How the SEC Cybersecurity Rule Impacts Your Organization
In July 2023, the Securities and Exchange Commission (SEC) adopted new cybersecurity disclosure rules for public companies, with compliance dates beginning in December 2023. The rules change how publicly held companies identify, assess, and report cybersecurity incidents: they set detailed requirements for incident disclosure, a four-business-day reporting window that starts once an incident has been determined to be material, and disclosure requirements covering the board's role in cybersecurity risk oversight. Although stricter and more comprehensive than the guidance that preceded them, the new SEC cybersecurity requirements leave significant ambiguities for companies to work through, some of them by design.
In a recent discussion about the new SEC Cybersecurity Rule, Dave Stapleton, CISO of CyberGRX and ProcessUnity, and Bob Zukis, CEO of the Digital Director’s Network, analyzed some of the new mandates, key definitions (or the lack of them) and other ambiguities, the rule’s impact on the CISO’s role with respect to accountability and liability, and what organizations can do now to bolster their compliance posture.
What is the SEC’s New Cybersecurity Incident Disclosure Rule?
On July 26, 2023, the SEC announced in a press release that it had adopted final rules enhancing and standardizing disclosure requirements for cybersecurity risk management, strategy, governance, and incident reporting. First proposed in March 2022, the rules require domestic registrants and foreign private issuers to meet the following requirements:
Within four business days of determining that a cybersecurity incident is material, companies must disclose it on Form 8-K (Item 1.05) or, for foreign private issuers, Form 6-K.
Companies must disclose their cybersecurity risk management, strategy, and governance annually, on Form 10-K (Regulation S-K Item 106) or, for foreign private issuers, Form 20-F.
Companies must describe the board’s oversight of cybersecurity risk, identifying any board committee or subcommittee responsible for that oversight, and describe management’s role and relevant expertise in assessing and managing material cybersecurity risks. The final rule does not require companies to create a board committee or to appoint a cybersecurity expert to the board.
These requirements are intended to make cybersecurity disclosure more consistent, comparable, and timely, so that investors can weigh the downside risk a cybersecurity incident poses to the business.
Questions of Materiality
Arguably the most contested element of the new SEC cybersecurity rule is what counts as a material incident. Form 8-K/Form 6-K must be filed within four business days of a materiality determination, but the rule offers no cybersecurity-specific definition of “material”; it relies on the existing securities-law standard, whether a reasonable investor would consider the information important in making an investment decision. Regulators likely left the definition at that level deliberately, to push companies to apply judgment when assessing risk in their systems and to adopt a repeatable process that maps those system risks back to the business and its value proposition.
For example, if a cyber attack forces a manufacturing shutdown, would a reasonable investor consider the fact that the company’s information systems were compromised, and the resulting loss of production, important to their investment decision? Working through that question for each incident has the (intended) side effect of improving the organization’s risk visibility and awareness while serving the stated aim of protecting investors.
The Four-Day Reporting Window
Materiality ambiguities aside, the SEC cybersecurity rule gives a company four business days to file Form 8-K/Form 6-K once it has determined that an incident is material. The clock starts on the date of the materiality determination, not the date the incident was first discovered. That determination is in the company’s hands, but it is not open-ended: the rule requires it to be made without unreasonable delay after discovery, so companies need to settle internally what materiality means for them before an incident occurs. The only permitted delay in filing is a narrow one, where the U.S. Attorney General determines that disclosure would pose a substantial risk to national security or public safety.
New Requirements for Management and the Board
Under the new SEC cybersecurity requirements, companies must describe the board’s oversight of cybersecurity risk and identify any board committee or subcommittee responsible for that oversight. They must also describe management’s role in assessing and managing material risks from cybersecurity threats, including the relevant expertise of the managers or committees involved.
The SEC stopped short of requiring disclosure of how the board integrates cybersecurity into its strategic, risk-management, and financial-oversight functions, how often the board discusses cybersecurity, or the cybersecurity expertise of individual directors, all of which appeared in the 2022 proposal. Again, the SEC’s apparent intent is to create better board-level oversight processes by requiring transparency about them, without prescribing how those processes must work.
Complexities of Systemic Risk
The new SEC cybersecurity rule marks a turning point in the enterprise risk discussion because it brings systemic risk into the cyber risk conversation at this level for the first time. The rule’s definition of a cybersecurity incident does not distinguish between a company’s own systems and those of its third-party providers (IT outsourcing firms, cloud service providers, device vendors), so an incident at a provider is reportable if it is material to your company.
By covering incidents on outsourced as well as in-house systems, the rule signals the SEC’s intent to make boards and management focus on the maturity and transparency of third-party processes and integrations. Management teams will need to rethink how they manage cybersecurity in light of these potential disclosures, even though open questions remain about the cascading complexities of systemic risk.
For example, third-party incident disclosures could produce a wave of near-duplicate filings, a plausible scenario given how interwoven today’s digital and physical supply chains are. A cybersecurity incident causing a major outage at a large service provider could affect tens or hundreds of thousands of customers, each of which may have to assess materiality and disclose. This makes it crucial for supply-chain partners, especially technology providers, to understand their role in the ecosystem’s risk landscape.
The Importance of Third-Party Risk Management
In short, the new SEC Cybersecurity Rule is a step in the right direction for enterprise risk awareness and mitigation, both inside the organization and across its supply chain. To comply, firms must surface and address any third-party risks that could lead to a reportable incident, which again starts with deciding what “material” means for them. Working through those questions brings board directors and management closer to their third-party risk management programs and, ultimately, strengthens their own link in the supply chain.
A More Resilient Future
The SEC’s introduction of systemic risk and materiality into the compliance process should come as no surprise; several of the most damaging breaches of government networks in recent years came through the supply chain. In the SolarWinds compromise, for example, a trojanized update to the Orion platform gave attackers a foothold in the networks of multiple U.S. federal agencies through a single vendor. The SEC’s cybersecurity rules can be viewed as one component of a broader government effort to improve cyber resilience and governance in industry and, with it, the economic resilience of the U.S. As with all things cyber, more oversight regulations and compliance requirements are likely to follow in the coming months and years.
For enterprises concerned about these requirements, the path to compliance starts with visibility and situational awareness of both internal and supply-chain risks. Security teams can expect closer collaboration with, and sponsorship from, senior management and the board; the price of that partnership is more stringent expectations to detect, respond to, and mitigate incidents faster, backed by detailed reporting. For senior management, it means devoting more attention to a broader set of risk considerations, since executives must now periodically describe the company’s risk management program. Executives also need to understand exactly how their information systems create value for the business, directly and indirectly, because that understanding is what a materiality analysis rests on, and it drives the decision whether to disclose a cyber incident when (not if) one occurs.
The tactical steps necessary for compliance will improve the security posture of organizations. For most firms, the step-by-step process of examining how a potential incident is identified, measuring it against their definition of materiality, and communicating appropriately will uncover gaps in existing processes and help chart a path towards making the necessary improvements.
SEC Cybersecurity Rule preparedness includes identifying the vulnerabilities in your third-party ecosystem and taking proactive measures to mitigate your risks. When you book a demo, we’ll show you your riskiest third parties so you can safeguard your organization with confidence and avoid unnecessary material incidents stemming from your vendor network. Schedule your demo now.