What to really know about new SEC cybersecurity rules

What to really know about new SEC cybersecurity rules

It's not just incident reporting & a cyber expert on the Board

By now you've seen the countless articles bringing front and center the SEC's proposed new cybersecurity rules. I do believe there are aspects that are being focused on and others that are not that better characterize what's really going to be required of publicly traded companies after these take effect. Many articles on this development aren't digging in past the summary on the 1st page of the rules proposal (https://www.sec.gov/rules/proposed/2022/33-11038.pdf ).

Let's break them all down.

Require current reporting about material cybersecurity incidents?

First up "...requiring registrants to disclose material cybersecurity incidents in a current report on Form 8-K within four business days after the registrant determines that it has experienced a material cybersecurity incident". Also added would be:

  1. When the incident was discovered and whether it is ongoing;
  2. A brief description of the nature and scope of the incident;
  3. Whether any data was stolen, altered, accessed, or used for any other unauthorized purpose;
  4. The effect of the incident on the registrant’s operations; and
  5. Whether the registrant has remediated or is currently remediating the incident.

Prerequisite: A company would need a near or full 24/7 detection and response capability, along with a level of forensics, to be able to properly discover, react, and then report this within a 4 day time frame. You'd also need legal counsel to help make the right decisions on if this is even an incident. An incident response plan (IRP) with clearly identified roles would enable this. Ideally, an IRP that's been through a table top exercise (TTX).

This is a significant requirement being outlined here and one that has a number of capabilities to be able to meet. It's not as simple as "being able to report in 4 days".

Policies and procedures to identify and manage cybersecurity risks

SEC is looking to "...require registrants to provide more consistent and informative disclosure regarding their cybersecurity risk management and strategy." Expanded it would expect:

  1. The registrant has a cybersecurity risk assessment program and if so, provide a description of such program;
  2. The registrant engages assessors, consultants, auditors, or other third parties in connection with any cybersecurity risk assessment program;
  3. The registrant has policies and procedures to oversee and identify the cybersecurity risks associated with its use of any third-party service provider (including, but not limited to, those providers that have access to the registrant’s customer and employee?data), including whether and how cybersecurity considerations affect the selection and oversight of these providers and contractual and other mechanisms the company uses to mitigate cybersecurity risks related to these providers;
  4. The registrant undertakes activities to prevent, detect, and minimize effects of cybersecurity incidents;
  5. The registrant has business continuity, contingency, and recovery plans in the event of a cybersecurity incident;
  6. Previous cybersecurity incidents have informed changes in the registrant’s governance, policies and procedures, or technologies;
  7. Cybersecurity related risk and incidents have affected or are reasonably likely to affect the registrant’s results of operations or financial condition and if so, how; and
  8. Cybersecurity risks are considered as part of the registrant’s business strategy, financial planning, and capital allocation and if so, how.?

Prerequisite: Without citing a specific standard or framework, this would mirror the expectations of a program built on NIST CSF or other modern control based frameworks. A company would need a fully built and maturing cybersecurity program. One that starts with (and expects regular) risk assessment of the current state, establishing a target state, and crafting a roadmap to get from one to the next.

It's basic and direct.

Conduct a risk assessment, use 3rd parties to validate results, and establish a set of policies and process in a program to be governed. Points 4 & 5 are clear adoption of NIST CSF categories of "Protect, Detect, Respond, & Recover". The disclosures expected will require a level of detail on a company's overall cybersecurity program, it's governance, reporting, and maturation plans over time. Without an established program, it would be impossible to meet this requirement. It's more than just proving written policies are documented.

The SEC is looking for a program.

Board of directors’ cybersecurity expertise, if any, and its oversight of cybersecurity risk

The proposed rule expects the "...disclosure of a registrant’s cybersecurity governance, including the board’s oversight of cybersecurity risk and a description of management’s role in assessing and managing cybersecurity risks, the relevant expertise of such management, and its role in implementing the registrant’s cybersecurity policies, procedures, and strategies."

It's more than just the Board. In fact, the role of the CISO is established, filled, and who they report to, all must have cybersecurity expertise that's disclosed in filings. This means if the CISO reports to the CIO/CFO/GC, the expertise of that individual is disclosed.

  1. Whether the entire board, specific board members or a board committee is responsible for the oversight of cybersecurity risks;
  2. The processes by which the board is informed about cybersecurity risks, and the frequency of its discussions on this topic; and
  3. Whether and how the board or board committee considers cybersecurity risks as part of its business strategy, risk management, and financial oversight.??

Prerequisite: Each company will need a CISO, a person the CISO reports to, and a Board with directors that individually or as an informed committee have cybersecurity expertise. A governance cadence will need to be established on how often and to cover topics specifically on "the prevention, mitigation, detection, and remediation of cybersecurity incidents".

I don't believe we'll see an influx of CISOs being handed Board seats. While there are a subset of CISOs in the community that will, many do not have the executive presence or depth in other areas that make a good independent director for a Board.

Conclusion

As this proposal moves forward and a date is established for compliance, it will be a serious lift for many. There are roughly 9000 publicly traded companies in the US under SEC guidance. With only 2/3 of the Fortune 500 even having a CISO, it's clear that there is a significant amount of work and talent needed to meet these new regulations.

Need to navigate these new SEC rules? Contact us at SideChannel.com

Brian - thanks for sharing this. This is a concise summary and will be useful for the group! Dmitriy

Rob Black

I help business leaders manage cybersecurity risk to enable sales. ?? Virtual CISO to SaaS companies, building cyber programs. ?? vCISO ?? Fractional CISO ?? SOC 2 ?? TX-RAMP ?? LinkedIn? Top Voice

1 年

Good analysis.

?? Christophe Foulon ?? CISSP, GSLC, MSIT

Accepting vCISO Clients for 2025 | Helping SMBs Grow by Enabling Business-Driven Cybersecurity | Fractional vCISO & Cyber Advisory Services | Empowering Secure Growth Through Risk Management

1 年

Great information Brian Haugli thank you for sharing

Dr. William Dicker

Information Security, Risk and Compliance

1 年

Hello Brian. This was a wonderful read and great summarization you posted. I am very concerned with the lack of qualified cyber experts compared to the CISO requirement. Although some infosec experience is better than none for public companies, I fear companies will start promoting less-experienced infosec employees to CISO positions just to check the block.

Great read Brian Haugli. I ended up skimming the SEC doc. There is a lot of latitude given on what constitutes a "material" incident. "A materiality analysis is not a mechanical exercise, nor should it be based solely on a quantitative analysis of a cybersecurity incident. Rather, registrants would need to thoroughly and objectively evaluate the total mix of information, taking into consideration all relevant facts and circumstances surrounding the cybersecurity incident, including both quantitative and qualitative factors, to determine whether the incident is material. Even if the probability of an adverse consequence is relatively low, if the magnitude of the loss or liability is high, the incident may still be material; materiality “depends on the significance the reasonable investor would place on” the information. Thus, under the proposed rules, when a cybersecurity incident occurs, registrants would need to carefully assess whether the incident is material in light of the specific circumstances presented by applying a well-reasoned, objective approach from a reasonable investor’s perspective based on the total mix of information." Do you think this will lead to under reporting?

要查看或添加评论,请登录

社区洞察

其他会员也浏览了