How has the SEC strengthened Cybersecurity Reporting Requirements and why does it matter?
The SEC enacted new cybersecurity disclosure rules for publicly traded companies, which takes effect on December 15, 2023. These rules mandate that companies provide comprehensive details on how they assess, identify, and manage material cybersecurity risks within their annual reports (Form 10-K). They require organizations to outline the board’s role in overseeing cybersecurity risks. Finally, the SEC requires companies to to report significant cybersecurity incidents within four days (Form 8-K).
This regulation has a significant impact on both companies and Chief Information Security Officers (CISOs). CISOs are thrust into a spotlight, charged with ensuring clear and prompt communication regarding their company’s cybersecurity measures and incidents. This heightened visibility requires CISOs to foster strong communication channels with top-level executives and board members. CISOs must also align cybersecurity strategies to both business goals and regulatory requirements.
For company CEOs and Board members alike, the regulation solidifies their focus on cybersecurity resiliency within corporate governance. They are tasked with active participation in and oversight of cybersecurity strategies. The Board is now charged with ensuring not just compliance but also the effectiveness of their company’s cybersecurity program. This shift underscores the evolving role of corporate governance in managing cyber risks. It highlights the growing investor interest in how companies are prepared to handle and mitigate cyber threats.
What do Investors Want and Need to Know?
Investors are increasingly concerned about the implications of cybersecurity on their investments. This has been propelled by the rising number of high-profile cyber incidents like ransomware attacks and data breaches. Investors prioritize cybersecurity alongside critical environmental, social, and governance (ESG) issues. This is reflected in RBC’s Global Asset Management Responsible Investment Survey. Investors seek clear, reliable, and actionable cybersecurity data to inform their investment decisions. They need and want clear indicators of cybersecurity resiliency without having to possess deep technical knowledge of the field. Good cybersecurity is not only seen as a risk mitigation factor but also as an indicator of robust corporate governance and management quality. These qualities make company’s more attractive for investment. Tools that incorporate cybersecurity metrics are used to evaluate a company’s cybersecurity preparedness. Consequently, the best Chief Information Security Officers (CISOs) are aware of these investor evaluations. Successful CISOs ensure their organizations’ cybersecurity measures are effectively communicated. Effective CISOs highlight global trends such as greater transparency and accountability in cybersecurity reporting. This helps calm investors concerns and the investment community.
How to Prepare my Company for these New Requirements
The SEC’s new cybersecurity regulation necessitates senior leadership involvement. Company leadership must be involved to strategize on their cybersecurity disclosures. CISOs are bringing leadership together to meet and review cyber resiliency or cyber preparedness at their firms. These meetings, create critical understanding on how these regulations impact your company and its stakeholders. These meetings most often include the CISO, General Counsel, a Chief Risk Officer (if present), the CFO, and the head of Investor Relations. Key discussion points revolve around who leads disclosure efforts and the CISO’s role in risk and incident reporting. Discussions must lay out and ratify collaboration strategies, investor communications, and how to define a “material” cyber incident relative to the company’s operations that now requires reporting on the 8-K.
These discussions must establish a clear responsibility matrix within your company relating to cybersecurity disclosures. CISOs must also ensure their approach to cybersecurity is communicated effectively to investors, meeting their expectations for transparency and understanding. Your leadership team must also consider the company’s existing communication strategies around cyber risk. They must determine whether new methods, such as a standalone cybersecurity report (annual 3rd party audit), are warranted to convey their governance of such risks clearly. This is not just about compliance; it’s about crafting an informed, coherent external and internal narrative on cybersecurity governance. The CISO plays a vital but not solitary role in this process. The outcome of these meetings will shape the company’s cybersecurity posture and investor relations moving forward.
What information should be Disclosed and how should it be collected?
Under the SEC’s new requirements, organizations must disclose a range of information that helps investors understand their cybersecurity risk management processes. This information includes the organization’s cybersecurity strategy and third-party risk management. A framework commonly used for such risk assessments is the NIST Cybersecurity Framework (NSF). Alternately, some companies use the NIST 800-171 Risk Management Standard for their compliance strategy. Then the management team, including the CIO, CISO, CEO, CFO, and board must create a reporting program that outlines attainment and risk mitigation for the company against the controls outlined in these assessment methods.
Additionally, companies are expected to share details about key policies, technical controls, independent security evaluations like SOC 2 certifications. Program metrics are reported detailing program effectiveness and incident management protocols. Cyber insurance coverage is validated helping with reduce financial risk from cyber incidents, while helping determine the materiality of cybersecurity events and issues.
CISOs are tasked with gathering this data through document reviews and consultations with their cybersecurity teams and senior executives. Since many organizations might not have ready access to all this information, it may be beneficial to form a cross-functional team to aid in the information collection process. You could adopt CyberHoot and capture metrics for each employee signing off on their governance policies, completing awareness training video assignments, and completing phishing simulations and tests. The ultimate goal is to report back to the Board, C-Level executives, and “reasonable investors” a narrative that is both accessible and understandable by all.
What have companies disclosed about their cybersecurity programs?
While companies building their programs may wonder what others are doing, it is important to build your own compliance and reporting program based upon your own size, capacities, and investor expectations. There are sources of centralized information collected that you might review for your own program’s development. For example, in 2022, an analysis by the EY Center for Board Matters on Fortune 100 company disclosures revealed the following increased transparency in cybersecurity risk management.
- 9% of companies mentioning preparedness through simulations and exercises.
- 18% in companies aligning with external cybersecurity frameworks (NIST CSF)
- 28% using external advisors (vCISO for example), reflecting growing engagement with third-party expertise.
- 39% disclosed how often they report cybersecurity matters
- 45% highlighted educational efforts to mitigate risks
- 51%, maintained cybersecurity insurance
- 61% noted cybersecurity expertise on their board.
- Response readiness was referenced by 66% of companies
- 68% discussed the frequency of management reporting to the board.
- An overwhelming 88% indicated at least one board committee was responsible for cybersecurity oversight
- 95% focused on cybersecurity in their risk oversight.
- Nearly all, 99%, mentioned efforts to mitigate cybersecurity risks through established processes and systems.
Despite past disclosures, the SEC’s new cybersecurity regulations require detailed and potentially transformative reporting practices be adopted starting with publicly traded companies. Despite the rules primarily target publicly listed companies, other private and smaller companies should familiarize themselves with these new rules, and begin preparing and monitoring their operations for their own cybersecurity resiliency and preparedness.
Incident Disclosure and the Question of Materiality
Companies must grapple with the challenge of determining what constitutes a “material” cybersecurity incident for disclosure purposes, as required by the SEC. A material incident is defined by the SEC as “one that would be considered important by a reasonable investor making an investment decision“. This determination goes beyond financial thresholds and considers both quantitative and qualitative data. It includes incidents resulting in reputational damage or the theft of information that, while not financially quantifiable, have a significant impact on individuals or the company.
The SEC suggests that while financial impact is commonly considered, the scope and nature of harm should also be evaluated. For a thorough understanding of potential impacts, companies are encouraged to perform financial quantification of cyber risks. This analysis can reveal program weaknesses, investment needs, and risk mitigation strategies.
CISOs, while not typically the final arbiters of materiality, should be deeply involved in the assessment process and in devising proactive risk remediation strategies. The materiality of incidents should be determined case-by-case through legal counsel, the CEO, and the Board of Directors. The decision of materiality needs to take into consideration the specific circumstances and potential implications for the company and its stakeholders.
Another Curveball: Third Party Risk Disclosure
The SEC mandates specific disclosure requirements for third-party cyber risks, acknowledging their significant potential to introduce cybersecurity incidents. With more companies outsourcing to vendors for efficiency and competitive gains, the risks from third-party and supply chain vulnerabilities have escalated. CISOs are advised to establish a robust third-party cyber risk strategy that includes identifying and prioritizing third-party partners (often based upon criticality of data they contain or can access), performing risk-based cyber assessments, and continuous monitoring of these entities for new threats. A thorough program is essential for CISOs to assure stakeholders of effective risk management and compliance with SEC disclosure requirements.
Conclusions
These developments highlight the strategic importance of cybersecurity in corporate governance and the need for leadership to be well-informed and proactive in cybersecurity oversight. It also indicates a trend towards greater transparency in how companies manage and report on cybersecurity, with an emphasis on creating a robust culture of security that aligns with investor interests and regulatory expectations.