SEC Amendments Make Cybersecurity Disclosure a Board-level Issue
The SEC released its final rule on Cybersecurity Risk Management, Strategy, Governance and Incident Response on July 26, 2023. With the final rules, public companies will be required to report material cybersecurity incidents and cybersecurity risk management processes in a standardized manner, subject to specific timelines in order to provide greater comparability of disclosures. Phased enforcement of the requirements begins December 2023.
To better understand what the SEC disclosure rules and the announced amendments mean for organizations, C-suite executives, and Board-level stakeholders, RadarFirst CEO Don India met with privacy, cyber, and risk experts Dominique Shelton Leipzig, Partner, Cybersecurity & Data Privacy at Mayer Brown; John Ablan, Partner, Corporate & Securities at Mayer Brown; and Chris Hetner, Senior Executive Board Director, former SEC Chair Senior Cybersecurity Advisor, and CISO, to investigate for RadarFirst Investigates why the SEC amendments make cybersecurity disclosure a Board-level issue.
About the SEC Disclosure Rules Amendments
Analysis of the disclosure rule amendments indicates that SEC regulators are not attempting to influence how organizations conduct risk assessments; they are only asking organizations to report on their processes. Per the SEC’s press release announcing the amendments:
“Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them,” said SEC Chair Gary Gensler.
With transparency into how organizations assess the materiality of cyber incidents, investors can be better informed about an organization’s security maturity. The SEC amendments do not prescribe any particular cybersecurity policy that organizations must adopt.
The amendment creates a new item on Form 8-K that asks companies to disclose cybersecurity incidents they have determined to be material, along with the impact on their financial condition, within 4 days of determining that the incident is material.
Registrants are not required to disclose specific or technical information in the 8-K, nor are they required to disclose whether particular data has been breached or how far along they are in their remediation process. However, organizations must determine whether an incident is material without undue delay.
If the information is not available within the 4-day window, issuers may omit it from the initial filing and supply it later through an amendment, and they must continue to work toward a materiality determination without undue delay. A longer delay may be permitted if immediate disclosure could endanger national interests.
Additionally, registrants will be required to disclose the processes they use to identify and assess cybersecurity incidents for materiality. They will also have to describe the Board of Directors’ oversight of cybersecurity risk. The disclosure does not require stating how frequently the Board discusses cybersecurity, nor does it require disclosing the credentials of any person designated as a cybersecurity expert.
Organizational Impact for C-level and Board
Experts from the RadarFirst Investigates panel agree that the new legislation is going to raise the bar on how cybersecurity information flows upward to the Board and how it shapes risk management across the organization. In light of the SEC reporting amendments, Boards and C-suites need to understand the importance of reporting on governance issues and the impact those issues have company-wide.
“This represents a seismic shift in how we govern overseas cyber from the top of the house.” – Dominique Shelton Leipzig
When it comes to investor management, organizations must think about the maturity of their cyber programs. Because any incident reported in a 10-K could prompt investors to look back through your organization’s cybersecurity history to judge your program’s maturity, Boards need to be asking where the organization stands on cyber preparedness and maturity.
Having a resilient cyber-preparedness program in place ahead of filings helps demonstrate to investors that the Board and CEO know how to lead with their data. The goal is a process that is consistent, collaborative, and documented.
Communicating Effectively to Board and C-Suite
Cybersecurity incident reporting should be viewed no differently from other enterprise exposures such as financial risk. However, because cyber exposure is described in dense technical language, organizations should work to make internal reporting “de-technical.”
There is a balance to strike between accepting risk exposure and growing the business, while recognizing that growth brings technical debt and cyber exposure with it.
“What the board is looking for is the de-technical to risk domains that represent potential interference to business strategy, or potential risks to business continuity, such as ransomware, you calculate the losses without operating your business effectively so they know what events will cost them.” – Chris Hetner
Ultimately, cybersecurity perfection is unattainable. Incidents will happen. The goal should be to deploy the right security tactics to suppress risk in a material way and to maximize resiliency. Growing your business inherently brings risk exposure, technical debt, and cyber exposure, but that does not mean you cannot work to mitigate material harm.
Understanding this balance, the Board can then determine how much risk it is willing to accept and how to manage it, following and monitoring risk decisions and risk suppression over time.
This allows Board stakeholders and C-suite teams to provide transparency to investors while understanding the implications of those risks, and equips them to speak about the implications and the actions being taken to avoid material incidents.
Next, you can build cyber maturity by asking how your organization can raise the bar on cyber reporting.