SEC Rule Will ‘Change Playbook’ on Cyber Incident Management
A new set of requirements approved Wednesday by the U.S. Securities and Exchange Commission (SEC) will have a widespread impact on how publicly traded companies disclose security incidents and data risk management practices.
Under the new rule, publicly traded companies will be required to report cyber incidents within four business days of determining that the incident is “material,” meaning it would potentially impact a shareholder’s investment decisions. Additionally, public companies will be asked to continuously assess the effectiveness of their security risk management practices. As part of this, companies are required to publicly disclose the level of oversight by their boards of directors, and the role and expertise of management, in assessing security risks.
The goal behind this rule, which was first proposed last year, is to protect investors by informing them both about the security risk management practices and the cyber incidents impacting publicly traded companies.
“Currently, many public companies provide cybersecurity disclosure to investors,” said Gary Gensler, chair of the SEC on Wednesday. “I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way.”
“I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way.”
When the rule was first proposed, several security experts voiced concerns about the four-day incident disclosure timeline. Within the new four-day timeline, organizations must file a Form 8-K describing the “material aspects” of the disclosed incident’s nature, scope and timing, as well as its material impact.
While advocates for the cyber rule hope that this timeframe will help shareholders make more informed decisions about their investments, critics say that the timeline is too fast for companies already grappling with the impacts of a cyberattack.
Harley Geiger, Counsel for the Center for Cybersecurity Policy and Law, said the four day disclosure will “change the playbook on cyber incident management for publicly traded companies.” Previously, said Geiger, the best practice for organizations has been to initially disclose security incidents only to those who are involved with incident response, containment and remediation efforts.
“We believe this creates a risk to companies, investors and consumers, when the incident is disclosed prior to being contained or mitigated,” said Geiger. “If [it’s disclosed prior to being contained or mitigated], this means the vulnerability allowing the attack to occur in the first place may still be exploited by other malicious actors, and the original attackers still in the system… can cause damage once they realize their cover has been blown.”
The government and security experts alike have long touted the benefits of incident response reporting, and many other reporting requirements, like the Cyber Incident Reporting for Critical Infrastructure Act, (CIRCIA) also exist. However, Geiger said that other requirements mandate more confidential alerts; under CIRCIA, critical infrastructure entities must report incidents to CISA, for instance.
“We believe this creates a risk to companies, investors and consumers, when the incident is disclosed prior to being contained or mitigated."
“We see the value in reporting cyber incidents,” said Geiger. “It’s helpful for threat intelligence and it gives greater insight into the threat environment. However, what sets this apart is the fact that the disclosure is public.”
In order to address these concerns, the SEC’s rule has been amended to narrow down the information that must be reported, so that only the material aspects of the incidents are publicly disclosed; and also to allow for a 30-day extension for companies if the disclosure of the cyber incident would impact national security or public safety.
The cyber rules also will require companies to be more transparent about their practices for assessing and managing security risks, and the material impacts of both those risks and previous security incidents. CISOs can be proactive and get ahead of the many requirements approved by the SEC by working with their legal and communications departments in order to craft descriptions of their security processes, said Geiger.
Companies must disclose this information as part of the annual Form 10-K filing, where they will also be required to describe the board of directors’ oversight of risks from security threats, and management’s role and expertise in managing material risks from security threats. The inclusion here of enterprises’ board of directors and leadership further pushes responsibility for organizational cybersecurity practices - once falling solely on the shoulders of CISOs - higher up the management chain.
“In general, the disclosures on identifying and managing cybersecurity risks and governance - including the oversight and expertise of the board of directors - are all potentially beneficial to promoting transparency to investors, in the context of security governance being increasingly important to corporate governance in all sectors,” said Geiger.
"Boards are realizing that cyber risk is business risk, and any security breach has the potential to significantly disrupt business operations."
Overall, boards of directors appear to be set on the course to embrace cybersecurity, with a 2021 Gartner report predicting that by 2025 the number of boards with dedicated cybersecurity committees will increase from less than 10 percent to 40 percent. A recent Proofpoint report found that boards are also shifting their perspective of cybersecurity; for CISOs, this could mean more support and resources.
"Boards are realizing that cyber risk is business risk, and any security breach has the potential to significantly disrupt business operations," said Ryan Kalember, EVP of cybersecurity strategy at Proofpoint and board member at the National Cybersecurity Alliance. "This has long been an area of struggle for directors, who have traditionally viewed cybersecurity as a technical issue. The good news is that perceptions are changing."
James Turgal, Optiv’s VP of cyber risk, strategy and board relations, said the hope is that boards of directors will shift their perspective of cybersecurity from a cost center and instead start “to understand that cyber risk is a business risk and that their perceptions will shift to view security for what it truly is: a business enabler.”
“The SEC’s approval also elevates the role of the board of directors in cybersecurity and risk management,” said Turgal. “Cyber resilience can only be achieved with company-wide involvement – from the boardroom to the mailroom. So, getting corporate boards more involved in cybersecurity is a major victory from a cultural standpoint.”
During a public session on the proposed rule, two commissioners cited concerns that the rule creates a compliance checklist for organizations that the SEC is not qualified to make, and that cyber-related risks are being elevated above other risks that impact companies’ financial performance and stock price, such as customer acquisition and retention, globalization, supply chain management and taxes. Despite these concerns, the SEC passed the cyber rules through a 3-2 vote, and the various disclosures required as part of the SEC’s approval this week will start in December.