New SEC Actions
The SEC is poised to issue groundbreaking cyber regulations soon. These changes will force a sea-change in how public companies manage cyber risk in the boardroom, govern cybersecurity across the enterprise, and disclose cyberattacks.
As SEC Chair Gary Gensler stated, “Today, cybersecurity is an emerging risk with which public issuers must contend. Investors want to know more about how issuers are managing those growing [cyber] risks. A lot of issuers already provide cybersecurity disclosure to investors . . . [Companies] and investors alike would benefit if this information were required in a consistent, comparable, and decision-useful manner.”
Collectively, these proposed rules will transform companies’ handling of cyber like Sarbanes-Oxley (SOX) did for financial accounting and reporting. And just like SOX, these cyber rules vastly increase visibility into corporate practices, all with the goal of protecting investors, consumers, and citizens.
The SEC has issued three proposals. The first, developed in early 2022, focuses on investment advisors and funds. The second, also issued in early 2022, aims broadly at public companies and is likely to take effect in the next several months. The third proposal, from early 2023, is specific to “Market Entities” – a cross-section of firms involved in the U.S. securities markets.
Table 1 at the end of this article summarizes the specifics of each proposal. But there are four common threads:
1. Cyber Risk Management and Governance
The SEC is demanding that companies covered by the proposals make cyber risk oversight, governance, and management more rigorous and consistent. Companies will need to review and improve – or design from scratch – a suite of strategic, operational, and tactical cyber risk management documents that specify the “how” of cyber risk identification, prioritization, mitigation, and monitoring. These plans will need to give regulators, customers, and the public confidence that cyber risks are well-understood and thoughtfully treated at all levels of the organization (e.g., risk owners, enterprise risk management, C-suite, Board).
2. Board and Corporate Management Accountability
The SEC is asking all public companies to disclose exactly how the C-suite and Board are involved with cyber risk management. This is a shot across the bow of the private sector: The federal government intends to hold corporate leaders responsible for cybersecurity mishaps. Companies need to show – through refreshed cyber risk management plans and procedures (see above) – that the corporation’s most senior leaders have visibility into and accountability for cybersecurity.
3. Incident Disclosure and Reporting
The SEC has decided that major cyberattacks are materially important to a company and its customers. Thus, through its proposals, it is demanding an unprecedented level of transparency and visibility into companies’ cyber incidents. While terms like “significant” and “material” cyber incidents remain frustratingly opaque, the intent is clear: Companies must come clean about cyberattacks, their consequences, and steps taken to respond and recover.
4. Technical Control Mandates
In the most recent rules proposal, the SEC is moving down a level: from policy, governance, and disclosure to technical control implementation. The SEC expects companies to demonstrate implementation – and presumably effectiveness – of core controls around identity and access management, third-party security, threat and vulnerability management, and incident response and recovery. The SEC’s message here? Our purview is more than paper.
Why Does It Matter?
The implications are massive. Ultimately, these rules are about transparency. Companies will soon have their cyber practices – including whether they have been breached – in the public domain like never before. And with visibility comes scrutiny and judgment from customers, shareholders, and investors. Corporations must do everything possible to “show the world” sound and rigorous cyber plans, governance, and technical controls. Reputation is at stake.
More tangibly, the rule proposals require companies to significantly elevate cyber risk management and oversight. No more burying cyber within corporate functions or delegating accountability to technology and security leaders. Executive management and the Board are on the hook.
Finally, the sheer scale of requirements is daunting. Companies face a growing to-do list, including:
- Navigate the alphanumeric soup of SEC disclosure rules and templates.
- Understand and implement risk management upgrades.
- Implement new policies, procedures, and technical controls.
Companies shouldn’t assume existing practices will meet the SEC’s expectations.
What to Do Now
Smart companies will act now. Here are several steps:
- Conduct an SEC Cyber Readiness review. Identify exactly what rule proposals apply to your company. Determine the extent to which your existing practices meet the SEC’s requirements. Identify the major gaps and set forth an action plan for addressing them.
- Enhance cyber risk management and reporting processes. Ensure your company has a systematic and repeatable approach for cyber risk management: identifying, prioritizing, mitigating (or accepting), validating, and reporting on cyber risks. Bake these approaches into enterprise risk management processes and forums where cyber risk conversations should be framed in simple business terms. Disseminate simple risk dashboards, ideally from an organization-wide governance, risk, and compliance platform, and reports to executive leaders and the Board. Codify cyber as an agenda item in C-suite and Board meetings. Determine your approaches for continually assessing and refining cyber risk management systems.
- Review disclosure procedures. Understand your company’s existing mechanisms for reporting and disclosure to the SEC and other regulators. Who is responsible? Who is accountable and has final approval? Work with these stakeholders – who may sit across legal, finance, and other corporate functions – to determine how to handle cyber-related disclosures.
- Educate and engage executives. Companies that have cyber-savvy leadership groups have made a concerted, long-term effort to “build the cyber IQ” of corporate officers and Board members. Companies should design and implement a series of practical workshops – educational but highly tangible – that expose executives and Directors to the reality of cyber: real-world threat scenarios, business impacts of cyberattacks, the existing cybersecurity posture of the company, and what to do in case of a major incident. These workshops are also mechanisms to stress-test risk management systems, incident response plans, and business continuity and disaster recovery playbooks.
- Test technical controls. Execute internal and external assessments of technical security controls. This can start with framework-based maturity assessments and continue into penetration testing and other more “hands-on” assessment techniques that provide deeper insight into control effectiveness against realistic attacks.
The SEC’s proposals are bold, detailed, and transformative. Compliance will require serious effort, and companies should get ahead now while the SEC refines the details.
Table 1: Summary of the three SEC cyber rule proposals

| Rule Names | Who’s Impacted? | When Are Rules Expected to Be Finalized? | Proposal Rule Details (What Companies Must Have or Do) |
|---|---|---|---|
| Cybersecurity Risk Management Rules and Amendments | Registered Investment Advisers and Funds (under the Investment Advisers Act and the Investment Company Act) | Initial Proposal: February 9, 2022; Comment Period Reopened: March 15, 2023; rules likely to be finalized in concert with proposed rule set 3 (focused on Market Entities) in mid-late 2023 | Establish policies and procedures, with mandated general elements, that reasonably address cybersecurity risks; report significant cybersecurity incidents (including on behalf of a fund or private client); disclose cyber risks and incidents (dating back two years) to an adviser’s clients and prospective clients; keep records of cyber policies and procedures and information about cybersecurity incidents |
| Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure | Public Companies (subject to reporting requirements of the Securities and Exchange Act) | Initial Proposal: March 9, 2022; rules likely to be finalized imminently in mid-2023 | Disclose material cybersecurity incidents within four days; disclose past cybersecurity incidents that would be considered material under the new rules; report cyber risk management policies and procedures, including the extent to which cyber is considered as part of business and financial planning; disclose the Board’s and management’s role in overseeing and assessing cyber risk, and management’s role in implementing cyber risk management policies and procedures; disclose Board member cybersecurity expertise |
| Addressing Cybersecurity Risks to the U.S. Securities Market | Market Entities (wide variety of securities market and financial services entities) | Initial Proposal: March 15, 2023; rules likely to be finalized in concert with proposed rule set 1 (focused on RIAs and Funds) in mid-late 2023 | Establish and maintain policies and procedures to reasonably address cybersecurity risks; review and assess policy and procedure effectiveness on an annual basis; disclose significant cybersecurity incidents immediately and, subsequently, the steps taken to respond; implement and maintain a collection of technical controls centered on access management, third-party risk management, threat and vulnerability detection and remediation, and incident response; disclose summary descriptions of cyber risks and any significant cyber incidents experienced each year |
To stay ahead of the SEC cyber rules curve with thoughtful, proactive cyber strategies, contact CrossCountry Consulting.