New SEC Cyber Risk Management Rules Made Easy

Click here to listen to this article via the BreachRx Blogcast

The US Securities and Exchange Commission (SEC) voted 3-2 this past Wednesday to adopt new regulations taking effect in December aimed at enhancing cybersecurity transparency and accountability for publicly traded companies. These regulations will require businesses to promptly report cybersecurity incidents with material impact, disclose their cybersecurity risk management practices, and detail cyber risk oversight at the board level. This will enable investors, as part of the larger market, to reward or punish companies for their cyber practices, particularly if they have a data breach.

The new measures have garnered a mixed reaction, with proponents applauding the push for better security practices while others express concern about the additional compliance burden. With over 180 laws globally and more added continually, however, companies take on ever-increasing risk by not proactively preparing for their requirements. Fortunately, the key aspects of the approved SEC rules and its implication for the cybersecurity landscape are readily manageable through a combination of existing best practices and technology automation.

The SEC’s Cyber Incident & Risk Reporting Framework

Under the new rules, public companies must notify the government and the public within four days of determining that a cybersecurity incident will have a material impact on their business operations, revenues, or stock price. The disclosure should include information about the nature, scope, and timing of the incident, as well as the likely material impact on the company’s financial condition and operations. This transparency aims to address information asymmetry between companies and investors and enable more informed decision-making.

A key aspect of this requirement is how the materiality of incidents is determined as that starts the four day clock. This vital factor is more of an art than an exact science in current best practice. It requires a meticulous evaluation of all relevant facts and circumstances, encompassing both quantitative and qualitative aspects. A proactive and timely materiality analysis is also paramount, even if full incident details are not yet available. Even incidents with low probabilities of adverse consequences can be deemed material if they pose substantial losses or liabilities. 

This crucial decision relies on the significance that a reasonable investor would attach to the information. Companies must consider potential impacts on their reputation, customer relationships, and competitiveness, along with the possibility of litigation or regulatory actions. Intellectual property theft, fraud, privacy law violations, and reputational risks are some of the material risks involved. By prioritizing the protection of their most critical assets, organizations can navigate the complexities of cyber incidents and safeguard their stakeholders’ interests. Understanding materiality and its significance is now a crucial step in a robust cybersecurity strategy for public companies.

The SEC directives follow a number of recent global trends in incident notification requirements from regulators. Similar to other recent laws, for example, the SEC does not require incidents involve personal identifiable information (PII) to make them material—they must be reported regardless of the type of data. Incidents under the rule can include one or more unauthorized occurrences on or through the organization’s systems that jeopardize their confidentiality, integrity, or availability or the data they store. Additionally, incidents on third parties systems are not exempt from notification; in other words, the materiality of an incident does not depend on the location or ownership of the relevant electronic systems. Further, the SEC appears to be looking for continuous reporting for incidents if the company is unclear within the four day timeline of its ultimate outcome.

In addition to the incident reporting requirement, the SEC approved directors that also require public companies to disclose their cybersecurity risk management, strategy, and governance in their annual filings. This includes providing details on how the board of directors oversees cybersecurity risks and identifying a committee or subcommittee responsible for oversight. How boards approach this requirement remains to be seen, given the dearth of real cyber expertise from members—typically pooled from CEOs, CFOs, and COOs—who sit on boards.

Ultimately, the SEC directives can more simply be summarized as four requirements, implemented largely through periodic reporting:

1. Report material cybersecurity incidents within four business days.
2. Inform shareholders of minor cyber incidents that, when combined, become material.
3. Detail policies and procedures for identifying and mitigating cyber risks.
4. Describe risk governance processes.

By making these disclosures mandatory, the SEC aims to encourage companies to prioritize and invest in cybersecurity measures and ensure effective risk management strategies are in place. And with a generous four day reporting requirement over the more typical seventy-two hours of most laws and 90 additional hours over the most onerous, the SEC has clearly aimed for reasonableness in its approach. Some companies, however, remain apprehensive about the directive.

Concerns and Perceived Challenges

Despite the positive intent behind these regulations, some organizations and industry stakeholders are still expressing concerns about the potential increased compliance burden and the risk of disclosure aiding cyber criminals and malicious attackers. Businesses argued for a number of exemptions prior to the directive’s adoption, including arguing that disclosure of incidents would potentially tip-off threat actors, putting law enforcement and national security at risk. 

In the end, the SEC didn’t include an automatic law enforcement exception in its final rule. The SEC did provide a process whereby the US Attorney General may submit a written request for a delay of 30 days, which could be extended, if a disclosure would significantly impact public safety or national security. Additionally, companies are not required to disclose specific technical details of incidents, greatly reducing the risk of aiding attackers. This process should reassure organizations that their sensitive information will be protected.

Furthermore, the final rule excluded a proposed requirement on identifying specific board members with cybersecurity expertise. Given board member backgrounds are public, and the committee responsible is required to be reported, the equivalent information is already readily available to regulators and investors. Board oversight, including member expertise, is likely to be more deeply examined when material incidents are reported. This should drive organizations to focus more strategically and ideally more proactively on cybersecurity.

While the new regulations may create additional compliance efforts, they also present unique opportunities for companies to improve their security posture and build investor trust. By disclosing cybersecurity risk management processes, companies can arm investors with valuable information, which may prompt better security practices. Furthermore, the increased transparency will foster more consistent and predictable cybersecurity disclosures, leading to greater comparability among companies’ security measures.

Implement Incident Response Automation to Comply

The SEC’s approval of these cybersecurity requirements marks a significant step in advancing cybersecurity practices and risk disclosure standards in the corporate world. As the threat landscape continues to evolve, these regulations will likely play a crucial role in enhancing the overall security posture of public companies. And regardless of perceived implementation challenges, existing technology automation like the BreachRx incident response platform and Cyber RegScout™ directly fulfill these requirements and can significantly reduce the burden of these and similar compliance requirements for businesses.

Technology automation can help organizations to comply with this and other regulations by automating incident response planning and testing. Proactive preparation conclusively saves nearly $1.5M during an average-sized incident response. Similarly, running tabletop exercises and practice simulations delivered a measured savings of $2.66M per incident. And these aren’t the only beneficial outcomes. Incident response automation brings additional advantages beyond covering regulatory notification requirements. For example, it streamlines the ability of teams to collaborate and respond to incidents with greater accuracy and speed, minimizing the impact of incidents and reducing downtime and data loss. It also enables more rapid compliance with the criteria in popular global cybersecurity frameworks, like SOC 2, ISO 27001, and the NIST Cybersecurity Framework.

Ultimately, automation enables organizations to act decisively in the event of a security incident, separate what matters from the nonessential, and prioritize their response efforts across the entire business. Through technology, as in other parts of the business, teams reduce risk and increase cyber resilience with technology that addresses incident response.

Outlook

With the SEC’s approval of new cyber reporting regulations for public companies, cybersecurity continues to move to the forefront of corporate governance and disclosure practices. These regulations represent a decisive move towards greater transparency and accountability, allowing investors to make more informed decisions while encouraging companies to strengthen their cybersecurity posture. While there may be apprehension about complying with these new rules, the potential positive impact on investor confidence and the overall cybersecurity landscape cannot be ignored. 

Further, given cyber threats continue to evolve, staying vigilant and proactive in safeguarding sensitive and customer data is no longer a secondary concern but a top priority for businesses operating in the digital age. Fortunately, technology automation can readily augment best practices to rapidly position companies to cover this directive and the myriad other regulations around the world. As the business world implements the SEC requirements, we can expect to see heightened cyber resilience and improved risk management strategies across industries, creating a safer digital environment for everyone.