Enabling Board Cyber Risk Oversight
Blog #1 of 5 in SEC Cyber Series
(Originally appeared October 31, 2022 at Overview of the SEC “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure” Proposed Rule Changes)
Overview of the SEC “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure” Proposed Rule Changes[1]
Introduction
In Stop the Cyber Bleeding: What Healthcare Executives and Board Members Must Know about Enterprise Cyber Risk Management[2] and in the article The Legal Liabilities of Enterprise Cyber Risk Management[3] that I co-authored with Iliana Peters, JD, CISSP, former acting deputy director at the Department of Health and Human Services Office for Civil Rights, I cited two key trends related to enterprise cyber risk management (ECRM) in healthcare:
1. The emergence of a de facto “standard of care” related to cyber risk management; and,
2. The increasing possibility that legislatures, regulators, and the courts will hold executives and directors responsible for Enterprise Cyber Risk Management (ECRM) failures.
This blog post and others in this series address increased regulations and specific changes proposed by the Securities and Exchange Commission (SEC) that would significantly increase reporting and disclosure requirements around cybersecurity and ECRM for publicly traded companies.
Bear in mind that while the SEC regulations apply to publicly traded companies, these proposed changes should be considered by all organizations, especially healthcare HIPAA covered entities and their business associates (“regulated entities”). Many frontline healthcare delivery organizations are not-for-profit, non-public entities. At the same time, they are part of public companies' supply chain and part of the national critical infrastructure. Other organizations in the healthcare ecosystem are private companies with exit strategies that may include going public or being acquired by a strategic public company. Additionally, many not-for-profit healthcare organization boards include directors who are also executives or directors at publicly traded companies who will guide these not-for-profit organizations to adopt SEC disclosure changes as best practices.
Why are these changes being proposed?
Cybersecurity risks and incidents can impact the financial performance or position of a company. Consistent, comparable, and decision-useful disclosures regarding an organization’s cybersecurity risk management, strategy, and governance practices, as well as a company’s response to material cybersecurity incidents, would allow investors to understand such risks and incidents, evaluate a company’s risk management and governance practices regarding those risks, and better inform their investment and voting decisions.
In recent testimony before the United States Senate Committee on Banking, Housing, and Urban Affairs, SEC Chairman Gary Gensler stated, as it relates to public company disclosures: “For the last 90 years, our capital markets have relied on a basic bargain. Investors get to decide which risks to take as long as companies provide full, fair, and truthful disclosures. Congress tasked the SEC with overseeing this bargain. We do so through a disclosure-based regime, not a merit-based one.”[4]
The proposed cybersecurity disclosure rule changes are all about what the SEC believes are full, fair, and truthful disclosures. “The proposed amendments are intended to better inform investors about a registrant’s risk management, strategy, and governance and to provide timely notification of material cybersecurity incidents.”[5]
When could these proposed changes be implemented?
The Notice of Proposed Rule Making was published on March 9, 2022, and comments were initially to have been returned to the SEC by May 9, 2022. The comment period was extended, with a total of 156 comments submitted as of this writing.[6] Although there is always the possibility of delays in rulemaking, the SEC’s timetable for these changes shows final action by April 2023.[7]
Who is Covered?
Publicly traded companies or SEC registrants and so-called foreign private issuers (“FPIs”) would be required to comply with the proposed changes. In this series, I will focus on US-based publicly traded companies that are required to comply with the Securities Act of 1933 (“Securities Act”), the Securities Exchange Act of 1934 (“Exchange Act”), and regulations promulgated under these and other federal securities laws. These organizations typically file Forms 8-K, 10-Q, 10-K, and others as part of their regular filings with the SEC.
What Could be Required?
There are four specific proposals, aligned with the key SEC proposals, that I will cover separately in this blog series. The proposed changes address:
The proposal calls for specific changes to disclosures made under existing regulations (e.g., PART 229—STANDARD INSTRUCTIONS FOR FILING FORMS UNDER SECURITIES ACT OF 1933, SECURITIES EXCHANGE ACT OF 1934 AND ENERGY POLICY AND CONSERVATION ACT OF 1975—REGULATION S-K) by adding to or amending existing language. As a simple example, definitions are added for terms like cybersecurity incident, cybersecurity threat, and information systems. As another example, specific reporting requirements are spelled out: “(2) Describe management’s role in assessing and managing cybersecurity-related risks, as well as its role in implementing the registrant’s [company’s] cybersecurity policies, procedures, and strategies.”[8]
I will get into more specifics on the requirements of each of the four areas cited above in upcoming posts in this series.
Who Enforces?
The Division of Enforcement within the SEC administers the Securities and Exchange Commission's Enforcement Program. The Division of Enforcement is responsible for detecting and investigating a wide range of potential violations of federal securities laws and regulations.[9] In November 2021, the SEC announced that it had filed 434 new enforcement actions in fiscal year 2021, representing a 7 percent increase over the prior year. The SEC stated that its whistleblower program was critical to its enforcement efforts and had a record-breaking year, stating that it surpassed $1 billion in awards.
Speaking of the whistleblower program, coincidentally, in August, Peiter Zatko, Twitter's former head of security, filed whistleblower complaints with the SEC, the Federal Trade Commission, and the Justice Department alleging “extreme, egregious deficiencies by Twitter in every area of his mandate,” including privacy, digital and physical security, platform integrity and content moderation.[10] If investigations show that his allegations were true, they represent serious privacy and security concerns for millions of Twitter users.
What Happens If Your Company Doesn’t Comply?
First, remember that these proposed changes are not likely to be finalized until April 2023, and there’s no guarantee of making that date. However, thinking ahead, an organization that makes false, incomplete, or misleading statements about security incidents, risk management, strategy, and governance in its public statements or its required SEC disclosures could face an SEC violation and, additionally, potential violations of other federal (e.g., HIPAA), state, or even international privacy and security regulations. These potential violations would be bad for investors and bad for the company.
Questions Management and Board Should Ask and Discuss
While I will get into the detailed requirements in upcoming posts in this series, it is not too early for the C-suite and the board to prepare for these prospective changes. Arguably, there are legal, regulatory, and strategic risks in managing these proposed changes. Here are several starter questions:
1. What team of executives should be assembled to examine these requirements, monitor the rule change process, and report to the board?
2. What standing board or ad hoc committee will oversee the work of this executive team? Or will it be the whole board?
3. What clarifications need to be made regarding the role of management vis-à-vis the role of the board regarding these potential changes?
4. What is your ability today to meet these prospective requirements? (More detail on this question will follow in future posts.)
5. What is your risk appetite for managing these pending requirements?
6. To whom can you turn for advice and counsel on these proposed changes?
7. What are your current risk management policies, procedures, and practices? On first blush, how do they stand up to the proposed disclosure requirements?
8. Do you have appropriate enterprise risk management and cybersecurity expertise on your board?
Endnotes
[1] SEC. “Proposed Rule: Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure.” March 9, 2022. Available at https://www.sec.gov/rules/proposed/2022/33-11038.pdf
[2] Chaput, Bob. “Stop The Cyber Bleeding: What Healthcare Executives and Board Members Must Know About Enterprise Cyber Risk Management (ECRM).” Clearwater, 2021. Available at https://amzn.to/33qr17n
[3] Chaput, Bob, and Peters, Iliana. “The Legal Liabilities of Enterprise Cyber Risk Management.” AHLA Health Law Connection (americanhealthlaw.org), November 2021. Available at https://www.americanhealthlaw.org/content-library/connections-magazine/article/86d4c53e-37e2-4b44-92a9-7b152eb1775e/The-Legal-Liabilities-of-Enterprise-Risk-Managemen
[4] Gensler, Gary. “Testimony Before the United States Senate Committee on Banking, Housing, and Urban Affairs.” September 15, 2022. Available at https://www.sec.gov/news/testimony/gensler-testimony-housing-urban-affairs-091522
[5] SEC. “Proposed Rule: Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure.” March 9, 2022. Available at https://www.sec.gov/rules/proposed/2022/33-11038.pdf
[6] SEC. “Comments on the Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure.” Accessed October 21, 2022. Available at https://www.sec.gov/comments/s7-09-22/s70922.htm
[7] SEC. “Cyber Risk Governance.” Agency Rule List, Spring 2022. Accessed October 4, 2022. Available at https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=202204&RIN=3235-AM89
[8] SEC. “Proposed Rule: Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure.” March 9, 2022. Available at https://www.sec.gov/rules/proposed/2022/33-11038.pdf
[9] SEC, International Institute for Securities Market Development. “Overview of Enforcement.” 2005. Available at https://www.sec.gov/about/offices/oia/oia_enforce/overviewenfor.pdf
[10] Needleman, Sarah E. “Twitter’s Ex-Security Head Files Whistleblower Complaint on Spam, Privacy Issues.” WSJ, updated August 23, 2022. Available at https://www.wsj.com/articles/twitters-ex-security-head-files-whistleblower-complaint-11661263009