A revised set of proposed SEC guidelines for public company cybersecurity disclosure was released in 2022. Public businesses’ cybersecurity-related business activities, decision-making processes, and the Board’s new role in oversight would all be subject to heightened SEC scrutiny under the proposed regulations.
Boards are becoming more aware of the importance of participating in cybersecurity oversight. Not only are the consequences of a breach concerning, but new regulations are raising the stakes and changing the game. As part of their fiduciary and supervisory responsibilities, boards must ensure effective cyber risk management. As cyber threats grow and firms worldwide expand their cybersecurity budgets, the regulatory community, including the SEC, is proposing new standards that businesses must understand as they strengthen their cybersecurity strategy.
In March 2022, the SEC issued a proposed regulation titled Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure. The proposed rules would boost SEC scrutiny of public businesses’ cybersecurity-related activities, decision-making processes, and the Board’s expanded role in cybersecurity oversight.
These proposed rules demonstrate the SEC’s growing emphasis on cybersecurity, going further than any other federal agency in imposing requirements on public businesses and their boards of directors. One of the most significant new provisions requires the Board of Directors of a public company to oversee and participate in the evaluation, assessment, and implementation of cybersecurity policies and procedures. The proposed standards also establish more stringent and consistent guidelines for organizations to follow when disclosing, and later supplementing disclosure of, “material” cybersecurity events.
Hundreds of comments were filed during the consultation period for these rules, which ended on May 9, 2022. While it is not yet known when the rules will be finalized or take effect, corporations and their boards should begin preparing now, given the considerable changes expected to be included.
What are the critical requirements of the SEC rules?
The following are the primary requirements if the SEC adopts the rules in their proposed form:
- Notify the SEC of any “material cybersecurity incidents” within four days, as well as any previously classified “non-material” incidents that, when added to others, become “material” in the aggregate.
- Include updates on previously reported incidents in periodic SEC filings, and describe the company’s cybersecurity risk management program and the Board’s role in overseeing it.
“Over the years, our disclosure regime has evolved to reflect evolving risks and investor needs,” said SEC Chair Gary Gensler. “Today, cybersecurity is an emerging risk with which public issuers increasingly must contend. Investors want to know more about how issuers are managing those growing risks. A lot of issuers already provide cybersecurity disclosure to investors. I think companies and investors alike would benefit if this information were required in a consistent, comparable, and decision-useful manner. I am pleased to support this proposal because, if adopted, it would strengthen investors’ ability to evaluate public companies’ cybersecurity practices and incident reporting.”
What do the new SEC rules mean for businesses?
Board members must strengthen their cybersecurity competence to provide effective oversight and comply with the regulatory environment. It is no longer enough to hear about new security measures or the results of the latest phishing exercise.
Board members must assume that cyber-attacks will occur and use their oversight responsibility to ensure security managers have established adequate measures to respond and recover. Assume that every organization is at risk of being breached and that complete protection from every attack is impossible. The most logical approach is to ensure that the organization can recover with little or no damage to operations, the financial bottom line, or the organization’s reputation.
In light of the above discussion, the new regulations will require companies to establish and maintain reasonable cybersecurity practices, disclose those practices in public documents, clarify how their senior leadership effectively oversees those programs, and report cybersecurity incidents in a way that provides appropriate information to shareholders.
While the new standards are more specific, and possibly more burdensome, than previous requirements, they will clarify and reinforce prior guidance and the outcomes of prior SEC enforcement. Finally, the new regulations will specify the content, timing, and structure of incident reports and periodic disclosures. The new guidelines also compel corporations to document their cybersecurity and risk management plans.
What should companies do to prepare?
Follow these steps to ensure that your Board provides adequate oversight of cybersecurity programs and satisfies the new SEC requirements.
Review cybersecurity and risk management documentation.
Since upgrading cybersecurity and risk management programs can take considerable time, companies should begin examining and updating them immediately. Changes in the IT/OT infrastructure, mergers and acquisitions, the evolving threat landscape, and recent security events should all be monitored closely, as each can change the program’s requirements.
Educate your Board of Directors.
With all the new oversight duties imposed on the Board, it must ensure that it is equipped to oversee the company’s cybersecurity and risk management policies and processes. Historically, however, few Boards have been given adequate information to perform this role. Decide whether the full Board or a dedicated committee will provide this oversight, and make sure its members understand what the role entails.
Review your incident response plans.
We advise all businesses to assess their incident response plans in light of the new regulations. The members of your incident response team must be familiar with the required reporting protocols so that they know when and how to escalate a situation. The incident response plan should define a clear escalation path for raising serious or material issues with top management and the Board. The Board should be briefed on the incident response plan and then take part in a tabletop exercise that simulates a real-world crisis.
Determine what “material” means to your organization.
The company’s legal department and, where necessary, senior leadership should decide whether a cyber incident meets the threshold for “materiality,” which triggers the four-day reporting requirement. The company must ensure that the legal team and senior management who will make “material” determinations are reachable through the channels defined in the incident response plan and available in the operating environment.
ITEGRITI has deep experience across critical infrastructure cybersecurity programs, compliance, risk, and audit. Contact us today to learn how we can leverage this experience to help you accomplish your cybersecurity goals.