Last week the SEC proposed new cybersecurity reporting rules for public companies. If adopted, they will impose substantial new reporting obligations. The new rules are motivated by the inconsistencies in level of detail, timing, and placement of cybersecurity disclosures given to investors today. While these are changes proposed for public companies, private companies can certainly glean a wealth of information on how to properly develop a cyber risk program by examining these proposed new rules.
New SEC Rules for Cybersecurity Incident Disclosure
Among the new rules would be a more robust cybersecurity incident disclosure that would have to be released 4 days after a company determines that it experienced a cybersecurity incident. This would have to include:
- When the incident was discovered and whether it is ongoing.
- A brief description of the nature and scope of the incident.
- Whether any data was stolen, altered, accessed, or used for any other unauthorized purpose.
- The effect of the incident on the registrant’s operations.
- Whether the company has remediated or is currently remediating the incident.
Disclosure of Cybersecurity Policies and Procedures
Companies would also have to disclose their policies and procedures to manage cybersecurity risks and threats. The disclosure will have to include if:
- The company has a cybersecurity risk assessment program. If so, the company must provide a description of such program.
- The company engages assessors, consultants, auditors, or other third parties in connection with any cybersecurity risk assessment program.
- The company has policies and procedures to oversee and identify the cybersecurity risks associated with its use of any third-party service provider (including, but not limited to, those providers that have access to the registrant’s customer and employee data). This also includes whether and how cybersecurity considerations affect the selection and oversight of these providers and contractual and other mechanisms the company uses to mitigate cybersecurity risks related to these providers.
- The company undertakes activities to prevent, detect, and minimize effects of cybersecurity incidents.
- The company has business continuity, contingency, and recovery plans in the event of a cybersecurity incident.
- Previous cybersecurity incidents have informed changes in the registrant’s governance, policies and procedures, or technologies.
- Cybersecurity related risk and incidents have affected or are reasonably likely to affect the registrant’s results of operations or financial condition (and if so, how).
- Cybersecurity risks are considered as part of the registrant’s business strategy, financial planning, and capital allocation (and if so, how).
Determining Who is Responsible for Oversight of Cybersecurity Risks
A welcome and critical change proposed is disclosure of who has responsibility for oversight of cybersecurity risk:
- Is it the entire board or specific members?
- How are those members qualified, and what is the process by which the board is informed about cybersecurity risk?
- Does the company have a CISO? If so who does the CISO report to?
- How often is the board informed on the status of cybersecurity risk?
What the New SEC Rules Mean for the Future of Cybersecurity
The important takeaway is that these changes demonstrate that the SEC is aware of limitations in today’s approach. The proposed rules are also a clear indication of changes in how the government and other organizations are shifting their perspective on a company’s responsibility of their cybersecurity risk. In 2021 alone, 45 states and Puerto Rico introduced more than 250 bills or resolutions related to cybersecurity. Many of the bills also deal with implementations of policies and procedures, including incentives and aid for companies who proactively address risks.
What Your Company Can Do to Prepare for New Cybersecurity Rules and Bills
As cybersecurity rules and regulations become more common, companies should proactively establish cybersecurity programs to avoid fines and penalties. Basics steps companies can take include:
- Establish a risk assessment program and align it to a framework that best fits your cybersecurity needs based on company size, industry, and cybersecurity goals.
- Once a risk assessment program is established, identify gaps in your security needs that align with policies, procedures (practices), and technologies required to meet your program goals.
- Decide on a Plan of Action with Milestones and timelines to meet your cybersecurity goals.
- Define key performance indicators associated with your cybersecurity program to help track your goals and progress.
- Create an incident response plan in case of a breach. This is a crucial step that is often overlooked in cybersecurity programs. A strong incident response plan can reduce the cost and damages associated with a cyber-attack.
- Ensure you communicate and get buy-in from your executive team and board to support your cybersecurity program. Their support will make program establishment and execution much faster and easier.
The entire proposed rule changes can be found here: https://www.sec.gov/rules/proposed/2022/33-11038.pdf