SEC Cybersecurity Changes, Part 3, Risk Management

Have you thought about AND documented how your firm handles cybersecurity risk?

This is the third article in this series describing and exploring the monumental shift the Securities and Exchange Commission (SEC) has proposed in its amendments to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by registrants. The SEC wants investors to have a crystal clear idea of how your firm manages cybersecurity risk.

Thinking around cybersecurity needs to shift, and the SEC clearly agrees. Cybersecurity should be thought of as a core business capability used to effectively manage corporate risk, starting at the strategic level. Those who think of it as a technology problem with holes to be plugged will fail to see the big picture.

Cybersecurity Risk Management and Strategy

The proposed disclosure requirements are intended to ensure that investors have a very clear view of how a firm manages this core business capability. Proposed Item 106(b) of Regulation S-K requires registrants to provide more consistent and informative disclosure of their cybersecurity risk management and strategy.

These disclosures include:

  • Whether the registrant has a cybersecurity risk assessment program and undertakes activities designed to prevent, detect, and minimize the effects of cybersecurity incidents.
  • Policies and procedures around a registrant's selection and oversight of third-party entities.
  • Whether cybersecurity risks may have an impact on a registrant's business strategy, financial outlook, or financial planning.
  • Whether cybersecurity-related risks and previous incidents have affected or are reasonably likely to affect the registrant's results of operations, financial condition, governance, policies, procedures, or technologies.
  • Policies and procedures, if the registrant has any, to identify and manage cybersecurity risks and threats.

Cybersecurity Risk Policies and Procedures

Virtually no firm will be willing to state on a required SEC Item that it has no policies and procedures to identify and manage cybersecurity risk. Per the proposed disclosures, these policies and procedures should include, but should not be limited to:

  1. Risk Management Strategy and Methods including when and at what level these risks are identified and communicated (board, board committee, executive, etc.)
  2. Threat Management including identification and mitigation methods
  3. Vendor Management including cybersecurity selection criteria and oversight mechanisms
  4. Incident Management including activities to prevent, detect, and minimize the effects of cybersecurity incidents
  5. Continuity of Operations including business continuity, contingency, and recovery plans

Those who do not have anything like this in place should take this opportunity to get it in place NOW. If this sneaks up on your firm, you could find yourself explaining to the Board why you have nothing to report to the SEC. If you do have something, NOW is the time to make sure all of these points are covered well.

Key Takeaway

Many firms will find that they have no way to handle cybersecurity risk separately from general corporate risk. Previous disclosures have only referenced cybersecurity as one of the risks overseen by the board or a board committee, but the new reporting requirements will make it very transparent how much your company cares about cybersecurity risk. If it is not important enough to have its own strategy, management, policies, and procedures, cybersecurity risk will not get the attention necessary to truly work through the innumerable ways your company could lose value due to a breach, and investors will know.

More articles by Drew Nations, CISSP
