Earlier this year, the Securities and Exchange Commission proposed rules requiring public companies to say more about handling cybersecurity issues. Today, we’re examining those proposals — because even if you’re not a publicly-traded company, the SEC is driving at a question every modern organization needs to consider:
How should senior executives and boards manage cybersecurity risks?
The SEC’s proposal approaches that question from several different directions. Some proposed requirements urge a company’s board to communicate its plans to govern cybersecurity. Others are more relevant to the CISO, such as disclosing “material cybersecurity incidents” within four days of determining that an incident is material. (Never mind that materiality can be an enormously subjective decision that needs input from security, legal, compliance and other business functions.)
The SEC’s objective here is to give investors more visibility into the cybersecurity issues that a business is facing so that investors can make more informed decisions about whether to invest their money. That’s a laudable goal, but also consider the larger canvas: having such visibility into risk is helpful for any organization, publicly-traded or otherwise. Hence, the SEC’s plans are worth a close read.
The SEC’s proposed reporting requirements for public companies — so far
The SEC’s proposed requirements fall into two categories. First, every year in its annual report, a company would need to describe:
- The policies and procedures the company uses to identify and manage cybersecurity risks
- Management’s role in implementing cybersecurity policies and procedures
- The board’s cybersecurity expertise (if any) and its oversight of cybersecurity risk
Second, the company would also be required to file an additional disclosure whenever it suffers a material cybersecurity incident. The company would need to make that filing within four days of determining that an incident is indeed material, not within four days of its occurrence. Those disclosures would include details such as:
- Incident discovery date and time and whether the incident is ongoing
- A brief description of the nature and scope of the incident
- Whether any data was stolen, altered, accessed or used for other unauthorized purposes
- The effect of the incident on the company’s operations
- Whether the company has remediated or is in the process of remediating the incident
Then, as part of those annual report disclosures mentioned above, the company would also need to include updates about its previously disclosed material cybersecurity incidents.
These proposed requirements are still only that: proposed. The SEC posted them for public comment and has received extensive feedback. Whatever final rules the SEC adopts (expected sometime later in 2022) could look quite different from these proposals.
That said, even if the SEC never moves ahead with a final rule for expanded cybersecurity disclosure, the questions it has raised are ones that every organization should be able to answer to conduct business in the modern landscape. C-suites and boards should welcome the discussion the SEC has raised, no matter what.
Cybersecurity risk management is essential to business strategy, not an afterthought
As the SEC’s cybersecurity plans become more apparent, CISOs should address the fundamental issue of building risk management capabilities that meet their organization’s cybersecurity needs.
For example, these proposals don’t declare that a company must have a cybersecurity expert on its board nor specify how a company will identify cybersecurity risks. Theoretically, a company could say, “We don’t have any cybersecurity expertise on our board, and we only alert the board to material incidents in the quarterly briefing.”
Those are terrible answers, but they wouldn’t be illegal. They would, however, make your company’s poor governance choices stick out like a sore thumb, which is the whole point. By forcing companies to disclose how they handle cybersecurity, the SEC is pressuring companies to consider whether those practices are adequate or need improvement.
For many organizations, the answer is still “needs improvement.” Companies may be adept at the practical steps necessary to comply with numerous cybersecurity regulations — sending questionnaires to employees and third parties, testing internal controls, remediation steps and so forth — but they struggle with strategic issues. For example, how can CISOs deconstruct the cybersecurity challenges that might spring from the board’s business strategy? And then, how do they develop efficient techniques to keep those risks manageable?
Of course, all companies want to develop a better strategy — the question is how. CISOs will play a critical role in developing strategies to mitigate cyber risk. Understanding the proposed requirements can help CISOs frame the issues that boards, senior management and even CISOs must consider. For example:
- How does the board want to be briefed about cybersecurity risks? What does it want to know, and how often?
- How will the management team assess cybersecurity risks that arise from our operations? How can the C-suite embed cybersecurity concerns into business objectives and strategic planning?
- How can the company identify a material cybersecurity incident? How does the security team collaborate with legal and operating units to define that understanding?
Publicly traded companies will need to be able to answer those questions to satisfy the SEC’s forthcoming cybersecurity regulations. Private companies planning to go public will need to answer those questions in preparation for an IPO. Companies not planning to go public should answer those questions to be a more desirable third party to public companies concerned about third-party cybersecurity risks. In every way that matters for CISOs in today’s world, contemplating the cybersecurity risk management questions raised by the SEC is a valuable exercise.