The Securities and Exchange Commission (SEC) proposed rules are intended to enhance and standardize disclosures regarding cybersecurity risk management, strategy and governance, as well as cybersecurity incident reporting, by public companies that are subject to the reporting requirements of the Securities Exchange Act of 1934.
Specifically, the proposal would include:
Incident reporting: The proposal would require companies to disclose information about a cybersecurity incident within four business days of the company determining that it has experienced a material “cybersecurity incident.” A Form 8-K filing would be required to report material cybersecurity incidents, including the following items, among others:
- When the incident was discovered and whether it is ongoing
- A brief description of the nature and scope of the incident
- Whether any data was stolen, altered, accessed, or used for any unauthorized purpose
The proposed rules would also require companies to provide updates on previously reported material cybersecurity incidents in periodic filings.
Risk management, strategy and governance: Required periodic disclosures regarding, among other things:
- A company’s policies and procedures to identify and manage cybersecurity risks, if any
- Management’s role and expertise in assessing and managing cybersecurity risk, and in implementing the company’s cybersecurity policies, procedures and strategies
- Board of directors’ cybersecurity expertise, if any, and its oversight of cybersecurity risk
- Whether the company engages assessors, consultants, auditors, or other third parties in connection with its cybersecurity risk management program
Why it is needed:
“Cybersecurity risks and incidents can impact the financial performance or position of a company. Consistent, comparable, and decision-useful disclosures regarding a company’s cybersecurity risk management, strategy, and governance practices, as well as a company’s response to material cybersecurity incidents, would allow investors to understand such risks and incidents, evaluate a company’s risk management and governance practices regarding those risks, and better inform their investment and voting decisions.”¹
Proposed SEC requirements:
Determining materiality of an incident:
In order to assess the materiality of a cybersecurity incident, a CISO needs both a firm grasp of cybersecurity and forensics and an understanding of the business processes the incident affects. Using the right tools, analytics, and cross-enterprise relationships leads to a better-informed decision about whether a cyber incident is material.
“Information is defined as material if there is a substantial likelihood that a reasonable shareholder would consider it important in an investment decision.” ¹
It is important to note that, under the proposal, a series of previously undisclosed, individually immaterial cybersecurity incidents can become material in the aggregate, and disclosure would then be required in the company’s periodic filings.
Considerations (examples of incidents that call for a materiality assessment; none of them is material by itself):
- The incident compromised the confidentiality, integrity, or availability of an information asset (data, system, or network).
- The incident violated the company’s security policies and procedures.
- The incident caused degradation, interruption, loss of control, damage to, or loss of operational technology.
- An unauthorized party accessed, altered, or stole sensitive business information, personally identifiable information, intellectual property, etc.
- A malicious actor has offered to sell or has threatened to disclose sensitive company data.
- A malicious actor has demanded payment to restore company data that was stolen or altered.
Disclosure trigger: The four-business-day clock starts on the date the company determines that the incident is material, not on the date the incident is discovered. This focuses the Form 8-K disclosure on incidents material to investors. The proposal also expects companies to make that materiality determination as soon as reasonably practicable after discovery, so the determination date cannot be deferred indefinitely.
Key groups responsible (roles and responsibilities):
CISO - Leads the response to the material incident. Has a direct line of communication to the legal team and the board of directors. Works with the legal team, board of directors, risk team, and the rest of the C-suite to determine materiality.
C-suite - Works with the CISO and the board of directors to orchestrate an effective communication and response plan. Provides company oversight and assists with strategic decision-making.
Board of Directors - Provides oversight and guidance on materiality, response and recovery. Maintains communication with the CISO throughout the entire process. The CISO, legal team, risk team and investor relations should each have a direct reporting line to the board so that reporting and response are effective.
Legal team - Collaborates with the CISO, disclosure committee and risk team to confirm that the reporting rules are being followed. Reviews the Form 8-K to verify that the reporting requirements are met before submission.
SEC - Receives the Form 8-K disclosing the material cybersecurity incident.