What to really know about new SEC cybersecurity rules
Brian Haugli
CEO @ SideChannel | Protecting SMBs & Enterprises with Enclave & RealCISO | Wiley Published Author on NIST CSF
It's not just incident reporting & a cyber expert on the Board
By now you've seen the countless articles bringing front and center the SEC's proposed new cybersecurity rules. I do believe there are aspects that are being focused on and others that are not that better characterize what's really going to be required of publicly traded companies after these take effect. Many articles on this development aren't digging in past the summary on the 1st page of the rules proposal (https://www.sec.gov/rules/proposed/2022/33-11038.pdf ).
Let's break them all down.
Require current reporting about material cybersecurity incidents?
First up "...requiring registrants to disclose material cybersecurity incidents in a current report on Form 8-K within four business days after the registrant determines that it has experienced a material cybersecurity incident". Also added would be:
Prerequisite: A company would need a near or full 24/7 detection and response capability, along with a level of forensics, to be able to properly discover, react, and then report this within a 4 day time frame. You'd also need legal counsel to help make the right decisions on if this is even an incident. An incident response plan (IRP) with clearly identified roles would enable this. Ideally, an IRP that's been through a table top exercise (TTX).
This is a significant requirement being outlined here and one that has a number of capabilities to be able to meet. It's not as simple as "being able to report in 4 days".
Policies and procedures to identify and manage cybersecurity risks
SEC is looking to "...require registrants to provide more consistent and informative disclosure regarding their cybersecurity risk management and strategy." Expanded it would expect:
Prerequisite: Without citing a specific standard or framework, this would mirror the expectations of a program built on NIST CSF or other modern control based frameworks. A company would need a fully built and maturing cybersecurity program. One that starts with (and expects regular) risk assessment of the current state, establishing a target state, and crafting a roadmap to get from one to the next.
领英推荐
It's basic and direct.
Conduct a risk assessment, use 3rd parties to validate results, and establish a set of policies and process in a program to be governed. Points 4 & 5 are clear adoption of NIST CSF categories of "Protect, Detect, Respond, & Recover". The disclosures expected will require a level of detail on a company's overall cybersecurity program, it's governance, reporting, and maturation plans over time. Without an established program, it would be impossible to meet this requirement. It's more than just proving written policies are documented.
The SEC is looking for a program.
Board of directors’ cybersecurity expertise, if any, and its oversight of cybersecurity risk
The proposed rule expects the "...disclosure of a registrant’s cybersecurity governance, including the board’s oversight of cybersecurity risk and a description of management’s role in assessing and managing cybersecurity risks, the relevant expertise of such management, and its role in implementing the registrant’s cybersecurity policies, procedures, and strategies."
It's more than just the Board. In fact, the role of the CISO is established, filled, and who they report to, all must have cybersecurity expertise that's disclosed in filings. This means if the CISO reports to the CIO/CFO/GC, the expertise of that individual is disclosed.
Prerequisite: Each company will need a CISO, a person the CISO reports to, and a Board with directors that individually or as an informed committee have cybersecurity expertise. A governance cadence will need to be established on how often and to cover topics specifically on "the prevention, mitigation, detection, and remediation of cybersecurity incidents".
I don't believe we'll see an influx of CISOs being handed Board seats. While there are a subset of CISOs in the community that will, many do not have the executive presence or depth in other areas that make a good independent director for a Board.
Conclusion
As this proposal moves forward and a date is established for compliance, it will be a serious lift for many. There are roughly 9000 publicly traded companies in the US under SEC guidance. With only 2/3 of the Fortune 500 even having a CISO, it's clear that there is a significant amount of work and talent needed to meet these new regulations.
Need to navigate these new SEC rules? Contact us at SideChannel.com
Brian - thanks for sharing this. This is a concise summary and will be useful for the group! Dmitriy
I help business leaders manage cybersecurity risk to enable sales. ?? Virtual CISO to SaaS companies, building cyber programs. ?? vCISO ?? Fractional CISO ?? SOC 2 ?? TX-RAMP ?? LinkedIn? Top Voice
1 年Good analysis.
Accepting vCISO Clients for 2025 | Helping SMBs Grow by Enabling Business-Driven Cybersecurity | Fractional vCISO & Cyber Advisory Services | Empowering Secure Growth Through Risk Management
1 年Great information Brian Haugli thank you for sharing
Information Security, Risk and Compliance
1 年Hello Brian. This was a wonderful read and great summarization you posted. I am very concerned with the lack of qualified cyber experts compared to the CISO requirement. Although some infosec experience is better than none for public companies, I fear companies will start promoting less-experienced infosec employees to CISO positions just to check the block.
AppOmni
1 年Great read Brian Haugli. I ended up skimming the SEC doc. There is a lot of latitude given on what constitutes a "material" incident. "A materiality analysis is not a mechanical exercise, nor should it be based solely on a quantitative analysis of a cybersecurity incident. Rather, registrants would need to thoroughly and objectively evaluate the total mix of information, taking into consideration all relevant facts and circumstances surrounding the cybersecurity incident, including both quantitative and qualitative factors, to determine whether the incident is material. Even if the probability of an adverse consequence is relatively low, if the magnitude of the loss or liability is high, the incident may still be material; materiality “depends on the significance the reasonable investor would place on” the information. Thus, under the proposed rules, when a cybersecurity incident occurs, registrants would need to carefully assess whether the incident is material in light of the specific circumstances presented by applying a well-reasoned, objective approach from a reasonable investor’s perspective based on the total mix of information." Do you think this will lead to under reporting?