Disclosure of a Registrant’s Risk Management, Strategy, and Governance Regarding Cybersecurity Risks

(Originally appeared November 21, 2022 in my Enabling Board Cyber Risk Oversight? blog at?Disclosure of a Registrant’s Risk Management, Strategy, and Governance Regarding Cybersecurity Risks)

Blog #4 of 5 in SEC Cyber Series

Disclosure of a Registrant’s Risk Management, Strategy, and Governance Regarding Cybersecurity Risks[1]

Introduction

In the first post in this series Overview of the SEC “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure” Proposed Rule Changes, I cited the four specific proposed changes in the SEC rulemaking:

1. Reporting of Cybersecurity Incidents on Form 8-K
2. Disclosure about Cybersecurity Incidents in Periodic Reports
3. Disclosure of a Registrant’s Risk Management, Strategy and Governance Regarding Cybersecurity Risks
4. Disclosure Regarding the Board of Directors’ Cybersecurity Expertise

This post will focus on the requirements of “Disclosure of a Registrant’s Risk Management, Strategy and Governance Regarding Cybersecurity Risks.”

What is proposed?

In a previous post in this series, I cited SEC Chairman Gary Gensler, who stated, “For the last 90 years, our capital markets have relied on a basic bargain. Investors get to decide which risks to take as long as companies provide full, fair, and truthful disclosures. Congress tasked the SEC with overseeing this bargain. We do so through a disclosure-based regime, not a merit-based one.”[2]

The current system, which requires the disclosure of certain types of business and financial data regularly to the SEC and the company's stockholders, is known as the integrated disclosure system.[3]?Regulation S-K is an SEC regulation that spells out how registrants should disclose material qualitative or textual descriptions of their business on registration statements, periodic reports, and any other filings such as the 8-K, 10-Q, and 10-K.[4]

The SEC is proposing a new item be added to Regulation S-K at Item 106(b) to require registrants to provide more consistent and informative disclosure regarding their cybersecurity risk management and strategy. For example, the proposed disclosure would require companies to disclose whether they have a cybersecurity risk assessment program, whether they undertake activities designed to prevent, detect, and minimize the effects of cybersecurity incidents, and how they manage third-party risks.[5]?In Stop the Cyber Bleeding: What Healthcare Executives and Board Members Must Know about Enterprise Cyber Risk Management[6], I wrote extensively about the importance of comprehensive, enterprisewide risk assessments as a foundational step in establishing, implementing, and maturing a cybersecurity program.

Under risk management and strategy, specific proposed disclosure items in Item 106(b) would require disclosure, as applicable, of whether:

• The registrant has a cybersecurity risk assessment program and if so, describe such a program;
• The registrant engages assessors, consultants, auditors, or other third parties in connection with any cybersecurity risk assessment program;
• The registrant has policies and procedures to oversee and identify the cybersecurity risks associated with its use of any third-party service provider (including, but not limited to, those providers that have access to the registrant’s customer and employee data), including whether and how cybersecurity considerations affect the selection and oversight of these providers and contractual and other mechanisms the company uses to mitigate cybersecurity risks related to these providers;
• The registrant undertakes activities to prevent, detect, and minimize the effects of cybersecurity incidents;
• The registrant has business continuity, contingency, and recovery plans in the event of a cybersecurity incident;
• Previous cybersecurity incidents have informed changes in the registrant’s governance, policies, procedures, or technologies;
• Cybersecurity-related risks and incidents have affected or are reasonably likely to affect the registrant’s results of operations or financial condition, and if so, how; and
• Cybersecurity risks are considered as part of the registrant’s business strategy, financial planning, and capital allocation, and if so, how.[7]

Under governance or precisely the board’s oversight, the disclosure required by proposed Item 106(c)(1) would include a discussion, as applicable, of the following:

• Whether the entire board, specific board members or a board committee is responsible for the oversight of cybersecurity risks;
• The processes by which the board is informed about cybersecurity risks, and the frequency of its discussions on this topic; and
• Whether and how the board or board committee considers cybersecurity risks as part of its business strategy, risk management, and financial oversight.[8]

To say the least, these are extensive and comprehensive disclosure changes. The activities represent sound cyber risk management and are in complete alignment with numerous industry guidelines and resources, including notably for boards of directors, NACD’s most recent Principles for Board Governance of Cyber Risk.[9]

In chapter 7 of Stop the Cyber Bleeding[10], I cite six initial actions organizations can take to establish or improve their enterprise cyber risk management (ECRM) program.?These actions, which are all related to this proposed disclosure requirement regarding risk management, strategy, and governance, are:

1. Conduct Ongoing Enterprisewide NIST-quality Risk Assessments
2. Establish Board and Executive Team Governance
3. Adopt the NIST Cybersecurity Framework
4. Implement the NIST “Managing Information Security Risk” Process
5. Engage Your Executive Risk Insurance Brokers
6. Measure the Maturity of Your ECRM Program[11]

Of course, the above six items only represent a partial list of all cybersecurity practices.?They are simply examples of the items that, had they been completed, would be relevant to disclose.?They would all meet the SEC’s goal of providing greater transparency regarding the registrant’s strategies and actions to manage cybersecurity risks.[12]

Risk oversight is one of the top three responsibilities of a board of directors, along with strategy and leadership.?Disclosing information about risk and risk management oversight is not new to public company boards.?Public company boards have had to disclose their role in overall risk oversight since February 28, 2010, according to an SEC final rule, Proxy Disclosure Requirements.[13] As another specific example of risk-related disclosure, audit committees of New York Stock Exchange-listed companies must disclose policies concerning risk assessment and risk management.[14]

As a result, it is fair to think about the SEC's proposed changes related to Risk Management, Strategy and Governance Regarding Cybersecurity Risks as simply an extension of existing requirements, in this case, to address one of the most severe risks facing our economy and public equity markets.

Questions Management and Board Should Ask and Discuss

Here are several starter questions around the proposed Disclosure of a Registrant’s Risk Management, Strategy and Governance Regarding Cybersecurity Risks:

1. Is your enterprise cyber risk management (ECRM) strategy formalized and documented? Are you comfortable disclosing your ECRM strategy to investors?
2. Would your organization’s current risk assessment/risk management work products meet national or international standards, such as those promulgated by NIST or ISO?
3. Does your organization have a formal ECRM governance structure in place? Does it clearly define who makes what decisions, how and when those decisions are made, and what data and facts are used to inform them? Are you comfortable disclosing your ECRM governance structure to investors?
4. What ECRM framework, if any, has your organization adopted? How is it being used? Are you comfortable disclosing your ECRM framework to investors?
5. What ECRM process, if any, has your organization adopted? Is it an industry-standard approach, such as that advanced by NIST or ISO??Are you comfortable disclosing your ECRM process to investors?
6. What ECRM maturity model, if any, has your organization adopted??Is it an industry-standard approach, such as that advanced by NIST or ISO??Are you comfortable disclosing your ECRM maturity model to investors?
7. Are the roles and responsibilities of management and the board spelled out and practiced?
8. Is risk management integrated into business strategy, leadership, and financial oversight?

Endnotes

[1] SEC. "Proposed Rule Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure." March 9, 2022. Available at https://www.sec.gov/rules/proposed/2022/33-11038.pdf

[2] Gensler, Gary. “Testimony Before the United States Senate Committee on Banking, Housing, and Urban Affairs.” September 15, 2022. Available at https://www.sec.gov/news/testimony/gensler-testimony-housing-urban-affairs-091522

[3] Inc Magazine. "SEC Disclosure Laws and Regulations." January 5, 2021. Available at https://www.inc.com/encyclopedia/sec-disclosure-laws-and-regulations.html

[4] Regulation S-K, definition. Wex legal dictionary and encyclopedia. Legal Information Institute (LII). Cornell Law School. Accessed November 7. 2022. https://www.law.cornell.edu/wex/regulation_s-k

[5] SEC. "Proposed Rule Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure". March 9, 2022. Available at https://www.sec.gov/rules/proposed/2022/33-11038.pdf

[6] Chaput, Bob. “Stop The Cyber Bleeding: What Healthcare Executives and Board Members Must Know About Enterprise Cyber Risk Management (ECRM)”. 2021. Clearwater. Available at https://amzn.to/33qr17n

[7] SEC. "Proposed Rule Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure". March 9, 2022. Available at https://www.sec.gov/rules/proposed/2022/33-11038.pdf

[8] SEC. "Proposed Rule Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure." March 9, 2022. Available at https://www.sec.gov/rules/proposed/2022/33-11038.pdf

[9] NACD. "Principles for Board Governance of Cyber Risk". March 2021.?Available at https://www.nacdonline.org/applications/secure/?FileID=319863

[10] Chaput, Bob. “Stop The Cyber Bleeding: What Healthcare Executives and Board Members Must Know About Enterprise Cyber Risk Management (ECRM)”. 2021. Clearwater. Available at https://amzn.to/33qr17n

[11] Chaput, Bob. “Stop The Cyber Bleeding: What Healthcare Executives and Board Members Must Know About Enterprise Cyber Risk Management (ECRM).” 2021. Clearwater. Available at https://amzn.to/33qr17n

[12] SEC. "Proposed Rule Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure". March 9, 2022. Available at https://www.sec.gov/rules/proposed/2022/33-11038.pdf

[13] SEC. "Proxy Disclosure Enhancements." February 28, 2010. Available at https://www.sec.gov/rules/final/2009/33-9089.pdf

[14] Section 303A, NYSE Listed Company Manual. Accessed November 7, 2022. Available at https://nyseguide.srorules.com/listed-company-manual