlled government systems. The comment period for these proposed rules ended on May 9.
The SEC’s concerns for reliable information systems aren’t without merit. Increased vulnerabilities and threats, including remote work, reliance on cloud and third-party services, virtual and digital payments, and sophisticated malware and ransomware, prompted the proposal of these rules to mitigate potential costs and consequences for businesses and investors. Previous standards were not always adhered to, and cybersecurity disclosures were sometimes dismissed, leaving investors and consumers uninformed.
To provide more transparent, timely, and consistent information, the SEC has broken down the additional disclosures into four categories:
- Material cybersecurity incidents
- Risk management and strategy
- Governance
- Expertise
For anyone unfamiliar with the SEC’s new cybersecurity requirements, our Technology and Cybersecurity practice breaks down what they are and how you can best adhere to them to keep your organization compliant and secure.
Breaking down material cybersecurity incident disclosures
Under this rule, a company will be required to disclose cybersecurity breaches within four days of discovering the incident (note: this is not four days from the date of the breach itself). To determine whether the incident involves material information, the company must consider whether a shareholder would find the breached information relevant to making an investment decision. Examples of material cybersecurity incidents that would require this reporting include:
- An impact on operational technology systems
- Stolen information with intent to extort
- Compromise of data or a network
- Ransomware attacks
- Theft of sensitive business information
Within this disclosure, a company is required to report as much as they can about the incident, including:
- When the incident was discovered
- A brief description of what the incident entailed
- Whether data was altered, taken, accessed, or used by the attacker
- How the incident directly affected operations
- If the company has resolved, or is resolving, the issue
A company is not required to disclose specific or technical details that could further hinder a resolution or assist attackers in perpetuating a breach, such as its response plans, security systems, networks, and other existing vulnerabilities.
Risk management and strategy rules
The proposed amendment would also require a “consistent and informative” disclosure of a company’s cybersecurity risk management and strategy — covering not only its own risk management standards but also those of its third-party service providers and how the associated risks are mitigated.
The company would be expected to disclose how its cybersecurity risk management and strategy factor into the overall business strategy and business model related to the collection and handling of sensitive data and the business’s level of dependency on technology. These disclosures will allow investors to possess the information necessary to evaluate a company’s cybersecurity risk and its ability to potentially manage the impact of an attack.
Within this rule, a company would be required to disclose if it:
- Has a cybersecurity risk assessment and management program (with an attached description of said program).
- Uses third parties with that program, and, if so, has policies and procedures to evaluate their associated cyber risks.
- Has a cybersecurity program that considers prior cybersecurity incidents.
- Has had an incident that has affected or could affect the company.
- Has considered the cybersecurity risks in its business strategy, planning, and capital allocation — and how.
Key governance rules
The SEC’s proposal would require a company to disclose how its board and management handle and take responsibility for cyber risk, including its general cybersecurity governance and the overall scope of the board’s oversight. Does the duty fall to the entire board, a committee, or specific board members? Are there processes for informing the board of potential risks, and how often does it discuss them? Is cyber risk considered a part of overall strategy and risk management?
In addition, it would require a description of management’s role in managing cybersecurity risks, including its expertise, experience, and general role in implementing cybersecurity measures. Other disclosures in this category include:
- Responsibilities for evaluating and managing cyber risk.
- Whether the company has a chief information security officer or similar role, and that individual’s level of expertise.
- How managers responsible for cybersecurity are informed about, and monitor, efforts such as the discovery, identification, and remediation of breaches.
- How often the managers responsible for cybersecurity report to the board or committee.
Expertise
Under this amendment, companies would be required to disclose their directors’ expertise in cybersecurity, citing each by name along with prior work experience, level of expertise, certifications and degrees, and skillset.
Prepare your organization with a SOC assessment for cybersecurity
To know where your organization stands with its cybersecurity risks and strategy, an assessment is important — especially a System and Organization Controls (SOC) for Cybersecurity, a framework allowing organizations to communicate the effectiveness of their risk management program and information about their cybersecurity.
As we know, the recently issued SEC proposal would require companies to detail their cybersecurity risks and incidents, as well as related books and records, for up to five years. Participating in a SOC for Cybersecurity would enable your organization to prepare accordingly with no blind spots. This is especially important if your organization relies on third-party risk management, a growing concern for many firms because of the increased risk associated with third parties.
With the SOC for Cybersecurity, you can equip your management, directors, investors, business partners, and other stakeholders with the controls they need to ensure you remain compliant with the SEC’s new additions.
Our perspective
While there have been no updates since the proposed rules, it is important to stay vigilant — not only to protect your organization, but also to maintain compliance. To stay up to date, bookmark the SEC’s Cybersecurity news and our Technology and Cybersecurity insight library.
Professional service firms like MGO help verify you are compliant and strengthen your overall cybersecurity — so these incidents are less likely to occur, and if they do, you will be ready to mitigate risks at once. Let us know if you are ready to assess your cybersecurity or get started on a SOC for Cybersecurity.
For insights tailored to your company and industry, schedule a conversation with our Technology and Cybersecurity team today.