After more than a year of debate, the SEC has published profound cyber disclosure and risk management rules for public companies. These rules are not just another set of cyber regulations. What Sarbanes-Oxley (SOX) accomplished with financial oversight, the new SEC cybersecurity disclosure rules will similarly jumpstart a transformation in the enterprise-wide management of and reporting on cyber risk.
What Are the SEC Changes?
The SEC is changing reporting requirements in three key ways:
- Material incident disclosure: Companies must disclose “material” cyber incidents within 4 days of determining that an incident was material. There are limited exceptions for national security. This manifests as a new Item 1.05 on Form 8-K.
- Cyber risk management: Companies must disclose processes for identifying, assessing, and managing material risks from cyber threats. This includes risks from past cybersecurity incidents that could materially affect the company. This is detailed in new Item 106 in Regulation S-K.
- Board cyber oversight: Companies must also describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats.
What Are the Implications?
Fundamentally, the rules drive a sea change in cyber visibility and transparency. Suddenly, corporations must show investors robust methods for proactively managing cyber risks, evaluating and assessing the business impact of cyberattacks, and governing cyber at the highest levels of the company.
The rules are also about executive accountability. Although the SEC did not mandate board-level cyber expertise, the requirement to describe the board’s cyber role will force executives and directors to become far more conversant in and comfortable with cybersecurity.
Related, the rules are about risk management rigor. By demanding visibility and mandating disclosures, the SEC is essentially telling companies: We expect you to have comprehensive, deep approaches for managing and mitigating cyber risks, and we expect the officers of the corporation to have some accountability for that.
What Should Companies Do?
There are three big themes. First, get organized:
- Organize the players. These rules stretch beyond the CISO or VP, Information Security. SEC filings typically sit with the Chief Accounting Officer or in Finance. Disclosing an incident requires Legal at the table. And the Chief Risk Officer or head of enterprise risk management will need to ensure cyber risk is managed consistently with other top organizational risks. Companies should get these stakeholders together early, perhaps as a tiger team to oversee the company’s compliance efforts with these rules.
- Baseline and plan for compliance. The tiger team’s first step is a quick assessment to figure out the biggest gaps between existing cyber risk and disclosure processes and the SEC’s requirements. The assessment should generate prioritized actions to rapidly ensure compliance.
Second, set the foundation:
- Define cyber materiality. This is fundamental to rules compliance. Companies should start with existing corporate definitions of materiality as reported to the SEC in other domains (e.g., finance). Then, incorporate proven methods for quantifying or articulating the business impact of cyber risks (e.g., the FAIR methodology).
- Create a uniform cyber risk picture. Underpinning the rules is the phrase “risk from cyber threats.” Companies need a singular, shared picture of the top cyber risks facing the company. This can manifest in a risk register, heatmap, or similar artifact, and becomes the “what” (actual risks) that informs the “how” (processes and procedures) of cyber risk management and disclosure.
- Strengthen cyber risk management. This is the hard work of updating or building cyber risk management policies, procedures, and governance mechanisms. This will look different for each company, but there are two universal goals: First, to have robust practices for the entire cyber risk management lifecycle (risk identification, risk prioritization, risk mitigation, and risk monitoring). Second, to clearly govern that lifecycle, with the right organizational entities and levels involved at clearly defined and appropriate times – including the C-suite and the board.
Third, engage – internally and externally:
- Educate executives and directors. Cyber has become a management and board topic but often remains technical, jargon-filled, and inaccessible to business leaders. This must change. Companies should implement hands-on learning sessions to raise institutional cyber IQ, paint a simple picture of cyber risk, and – easier said than done – agree on when and how executives and the board will engage on cyber risk management.
- Don’t go it alone. No one knows exactly what “good” compliance looks like yet. Companies should work with trusted peers to share approaches and best practices. Corporations can also look to cyber-related coalitions, like industry information sharing and analysis centers (ISACs), of which they may already be members, to share what is and is not working.
To stay ahead of the SEC cyber rules curve with thoughtful, proactive cyber strategies, contact CrossCountry Consulting.