What to really know about new SEC cybersecurity rules

It's not just incident reporting & a cyber expert on the Board

By now you've seen the countless articles bringing front and center the SEC's proposed new cybersecurity rules. I believe some aspects are getting plenty of attention while others are not, and it is those overlooked aspects that better characterize what will really be required of publicly traded companies after these rules take effect. Many articles on this development aren't digging in past the summary on the first page of the rules proposal (https://www.sec.gov/rules/proposed/2022/33-11038.pdf).

Let's break them all down.

Require current reporting about material cybersecurity incidents

First up "...requiring registrants to disclose material cybersecurity incidents in a current report on Form 8-K within four business days after the registrant determines that it has experienced a material cybersecurity incident". Also added would be:

  1. When the incident was discovered and whether it is ongoing;
  2. A brief description of the nature and scope of the incident;
  3. Whether any data was stolen, altered, accessed, or used for any other unauthorized purpose;
  4. The effect of the incident on the registrant’s operations; and
  5. Whether the registrant has remediated or is currently remediating the incident.

Prerequisite: A company would need a near or full 24/7 detection and response capability, along with some level of forensics, to be able to properly discover, react, and then report within a 4-day time frame. You'd also need legal counsel to help make the right decisions on whether this is even an incident. An incident response plan (IRP) with clearly identified roles would enable this; ideally, an IRP that's been through a tabletop exercise (TTX).

This is a significant requirement, and meeting it depends on a number of underlying capabilities. It's not as simple as "being able to report in 4 days".

Policies and procedures to identify and manage cybersecurity risks

The SEC is looking to "...require registrants to provide more consistent and informative disclosure regarding their cybersecurity risk management and strategy." Expanded, it would expect disclosure of whether:

  1. The registrant has a cybersecurity risk assessment program and if so, provide a description of such program;
  2. The registrant engages assessors, consultants, auditors, or other third parties in connection with any cybersecurity risk assessment program;
  3. The registrant has policies and procedures to oversee and identify the cybersecurity risks associated with its use of any third-party service provider (including, but not limited to, those providers that have access to the registrant’s customer and employee data), including whether and how cybersecurity considerations affect the selection and oversight of these providers and contractual and other mechanisms the company uses to mitigate cybersecurity risks related to these providers;
  4. The registrant undertakes activities to prevent, detect, and minimize effects of cybersecurity incidents;
  5. The registrant has business continuity, contingency, and recovery plans in the event of a cybersecurity incident;
  6. Previous cybersecurity incidents have informed changes in the registrant’s governance, policies and procedures, or technologies;
  7. Cybersecurity related risk and incidents have affected or are reasonably likely to affect the registrant’s results of operations or financial condition and if so, how; and
  8. Cybersecurity risks are considered as part of the registrant’s business strategy, financial planning, and capital allocation and if so, how.

Prerequisite: Without citing a specific standard or framework, this mirrors the expectations of a program built on NIST CSF or another modern control-based framework. A company would need a fully built and maturing cybersecurity program: one that starts with (and expects regular) risk assessment of the current state, establishes a target state, and crafts a roadmap to get from one to the other.

It's basic and direct.

Conduct a risk assessment, use third parties to validate the results, and establish a set of policies and processes in a program to be governed. Points 4 & 5 are a clear adoption of the NIST CSF categories "Protect, Detect, Respond, & Recover". The disclosures expected will require a level of detail on a company's overall cybersecurity program, its governance, reporting, and maturation plans over time. Without an established program, it would be impossible to meet this requirement. It's more than just proving that written policies are documented.

The SEC is looking for a program.

Board of directors’ cybersecurity expertise, if any, and its oversight of cybersecurity risk

The proposed rule expects the "...disclosure of a registrant’s cybersecurity governance, including the board’s oversight of cybersecurity risk and a description of management’s role in assessing and managing cybersecurity risks, the relevant expertise of such management, and its role in implementing the registrant’s cybersecurity policies, procedures, and strategies."

It's more than just the Board. In fact, the role of the CISO must be established and filled, and both the CISO and the person they report to must have cybersecurity expertise that's disclosed in filings. This means if the CISO reports to the CIO/CFO/GC, the expertise of that individual is disclosed. The rule also expects disclosure of:

  1. Whether the entire board, specific board members or a board committee is responsible for the oversight of cybersecurity risks;
  2. The processes by which the board is informed about cybersecurity risks, and the frequency of its discussions on this topic; and
  3. Whether and how the board or board committee considers cybersecurity risks as part of its business strategy, risk management, and financial oversight.

Prerequisite: Each company will need a CISO, a person the CISO reports to, and a Board with directors that individually or as an informed committee have cybersecurity expertise. A governance cadence will need to be established covering how often the Board is briefed and ensuring topics specifically address "the prevention, mitigation, detection, and remediation of cybersecurity incidents".

I don't believe we'll see an influx of CISOs being handed Board seats. While there is a subset of CISOs in the community who will, many do not have the executive presence or depth in other areas that make a good independent director for a Board.

Conclusion

As this proposal moves forward and a compliance date is established, it will be a serious lift for many. There are roughly 9000 publicly traded companies in the US under SEC guidance. With only 2/3 of the Fortune 500 even having a CISO, it's clear that a significant amount of work and talent is needed to meet these new regulations.

Need to navigate these new SEC rules? Contact us at SideChannel.com

Brian - thanks for sharing this. This is a concise summary and will be useful for the group! Dmitriy

Rob Black

I help business leaders manage cybersecurity risk to enable sales. 🔷 Virtual CISO to SaaS companies, building cyber programs. 🔷 vCISO 🔷 Fractional CISO 🔷 SOC 2 🔷 TX-RAMP 🔷 LinkedIn™ Top Voice

1y

Good analysis.

☁️ Christophe Foulon 🎯 CISSP, GSLC, MSIT

Microsoft Cloud Security Coach | Helping SMBs Grow by Enabling Business-Driven Cybersecurity | Fractional vCISO & Cyber Advisory Services | Empowering Secure Growth Through Risk Management

1y

Great information, Brian Haugli, thank you for sharing.

Dr. William Dicker

Information Security, Risk and Compliance

1y

Hello Brian. This was a wonderful read and great summarization you posted. I am very concerned with the lack of qualified cyber experts compared to the CISO requirement. Although some infosec experience is better than none for public companies, I fear companies will start promoting less-experienced infosec employees to CISO positions just to check the block.

Great read, Brian Haugli. I ended up skimming the SEC doc. There is a lot of latitude given on what constitutes a "material" incident. "A materiality analysis is not a mechanical exercise, nor should it be based solely on a quantitative analysis of a cybersecurity incident. Rather, registrants would need to thoroughly and objectively evaluate the total mix of information, taking into consideration all relevant facts and circumstances surrounding the cybersecurity incident, including both quantitative and qualitative factors, to determine whether the incident is material. Even if the probability of an adverse consequence is relatively low, if the magnitude of the loss or liability is high, the incident may still be material; materiality “depends on the significance the reasonable investor would place on” the information. Thus, under the proposed rules, when a cybersecurity incident occurs, registrants would need to carefully assess whether the incident is material in light of the specific circumstances presented by applying a well-reasoned, objective approach from a reasonable investor’s perspective based on the total mix of information." Do you think this will lead to under-reporting?