August 9, 2022
Dean Flores
Principal, Risk Advisory Services Leader
Atlanta, GA

How to Prepare for the SEC’s New Cybersecurity Disclosure Rules
Earlier this year, the Securities and Exchange Commission proposed amendments to its cybersecurity disclosure rules. In its March 9 press release, the SEC stated that the amendments would “enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies.”
What does the SEC’s New Cybersecurity Rule Say?
The SEC’s views on disclosure have changed to reflect rapidly increasing cybersecurity risk and the information needs of investors. Many public companies already provide cybersecurity disclosure to their investors, but taken as a whole, these disclosures are often incomplete and inconsistent. The SEC intends to standardize disclosure requirements, providing investors timely, relevant information in “a consistent, comparable and decision-useful manner.” It is also serving notice of increased accountability for boards and senior management.
The proposed amendments include:
- Current reporting on material cybersecurity incidents
- Periodic reporting on policies and procedures to identify and manage cybersecurity risk
- Board oversight of cybersecurity risk
- Management’s role and qualifications to assess and manage cybersecurity risk, and implement robust policies and procedures
- Annual reporting on the board’s cybersecurity expertise, if any
What follows is an overview of what the boards and management of public companies should do to prepare for these requirements. All companies, public or private, need a strategy for cybersecurity risk management. The cost of devising and maintaining a dynamic, programmatic approach is a fraction of the cost of dealing with the fallout of a successful cyberattack.
Determine whether you have appropriate cybersecurity expertise on the board
The SEC wants registrants to disclose the specific details of their directors’ cybersecurity expertise. This is analogous to naming the financial experts who serve on a board’s audit committee and detailing their qualifications. While the SEC hasn’t specifically defined cybersecurity qualifications, it does list relevant experience, credentials and certifications. These include experience in information security, security analysis or audit, architecture, engineering, operations and incident response, and business continuity planning.
The proposed rules note that identifying these directors as experts neither increases their liability nor reduces the responsibilities or liability of other board members. The SEC clearly sees cybersecurity as a mission-critical function and responsibility. In its view, strengthening expertise at the board level will support more robust policy and a better understanding of cyber risk. Under the proposal, all of this would be disclosed in your annual reporting.
Establish a cybersecurity risk management program
Managing cybersecurity risk has to be part of your strategy, financial planning and capital allocation. The SEC proposes that public companies describe their policies and procedures for identifying and responding to cybersecurity risks and incidents. The risks in scope include operational risk, IP theft, fraud or extortion, harm to employees or customers, privacy violations and other legal exposure, and reputational damage. Complete, current documentation will be key to compliance.
Under the proposed rules, your company would have to disclose whether it has a cybersecurity risk assessment program in place and describe it. Details should include information about any consultants, auditors or other entities who work on your program. If you rely on third-party service providers, you would also have to describe your policies and procedures for managing the cybersecurity risk associated with their work for you.
Moving forward, your cybersecurity risk management program should include an active posture to prevent, detect and minimize the damage of cybersecurity incidents. This requires documented, detailed plans for business continuity, contingency, and recovery in the event of a cyber incident. Furthermore, you must learn from any failures and disclose the resulting improvements: any cybersecurity incident that occurs should drive appropriate changes in your governance, policies, procedures, and IT. You would also be required to disclose any risks or incidents that affect, or are reasonably likely to affect, your company’s operations or financial condition.
Develop your cybersecurity policies, procedures, and controls
The SEC last issued cyber risk guidance for public companies in 2018. Recognizing that the risk has increased substantially since then, the proposed rules are more demanding. Some public companies have already made meaningful enhancements to their cyber risk management and cyber governance; others will simply have to level up. The SEC intends to bring about more uniform disclosure of public companies’ strategy, controls, and obligations. This transparency will serve investors, analysts, advisors, and portfolio managers while making corporations more accountable.
Moving forward, companies would disclose their cybersecurity governance at both the board and management levels. This disclosure lists specific obligations and duties. Who is responsible for cybersecurity risk: the full board, individual directors, or a committee? Note these details along with a description of how the board is informed about cybersecurity risks and how often directors discuss the subject.
Your disclosure should also detail management’s approach to cybersecurity risk. Do you have a chief information security officer or other designated member of senior management responsible for assessing and managing the risk? You will also need to describe the processes for overseeing incident prevention, detection, containment, and remediation.
Track cybersecurity incidents and understand their materiality
The SEC’s proposed Form 8-K amendment would require companies to disclose material cybersecurity incidents within four business days of determining that an incident is material. Note that the clock runs from the materiality determination, not from the date the incident was first detected, so companies need a documented, timely process for making that determination. This is a major increase in responsibility.
In the event of a breach, your Form 8-K filing must disclose when the company discovered the incident and whether it has been contained or is ongoing. You must note whether the attackers stole or altered data, and detail the incident’s effect on operations and what the company is doing in response. Boards and their management now have to understand materiality and disclose the impact on the company’s financial condition, which includes estimating short- and long-term losses from the incident. The effects of a cybersecurity incident can start with a drop in your market cap, but that may only be the prologue. You will need to estimate potential damages including lost revenue, fines, penalties, and litigation. Your business continuity may also be affected. You should also estimate reputational damage and how you expect customers, partners, and vendors to respond.
In the past, boards and senior management often proceeded as though cyber insurance had transferred their risk to a third party. This is no longer a viable assumption. The increase in the frequency and severity of incidents has led insurers to raise premiums, lower limits, and add exclusions, so much of the risk stays with the insured. Boards should now assume that their companies are effectively self-insured for most cyber risks and the attendant costs of incidents. Planning on that basis will force an in-depth assessment of internal controls and corporate policies.
Your strategy for managing and disclosing material cyber incidents
As the SEC works toward finalizing its disclosure rules, public companies must acknowledge that incidents are inevitable and make preventive and detective controls central to their cyber risk management. Windham Brannon offers a suite of virtual Chief Information Security Officer (vCISO) services that align cybersecurity risk management with your business strategy and risks.
Windham Brannon can work with your board and senior management to assess your current cybersecurity governance. Once we define where you are, we’ll work with you to help you move toward where you need to be. This includes strategic guidance for senior management and in-depth planning, program design, staff training and ongoing monitoring. Cybersecurity risk is a moving target, and the SEC now expects you to embrace a new regime of ongoing assessment, optimization and reporting.
To discuss your company’s approach to cybersecurity risk and how we can help strengthen it, talk to your Windham Brannon advisor.
