What are the new SEC rules on cybersecurity risk management disclosure?
The Securities and Exchange Commission (SEC) has introduced new rules to enhance and standardise disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies.
According to the SEC rules on cybersecurity, the proposed amendments to existing rules would require, among other things, current reporting about material cybersecurity incidents and periodic reporting to provide updates about previously reported cybersecurity incidents.
The proposal would also require periodic reporting about a registrant’s policies and procedures to identify and manage cybersecurity risks; the registrant’s board of directors’ oversight of cybersecurity risk; and management’s role and expertise in assessing and managing cybersecurity risk and implementing cybersecurity policies and procedures. The proposal would further require annual reporting or certain proxy disclosure about the board of directors’ cybersecurity expertise if any.
Disclosure to be better informed
The proposed amendments are intended to better inform investors about a registrant’s risk management, strategy, and governance and to provide timely notification to investors of material cybersecurity incidents. The new rule states that the disclosure would need to be made within four business days of the company determining that the incident was material.
“Over the years, our disclosure regime has evolved to reflect evolving risks and investor needs,” said SEC Chair Gary Gensler.
“Today, cybersecurity is an emerging risk with which public issuers increasingly must contend. Investors want to know more about how issuers are managing those growing risks. A lot of issuers already provide cybersecurity disclosure to investors. I think companies and investors alike would benefit if this information were required in a consistent, comparable, and decision-useful manner. I am pleased to support this proposal because, if adopted, it would strengthen investors’ ability to evaluate public companies’ cybersecurity practices and incident reporting.”
The SEC’s motivation behind the change
The reason behind the SEC’s rule change is to provide investors with more information about an organisation’s cyber risk. But this could mean increased planning and spending around cybersecurity within many US-based companies.
“Yes, companies will have to spend more on improving their security posture, but it will prove worthwhile in the long run,” said RiskXchange CEO Darren Craig.
“The new rules are a game-changer because not only will security teams have the data and processes in place to assess a breach but will be in a better position to report the impact and rectify the damage.”
The SEC requirements around disclosing material cybersecurity incidents would require the filing of an amended Form 8-K. Other SEC rules require publicly traded firms to provide updated information about cybersecurity incidents that have already been disclosed. There’s also a requirement for the disclosure of a series of prior cyber incidents that have been found to have had a material effect on the company.
Cybersecurity experts are praising the new rules, stating that they will improve transparency and overall security. The current SEC rules on cybersecurity only encourage companies to disclose critical information of their own accord, which means incidents are often reported late, or sometimes not at all. The new rules will change all that.
“Although we are unable to determine the number of material cybersecurity incidents that either are not being disclosed or not being disclosed in a timely manner, the staff has observed certain cybersecurity incidents that were reported in the media but were not disclosed in a registrant’s filings,” the SEC stated in its proposed rule change document.
A material incident
The SEC outlines a material cybersecurity incident as “an unauthorised occurrence on or conducted through a [company’s] information systems that jeopardises the confidentiality, integrity, or availability of a [company’s] information systems or any information residing therein.”
The SEC also provided examples of cybersecurity incidents that could fit the criteria for being material in nature:
- An unauthorised incident that has compromised the confidentiality, integrity, or availability of an information asset (data, system, or network); or violated the registrant’s security policies or procedures. Incidents may stem from the accidental exposure of data or from a deliberate attack to steal or alter data.
- An unauthorised incident that caused degradation, interruption, loss of control, damage to, or loss of operational technology systems.
- An incident in which an unauthorised party accessed, or a party exceeded authorised access and altered or stole, sensitive business information, personally identifiable information, intellectual property, or information that has resulted, or may result, in a loss or liability for the registrant.
- An incident in which a malicious actor has offered to sell or has threatened to publicly disclose sensitive company data; or
- An incident in which a malicious actor has demanded payment to restore company data that was stolen or altered.
Full disclosure & fighting the threats
An important part of the proposed rules outlines a requirement for the disclosure of any board member who has expertise in cybersecurity. This not only highlights whether an organisation’s board has the right people in place but also ensures that cybersecurity is taken seriously and given the importance needed at a C-suite level.
Cyberattacks are increasing year on year. Verizon’s 2021 Data Breach Investigations Report (DBIR) states that phishing attacks are involved in 36% of data breaches. It also found that BEC and phishing attacks are the costliest causes of data breaches. The new SEC rules on cybersecurity will go a long way toward bringing these numbers down.
Cybersecurity experts are in agreement that the adoption of the new SEC rules will have a positive effect on cybersecurity and help the fight against cyberattacks. “It’s about time new rules like this were put into action. The SEC is leading the way by helping companies across America fight the threat of cyberattacks. Let’s hope the United Kingdom and the rest of the world soon follow suit,” added RiskXchange CEO Darren Craig.
The SEC states that the comment period for the new rules will remain open for 60 days following publication of the proposing release on the SEC’s website or 30 days following publication of the proposing release in the Federal Register, whichever period is longer.
Get in touch with RiskXchange to find out more about breaking down new SEC rules on cybersecurity risk management.
How RiskXchange can help
RiskXchange is one of the firms leading the fight against cybercrime, coming up with novel solutions to everyday problems experienced at the hands of hackers.
With full visibility over your ecosystem’s entire attack surface in near real time, you can regularly monitor and mitigate risks to prevent unnecessary exposures. Our passive data collection methods are effective and have no impact on your network performance. Using data-driven insights to prevent breaches is the best way to reduce an attack surface and prevent cyberattacks.
RiskXchange is an information security technology company, which helps companies of all sizes fight the threat of cyberattack by providing instant risk ratings for any company across the globe. RiskXchange was founded and is led by recognised experts within the security industry, who have held leading roles within companies such as IBM Security.