What are the changes from the current rules?
Current regulations require publicly traded companies to make disclosures regarding their business and operations, risk factors, legal proceedings, and corporate governance, among other things.
They do not specifically require disclosures related to cybersecurity incidents or board involvement in cybersecurity governance, although information may be provided if deemed particularly relevant.
The proposed rules would require disclosures about an organization’s cybersecurity risk management, strategy, and governance. They would also require timely notification of material cybersecurity incidents.
Who would the proposed rules apply to?
The proposed rules would apply to publicly traded organizations that are subject to the reporting requirements of the Securities Exchange Act of 1934. These organizations are required to periodically file reports and certain proxy statements with the Commission.
Why has the SEC proposed new rules?
There is an increased dependency on technology in our daily lives. This means more and more sensitive information is reliant on technology and needs protection by the organizations with which it has been entrusted.
When a material cybersecurity incident occurs at these organizations, there is no consistency in the timeliness of reporting or the information that must be provided about the incident.
Also, there is a lack of information about how organizations manage cybersecurity risks.
The purpose of the new rules is to standardize cybersecurity disclosures so that investors can have access to relevant information.
Key requirements if the rules are adopted
If adopted, the proposed rules will enhance or amend several of the current reporting requirements. These are primarily:
- Reporting of material cybersecurity incidents within four days
- Provision of updated disclosure in periodic reports about previously reported cybersecurity incidents
- Description of the organization’s policies and procedures, if any, for identifying and managing risks from cybersecurity threats, including whether the registrant considers cybersecurity risks as part of its business strategy, financial planning, and capital allocation
- Disclosure about the board’s oversight of cybersecurity risk, management’s role in assessing and managing such risk, management’s cybersecurity expertise, and management’s role in implementing the organization’s cybersecurity policies, procedures, and strategies
- Disclosure of whether any member of the organization’s board has expertise in cybersecurity, and if so, the nature of such expertise
This information would be provided on forms that are already required, such as Forms 10-K, 10-Q, 20-F, 8-K, and 6-K, and in proxy statements.
How organizations should prepare
The first step is for the board of directors to recognize that good cybersecurity governance is a journey, not a destination. As threats and technology evolve, security programs must adapt.
Boards need to fully understand the financial, reputational, and market impact a cybersecurity event could have. Depending on the organization, it may be useful to engage a third party to help facilitate this understanding. One or more board members should be given responsibility for overseeing the organization's cybersecurity, and cybersecurity should become a standing item on the board meeting agenda. The individual(s) will ideally have cybersecurity, governance, risk, and compliance expertise.
Next, an objective assessment of security across the organization's people, processes, and technology will help the board understand its current security posture and governance. If this is to be done in-house, the assessors should be independent of the functions they assess and qualified to conduct the assessment.
The results of this assessment should be reported back to the board highlighting areas of strength and weakness. From these results, a plan of action should be developed to address areas of weakness and align resources.
Updates on the status of the actions should be included in the board meeting agenda along with information about ongoing governance, risk, and compliance initiatives.
The proposed rule is currently undergoing review by OIRA (Office of Information and Regulatory Affairs). It is anticipated to be finalized in the first half of 2023. A link to the proposed SEC rule can be found here: Proposed Rule: Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure
Start your journey to compliance today!