On July 26, 2023, the Securities and Exchange Commission (SEC) adopted new rules on cybersecurity risk management, strategy, governance, and incident disclosure. The rules focus squarely on the growing importance and critical nature of cybersecurity. They become effective 30 days after publication.
One-sentence summary: ensure you have a written cybersecurity strategy that runs from the boardroom to the data center, and ensure you have board members with appropriate cybersecurity knowledge and experience who are focused on cybersecurity governance and compliance.
'Registrants,' the vast array of businesses and organizations that fall under the purview of the SEC, as well as many others that follow SEC rules as guidelines, are now required under the new rules to publicly disclose any material cybersecurity incidents they encounter. Determining whether an incident is 'material' requires weighing factors such as financial losses, operational and reputational impacts, regulatory penalties, and more. This move isn't just about transparency; it's about accountability and creating an environment where cybersecurity is prioritized.
To detect such material events, companies must have robust cybersecurity programs in place. Adherence to frameworks like the NIST Cybersecurity Framework (CSF) provides a standardized approach. Independent audits and penetration testing also help assure investors that cyber risks are being taken seriously.
Registrants are now obligated to disclose material information about their cybersecurity risk management, strategies, and governance on an annual basis. These annual reports give stakeholders a holistic view of a company's cybersecurity posture, resilience, and readiness to combat digital threats. The role of board oversight and executive management in cybersecurity is now under scrutiny, making the collaboration between Chief Information Security Officers (CISOs) and cyber-informed boards essential.
The SEC has extended these rules to foreign private issuers as well, acknowledging that in this interconnected world, cybersecurity transcends borders. Companies are urged to manage third-party cyber risk as well, given the increasing targeting of supply chains.
To understand the impact of these rules, here is a summary of the SEC's final rules:
Disclosure of Cybersecurity Risk Management Strategy: Registrants are required to disclose whether they have adopted a cybersecurity risk management strategy. If such a strategy has been adopted, they are required to describe the key features of the strategy. This should be disclosed in the registrant's annual reports.
Disclosure of Cybersecurity Governance: The rules require disclosure about the registrant's governance of cybersecurity risks and incidents. This includes the role of the board of directors or similar governing body in overseeing the registrant's cybersecurity risk management strategy and incident response efforts.
Disclosure of Material Cybersecurity Incidents: Registrants are required to disclose any material cybersecurity incidents they experience promptly. This includes the nature and scope of the incident, its impact on the registrant's operations, and the registrant's response to the incident. This should be disclosed on Form 8-K within four business days of determining the materiality of the incident. Some flexibility is provided for security or other concerns.
Quantitative Metrics and Industry-Specific Information: The SEC document does not explicitly require the disclosure of quantitative metrics or industry-specific information. However, the SEC encourages registrants to provide as much specific and detailed information as possible to allow investors to understand their specific cybersecurity risks and incidents.
This rulemaking by the SEC is an effort to fortify the cybersecurity posture of registrants. It serves as a clarion call for companies to actively confront cyber threats that affect both their customer base and their financial statements, the latter being the SEC's central concern.
In an age where data has become the new gold, these mandates reflect the SEC's commitment to protecting this valuable asset by endorsing transparency and accountability and cultivating a safer digital environment. The SEC has finally tackled cybersecurity governance, setting forth guidelines and a benchmark to adhere to. These rules should be viewed as baseline standards, standards that many organizations should already be meeting. The new disclosure requirements will promote better information sharing and give investors a foundation for assessing the cybersecurity performance of the companies in their portfolios.
Should you need assistance in reviewing your cybersecurity posture from the board level to the front lines, Brightside stands ready to assist with information, policy, implementation, and audit services.
~ Mark Munger, CTO, Brightside Industries Group, LLC