The Impact of the SEC Cyber Risk Management and Disclosure Rule
In this special edition of GRXcerpts, we’re diving into the pending SEC cybersecurity regulation and what this means for your organization.
A Year of Preparation
Publicly traded companies have spent the last year preparing for the Securities and Exchange Commission Cyber Risk Management and Disclosure rule, the rule that requires corporate boards to disclose cybersecurity incidents to investors and regulators within four business days.
The SEC believes that greater transparency and more timely disclosure about incidents will benefit investors; a breach affects a brand’s reputation, thereby negatively impacting a shareholder’s return on their investment.
The SEC cyber risk management and disclosure rule was first proposed in March 2022 and is more demanding and extensive than previous rules. This new regulation mandates timely disclosure requirements and emphasizes governance and strong protection against attacks. With cyber attacks on the rise and the impending implementation of the new SEC rule, companies must strengthen their cyber defenses, test their systems to failure, and take proactive measures toward cyber resiliency.
Intent of the SEC Regulation and Organizational Changes
The bottom line is that shareholders want to know their assets are protected and that their investments will not drop from a damaging cyber attack. The rule has also forced board members to become more familiar with their organization's cyber risks and prompted CISOs to improve their communication with the board. Historically, boards have struggled to understand the threat landscape, often resulting in cybersecurity being viewed as an unnecessary expense and CISOs becoming the scapegoat when a major incident occurs.
However, the new SEC rule is bringing about change, requiring public companies to report on the board’s cybersecurity expertise. According to a Wall Street Journal survey, we’re already seeing positive shifts, with 75% of board directors reporting that their board has at least one cyber expert. Many of the most prominent publicly-traded companies are recruiting former CISOs to help fill the gaps on their boards, moving cybersecurity from a rarely discussed back-office function to a boardroom priority.
But the board discussions and responsibilities don’t end there. Boards are now held accountable for overseeing cybersecurity and ensuring their organization's defenses are equipped to combat the evolving global threat landscape. Additionally, organizations must disclose to CISA whether cybersecurity is integrated into their business strategy, capital allocation, and financial planning.
Third-Party Risk Awareness
It's also no surprise that the SEC proposal emphasizes the increasing occurrence of cyber incidents originating from third parties, given that two-thirds of breaches happen through these providers. Executives need to be aware of their organization's reliance on third parties, the potential risks, and the control gaps. Although regulations for incident reporting are a positive development, executives must also take responsibility by supporting their security and risk management teams and implementing proactive measures to mitigate vulnerabilities.
Consequences for Non-Compliance
In closing, the SEC is serious about risk management strategies, governance, and disclosure. As evidence, the public software company Blackbaud was recently fined $3 million for making misleading disclosures about a 2020 ransomware attack that impacted more than 13,000 customers. Specifically, Blackbaud failed to disclose the full impact of the attack to investors, including that the attacker accessed and stole sensitive customer information, and now they’re paying for it.
While the SEC has not given an exact date for when the new rule will be published, organizations must take action now to protect sensitive data, build cyber resiliency, and safeguard shareholders from financial loss, to avoid costly fines. Will the new rule make for a safer, more transparent digital world? That’s our hope and the SEC’s ultimate outcome.
All information is current as of April 10, 2023.