SEC Cybersecurity Rules Update
The Complete Guide
Table of Contents
Introduction 1
What to Know Now: Dates and Basic Action Plan 3
Overview of the SEC Cybersecurity Disclosure Requirements 5
How to Prepare for Compliance With SEC Cybersecurity Rules 17
The SEC Cybersecurity Rules Demand Integrated Risk Management 19
Introduction
Every company should feel urgency about maturing cybersecurity
risk management. That’s the core message behind the heightened
regulatory focus on cybersecurity — and with the U.S. Securities
and Exchange Commission’s (SEC’s) final cybersecurity disclosure
requirements for public companies taking effect in September
2023, it’s about to get real. The SEC cybersecurity rules will have a
significant impact on your organization and role.

Cybercriminals keep finding new ways to monetize cyberattacks, prey on geopolitical instability, evade detection, exploit or re-weaponize vulnerabilities, and use AI to conduct attacks. Cyber attacks keep growing in sophistication, relentlessness, and destructiveness, and the resulting costs and adverse consequences can be monumental.

Beyond business interruptions, lost revenues and assets, reputational damage, remediation costs, ransom payments, and liabilities to affected parties, national security and public safety are at stake.

auditboard.com 1
The risk is widespread and likely underreported. Citing a recent study showing that 98% of organizations use at least one third-party vendor that has experienced a breach in the past two years, the SEC has decreed that the time is now for enhancing and standardizing cybersecurity disclosures.

If you’re a leader at a private company, you may be thinking, “But this doesn’t apply to me.” You’re right. Officially, it doesn’t. But many private companies are third parties to public companies – and thus potentially liable for any cyber incidents impacting public companies. Plus, investors and other stakeholders often hold private companies to the same standards as public companies, and the SEC’s final rule is a good example of what we can expect from other cybersecurity legislation on the horizon, much of which goes beyond public companies. Most importantly, to find a cybersecurity solution for everyone, we need to admit that cybersecurity is everyone’s problem — and good cybersecurity risk management, strategy, and governance principles are universally applicable.

Whatever your business or industry, it’s time to get your head around the SEC’s cybersecurity disclosure rules and similar legislation expected in 2023. Disclosure will require both accuracy and speed: accuracy to determine the materiality of cybersecurity incidents, and speed to meet the 4-business-day requirement for disclosing material cybersecurity incidents. Plus, the SEC’s final rule marks a critical development in regulating cyber risk that underscores the importance of getting integrated risk management (IRM) processes in place — not just to comply with SEC cybersecurity rules, but to ensure you’re doing the right things to protect, defend, and enhance your business.

You may have less time than you think. Your organization should be working now to get the processes and technologies needed to support effective cybersecurity disclosures in place by December 31, 2023.

What to Know Now: Dates and Basic Action Plan
So, which rules apply to your business, when do they take effect, and what needs to happen to get your business on the path to compliance?
The table below offers an overview, breaking the new rules down into key items, compliance dates, and recommended actions.

What to Do Now
Now that you’re clear on applicability, dates, and recommended
actions, make sure you’re clear on what they mean for your
organization in the short term. In particular:

• Annual report considerations — Organizations will need to issue disclosures in 2024. For calendar fiscal year issuers, disclosures will include the cybersecurity risk management and governance they have in place on December 31, 2023 — including the processes and methodologies used to determine materiality.

• Continuous monitoring considerations — Organizations need to begin monitoring for cyber incidents and materiality on December 18, 2023, so they’re ready to comply with immediate reporting requirements for material cybersecurity incidents.

In other words, you may have less time than you think. Your
organization should be working NOW to get the processes
and technologies needed to support effective cybersecurity
disclosures in place by December 31. For most organizations,
that includes assessing gaps, establishing and integrating disclosure
processes, developing capabilities, and updating risk quantification
and incident management processes (including setting thresholds
and building workflows to assess materiality), engaging the board,
and more.

Overview of the SEC Cybersecurity Disclosure Requirements
The overview table and detailed breakdowns below simplify the how, when, and what of the final rules. By adopting these final rules, the SEC
aims to provide greater transparency into how companies are managing their cybersecurity risk; accordingly, mandatory disclosures will be
made via Form 8-K, 8-K/A, and 10-K filings (20-F, 6-K, and 6-K/A filings for foreign private issuers), meaning that all information becomes
public record. There are no requirements for the SEC to keep any information non-public. That means investors and other stakeholders can
use it in their decision-making — and regulators and attorneys can use it for their purposes.

The SEC Cybersecurity Rules Update At a Glance


The SEC received more than 150 comment letters in response to its proposing release. The final rule details many of the comment letters’
concerns and recommendations, explaining whether (and how) final rules were modified in response. While this is helpful in understanding the
SEC’s process and reasoning, the resulting 186-page PDF release of the final rule doesn’t exactly make for light reading.

With that in mind, I’ve gone through the complete release with a fine-toothed comb to create a summary table that tells you everything you
really need to know. For the sake of simplicity, our summary focuses on the requirements for US companies. Following the overview table, you’ll
also find a more detailed discussion of each disclosure requirement highlighting key considerations and differences between the draft and final
regulations. All page numbers refer to the SEC’s final rule PDF (which has been conformed to the Federal Register version).

Note that the SEC has divided the requirements into two reporting categories: “current,” which includes material incident disclosures made in 8-K
filings, and “periodic,” which includes required disclosures on cybersecurity risk management, strategy, and governance provided via 10-K filings.

Disclosure Requirements for Material Cybersecurity Incidents

To keep it simple, the SEC’s current reporting requirements (Form 8-K Item 1.05) are about being able to:

1. Identify material cybersecurity incidents.
2. Quantify their impact.

There will be a lot to pull together in a very short time frame, from the material incident determination to 8-K filing. For most organizations, this will require much more timely investigation and quantification around cybersecurity risk than is being done today.

The final rule includes several noteworthy changes from the original proposal, including:

• No specific materiality definition. The SEC declined to adopt a cybersecurity-specific materiality definition, stipulating, “we expect that registrants will apply materiality considerations as would be applied regarding any other risk or event that a registrant faces.” (See p. 80.)

• Limited delays permitted:

  • In verified matters of national security or public safety. Companies may delay disclosure if the U.S. Attorney General (AG) “determines immediate disclosure would pose a substantial risk to national security or public safety.” In these circumstances, written notification from the AG to the SEC is required. (See pp. 34-35.)

  • For entities subject to the Federal Communications Commission’s (FCC’s) customer proprietary network information (CPNI) rule. The SEC permitted this exception given concerns about a potential conflict with existing FCC rules. (See pp. 41-42.)

• No required disclosures regarding remediation status. The final rule did not adopt the proposal to require disclosure regarding the incident’s remediation status, whether it is ongoing, and whether data were compromised. The SEC considers that registrants will determine as part of materiality analyses whether such disclosures are necessitated. (See p. 30.)

• No required disclosure of immaterial cybersecurity incidents in aggregate. The proposal to require disclosure when a series of previously undisclosed individually immaterial cybersecurity incidents become material in the aggregate was not adopted. (See pp. 52 and 140.)

• No aggregation requirement for related incidents. The proposed aggregation requirement to capture the material impacts of related incidents was not adopted. (See p. 52.) That said, the SEC’s adopted definition of “cybersecurity incident” does extend to “a series of related unauthorized occurrences.”

• Rejection of periodic reporting only. The suggestion to replace Item 1.05 with periodic reporting of material cybersecurity incidents on Forms 10-Q and 10-K was not adopted, since such an approach may result in significant variance as to when investors learn of material cybersecurity incidents. (See p. 36.) Instead, updates to prior incidents reported via 8-K filings will be made in an 8-K amendment rather than in a 10-Q or 10-K. In other words, all cybersecurity incident information will be disclosed in current rather than periodic reports.

Disclosure Requirements for Cybersecurity Risk Management and Strategy

The cybersecurity risk management and strategy disclosure requirements (Regulation S-K Item 106(b)) aim to provide a consistent, comparable view of cybersecurity risk management programs that offers insight into program capabilities, strategy, and effectiveness. To this end, companies will be required to affirm whether they have a cybersecurity risk assessment program, how it works, how it fits into overall risk management, and whether it uses third parties. Notably, this will include disclosing a description of “whether any risks from cybersecurity threats have materially affected or are reasonably likely to materially affect their business strategy, results of operations, or financial condition.”

The final rule includes a few noteworthy changes from the original
proposal, including:

• Streamlining of required disclosure elements. Commenters expressed concerns that disclosing specific policies, procedures, and technologies could undermine cybersecurity and increase vulnerability to cyberattacks. Others worried that elements were overly prescriptive, such that companies would feel pressured to model policies on the final rule’s disclosure elements rather than what was best-suited to each company’s unique circumstances. In response to these concerns and others, the SEC eliminated several elements to support “disclosure of information material to the investment decision of investors… while steering clear of security sensitive details,” including:

  • Substituting the word “process” for “policies and procedures,” to avoid disclosing details (or the lack thereof) that could be weaponized. (See p. 60.)

  • Removing proposed disclosures of “prevention and detection activities,” “continuity and recovery plans,” and “previous incidents” and requiring only high-level disclosures regarding third-party service providers. (See p. 62.)

  • Clarifying that elements listed are non-exclusive, such that registrants should also “disclose whatever information is necessary, based on their facts and circumstances, for a reasonable investor to understand their cybersecurity processes.” (See p. 63.)

Disclosure Requirements for Cybersecurity Governance
Finally, the cybersecurity governance disclosure requirements
(Regulation S-K Item 106(c)) ask companies to account for how
material cybersecurity risks are overseen at the board level, assessed
and managed at the management level, and communicated
to the board. This approach encourages a fresh look at how
cybersecurity risk management connects with strategy and
integrates with overall risk management.

The final rule includes a couple of noteworthy changes from the original proposal to require “less granular” disclosures, including:

• No required disclosure regarding the board’s cybersecurity expertise. The proposed requirement to disclose the cybersecurity expertise of a registrant’s board members was not adopted. (See p. 140.)

• Limiting required disclosures to those the SEC believes “balances investors’ needs to understand a registrant’s governance of risks from cybersecurity threats in sufficient detail to inform an investment or voting decision with concerns that the proposal could inadvertently pressure registrants to adopt specific or inflexible cybersecurity-risk governance practices or organizational structures.” (See pp. 70-71.)

It’s important to appreciate that, if the SEC had mandated the
disclosure of board cybersecurity expertise, it may have offered
investors a deceptive comfort. Board members’ fundamental role is to
oversee risk, not directly handle it. Their expertise should be reflected
in their ability to guide, not operate. That said, even without a concrete
mandate to disclose cybersecurity proficiency within the board, the
need for it remains implicit in the final rules.

How to Prepare for Compliance With the SEC Cybersecurity Rules
The best way to organize your to-do list is to start at the end and work backwards: Make sure you understand the final rules,
and let that guide your analysis of what needs to be done. Look beyond disclosure preparation to ensure you have the needed
infrastructure in place. Use the recommended action plan provided above to get started.

Again, to ensure the speed and accuracy needed for identifying incidents, assessing materiality, and preparing disclosures within
the 4-business-day requirement, an IRM approach will be critical. IRM and IRM technologies can help you connect and streamline
processes, controls, and teams to enable effective cross-functional collaboration and risk and impact quantification. The graphic
below illustrates the interplay between the new rules and the bigger picture of IRM and IRM technologies, including the four
universal IRM objectives of better performance, stronger resilience, greater assurance, and more cost-effective compliance.
Most companies have work to do in connecting technology and teams. AuditBoard’s 2023 Digital Risk Report
found that only 30% of organizations currently use cloud-based risk management software to manage digital
risk. Another 18% use on-premises risk management software, 44% still rely on manual technologies (e.g.,
spreadsheets, email, shared drives, and SharePoint), and 8% do not manage digital risk at all.

The SEC Cybersecurity Rules Demand Integrated Risk Management

With their final rules, the SEC has elevated IT risk and cybersecurity as true business risks. This is an important step in helping organizations to understand and manage their entire spectrum of strategic, operational, financial, and digital risks, helping them to make more informed, timely, and strategic decisions. But companies face significant challenges in maturing risk management and determining materiality. According to the SEC’s 1999 Staff Accounting Bulletin No. 99 and a March 2022 statement from Acting Chief Accountant Paul Munter, determining materiality is both qualitative and quantitative. It cannot be calculated using a formulaic method. As I told InformationWeek, “Determining materiality for cybersecurity will, in my opinion, require an integrated view of risk — tying cybersecurity to critical areas of the business operations. Without this view, the impact on a reasonable investor cannot be determined.”

An IRM approach is crucial for linking cybersecurity, operational, and enterprise risk to determine materiality. Audit, risk, compliance, and ITRM professionals will be forced to work together to come up with solutions, engendering a clearer understanding of cybersecurity’s impact on the business — and better alignment of technologies, processes, and business outcomes.

Every organization should recognize that the SEC cybersecurity rules are part of a larger trend toward integrated reporting and risk management. Just like standalone financial reports don’t give the full picture of how a business is doing, disconnected technologies aren’t effective in meeting today’s risk management challenges. Integrated technology solutions bring together different data and perspectives into a common risk framework — creating an integrated view of risk that connects people, increases understanding, enables prioritization, and supports performance, resilience, assurance, and compliance. If your organization is still dragging its feet on integrating risk management, 2023 is the time to get moving.

To learn how AuditBoard can help streamline your compliance efforts, request a tailored demo here.

About the Author
John A. Wheeler is the Senior Advisor, Risk and Technology for AuditBoard, and the founder and CEO of Wheelhouse Advisors. He is a former Gartner analyst and senior risk management executive with companies including Truist Financial (formerly SunTrust), Turner Broadcasting, Emory Healthcare, EY, and Accenture.

About AuditBoard
AuditBoard is the leading cloud-based platform transforming audit, risk, IT security, and ESG management. More than 40% of the Fortune 500 leverage AuditBoard to move their businesses forward with greater clarity and agility. AuditBoard is top-rated by customers on G2, Capterra, and Gartner Peer Insights, and was recently ranked for the fourth year in a row as one of the fastest-growing technology companies in North America by Deloitte. To learn more, visit: AuditBoard.com.

© 2023 AuditBoard, Inc.