The SEC Cybersecurity Rule and the CISO’s Pivotal Role
When the government perceives that those entrusted to its care are in danger, it takes action. Case in point: the seatbelt law. Since the 1970s, the National Highway Traffic Safety Administration (NHTSA) has lobbied for passive restraint systems to protect drivers and passengers in the event of a crash. Though controversial when the rules were first introduced, the impact of seatbelt laws has been significant and positive, leading to a notable reduction in traffic-related fatalities and injuries.
Just as it did with the seatbelt law, the government is launching a new rule to protect investors from a different kind of danger: material loss resulting from cyber attacks. The new SEC rule isn’t perfect, but it’s a step in the right direction toward a more secure future, and it illustrates the importance of the CISO role. However, for many organizations, complying with the new rules will require adjustments.
The SEC Cybersecurity Rule Overview
The Biden administration has been outspoken regarding the potential impacts of cyber threats and its desire to improve the nation's cybersecurity posture, including both public and private entities. Again, we’re seeing the government attempting to protect those under its care, and the SEC cybersecurity rule is another action taken with that ultimate objective in mind.
The most important points for CISOs are that this new rule applies to publicly traded companies, sets specific requirements regarding the timing of incident notifications via 8-K, and obligates organizations to describe their security programs in annual 10-K reports. The rule emphasizes board engagement in cybersecurity governance; I hope we also see the side effect of raising the CISO position and improving the maturity of security programs nationwide.
What does the SEC Cybersecurity Rule Include?
The new SEC rule, adopted on July 26, 2023, requires publicly traded organizations to disclose any cybersecurity incident they determine to be material and to describe the material aspects of the incident, including its nature, scope, and timing. Additionally, incidents must be reported within four business days after the organization determines the incident to be material. However, the SEC documentation also states that disclosure may be delayed if “the US Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety.”
Many questions are floating around the cybersecurity community, as the SEC rule has a few ambiguities. Specifically, how will the key terms “incident” and “material” be defined?
The SEC declined to provide a definition regarding materiality, stating that, "carving out a cybersecurity-specific materiality definition would mark a significant departure from current practice and would not be consistent with the intent of the final rules." The guidance in the rule suggests that organizations are best suited to understand what is material to their investors. The lack of definition gives companies space to define this term for themselves, which sounds good, right?
Unfortunately, for most CISOs, concerns about potential liability for getting it wrong likely make this flexibility feel less like an opportunity and more like a risk. According to Proofpoint’s 2023 Voice of the CISO report, 62% of CISOs are concerned about personal liability in their role, and the lack of clarity on what to disclose, and when, adds to the liability concerns.
Complying with the SEC Cybersecurity Rule
The new rule also adds Regulation S-K Item 106, which requires registrants to explain their processes for assessing, identifying, and managing cyber risks. Additionally, Item 106 requires companies to describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks. Boards are now held accountable for overseeing cybersecurity and ensuring their organization's defenses are equipped to combat the evolving global threat landscape.
According to a Wall Street Journal survey, we’re seeing some positive shifts, with 75% of board directors reporting that their board has at least one cyber expert. Many of the most prominent publicly traded companies are recruiting former CISOs to help fill the gaps on their boards, moving cybersecurity from a rarely discussed back-office function to a boardroom priority. Further, Proofpoint’s study also found that 62% of CISOs believe cybersecurity expertise should be required at the board level, so the new SEC cybersecurity rule is a step in the right direction for elevating the importance of cyber risk management.
However, most publicly traded companies are still unequipped to comply with the new rules. The level of programmatic maturity, the coverage and effectiveness of tactical processes, and the executive coordination necessary to fulfill the rule's obligations will be difficult for many to achieve in the near term. Organizations are being asked to rapidly identify an incident, respond appropriately and effectively, classify the incident with regard to materiality, and promptly notify authorities through 8-K filings. Historically, incident response has been a weak point that many companies struggle with, even without new requirements.
Ready or not, the SEC Cybersecurity Disclosure Rule is upon us, and organizations must take action to close the gaps with compliance. How can you prepare?
Identify Key Stakeholders
One of the first things organizations need to do is identify the stakeholders with a critical impact on their ability to fulfill the new requirements. Those stakeholders likely include members of the board, inside and outside counsel, members of the executive team, and various individuals in cybersecurity and technology roles throughout the company.
Another critical step is defining materiality concerning a cyber incident. Deep in the throes of an ongoing incident is no time to begin arguing about what constitutes material impact.
Review (and Strengthen) Your Cyber Risk Management Program
Finally, the appropriate stakeholders should consider potential future notifications and disclosures and agree on their approach. The public disclosure of these incidents will bring additional scrutiny, and companies will be under pressure to find the right balance between meeting their disclosure requirements and risking liability or future security incidents by disclosing too much information. The Proofpoint report shows that the relations and interactions between CISOs and boards are improving. Having an incident response plan, knowing the appropriate balance of information disclosure, and agreeing on your reporting approach before a breach occurs will help everyone align and avoid conflict in over- or under-reporting.
SEC Cybersecurity Rule: Safety in Mind
The new SEC Cybersecurity Rule intends to improve transparency and ensure that investors are well-informed about a company's cyber resilience and plan for recovery. Think of it as the government’s cyber “seat belt,” protecting investors from financial harm. The SEC is attempting to formalize risk management strategies, governance, and incident disclosure to safeguard shareholders from financial loss.
However, the SEC rule also adds new complexities for organizations. The executive team as a whole, along with the board, will have key roles and accountability in an organization’s cybersecurity posture. But let’s not underestimate the CISO’s importance. Given the rise in cyber attacks and the increase in government scrutiny of how cybersecurity programs are structured, how organizations protect themselves, and how incidents are disclosed when they occur, the CISO is a necessary member of the executive team, particularly for publicly traded companies. Our cyber resiliency and brand reputation depend on it.
About the author: David Stapleton, CISSP, is the CISO of CyberGRX and ProcessUnity and a tenured cybersecurity risk professional with experience in both the public and private sectors. He began his cyber career at the Department of Health and Human Services (HHS), where he developed and managed Risk & Compliance functions for the Food and Drug Administration (FDA) and Indian Health Service (IHS).