Corporate risk and compliance officers already face a steady stream of cybersecurity concerns, so you might have missed this latest news: the U.S. Securities and Exchange Commission has proposed new rules requiring public companies to disclose more about how they handle cybersecurity.
For now, these proposed rules are just that: proposals. They are not final rules taking effect today that would force public companies to revisit immediately how they document and disclose cybersecurity events. But enhanced disclosure rules are coming, and probably soon. Compliance and risk officers would be wise to consider what the SEC is trying to achieve here, and what it implies for their risk oversight duties.
We can divide the SEC’s proposed rules into two parts.
First, public companies would need to disclose their broad approach to managing cybersecurity risks (in the annual report), including:
- The policies and procedures used to identify and manage cybersecurity risks
- Management’s role in implementing cybersecurity policies and procedures
- The board of directors’ cybersecurity expertise, if any, and its oversight of cybersecurity risk
Second, companies would also need to disclose “material cybersecurity incidents” on Form 8-K within four business days of determining that an incident is material.
We don’t know what the final version of these proposed rules will be, and we won’t for at least several months yet. Still, you can already see the broad goal that the SEC is trying to achieve.
The SEC is trying to drive better oversight of cybersecurity risks by pushing companies to be more forthcoming to investors about how those risks are managed.
That will have big implications for how the board, risk management, compliance, and IT security teams approach cybersecurity.
First, Risk Oversight
We can begin with those proposed annual disclosures of how the company manages cybersecurity risks. The key is the third bullet point above: reporting the board’s oversight of cybersecurity.
For a long while now, the SEC and many other prominent voices in corporate governance have said that the board should be responsible for ensuring that cybersecurity risks are addressed. The SEC’s proposed rules bring that demand into sharp relief: if the board doesn’t take responsibility for cybersecurity, the company will need to disclose that too, and that is not a flattering look in front of investors.
So, the very first step will be for senior executives and key risk assurance leaders (compliance officer, risk officer, CISO, perhaps the general counsel) to have a frank conversation with the board: “Some committee here needs to be responsible for cybersecurity; and that committee will then need to review and approve our cybersecurity plan.”
It may well be that your board doesn’t have members with sufficient cybersecurity expertise. In that case, another conversation needs to happen about recruiting such a person (or persons).
The next conversation will need to address the company’s tolerance for cybersecurity risk, and the roles and responsibilities of executives charged with managing cybersecurity on a daily basis. These are the other two bullet points above.
To some extent, this second conversation will be similar to other conversations about anti-corruption risk, or compliance risk generally. How much tolerance for this risk is the board willing to accept? How will management then develop a program to keep that risk within those tolerance levels?
These are good conversations to have, but remember the broad goal here: getting the board to assure that in-house executives are managing risk to the proper extent. The SEC has done this before with, say, financial reporting risks; the Justice Department has done it before with anti-corruption risk, via its many pieces of guidance about effective compliance programs.
Now the SEC wants to do the same for cybersecurity risk. Boards, CEOs, and the leaders of Second Line functions including IT security, legal, and compliance will need to figure out a game plan.
Second, Questions on Materiality
Companies will have a more pragmatic challenge, too. One SEC proposal is to require disclosure of “material cybersecurity incidents” on Form 8-K within four business days of determining that an incident is material. Under the proposal, that determination would have to be made as soon as reasonably practicable after the incident is discovered, so the clock cannot be held off simply by deferring the decision.
So what process will your company use to make that determination? More precisely, what objective, reliable, repeatable process will the company use to decide materiality, when cybersecurity events come in so many forms?
The SEC doesn’t offer many specifics on how to answer those questions. Under federal securities law a material fact is anything that, when disclosed, “would be viewed by the reasonable investor as having significantly altered the ‘total mix’ of information made available” – but applying that standard to many cybersecurity incidents will not be easy.
That analysis will require a blend of forensic capability, where you establish exactly what happened: which systems and data were accessed, altered, or taken, by whom, and for how long; plus an objective legal analysis of whether those facts pass the materiality test; sprinkled with a dash of ethical values: “Is this something we should disclose to investors, even though we’ll take a beating in the markets?”
If you don’t develop a rigorous process for this assessment – that is, if the company relies on management whims and best guesses from one quarter to the next – the potential for poor decisions goes up immensely. The wiser move will be to define policies and processes for a structured assessment of materiality. That process should also keep a running record of incidents that were assessed and judged immaterial, because the proposal would also require disclosure when a series of individually immaterial incidents becomes material in the aggregate.
Perhaps you can rely on cybersecurity frameworks to guide you as you develop those things; perhaps you can develop them internally with careful discussion and deliberation. But the ideal result will be a formal process that compliance, risk, legal, and IT security teams understand and follow.
Then, if everything falls into place, you have a board properly engaged in overseeing cybersecurity risk, and a defensible process to inform investors when you suffer a cybersecurity incident.
Whatever the final form of the SEC’s proposed rules might be, those two results will be worth having.
To learn more about the cybersecurity threat landscape and how to maintain compliance, check out the “Ransomware Attacks in 2022: Compliance Lessons Learned” webinar.