By Portia Cole, Emergent Threat Researcher, Avertium
If the Securities and Exchange Commission (SEC) has its way, it will soon do more than any other federal agency has done when it comes to putting cybersecurity disclosure requirements in place for public companies and covered entities and their boards of directors. The SEC proposed new regulations in March 2022 (the comment period was reopened a year later) and March 2023 that would, in part, require that investors be informed “in a consistent, comparable, and decision-useful manner” about how cybersecurity risks are being managed.
The comment periods for both came to a close in May 2023. If adopted, new rules and requirements would be put in place regarding:
- The reporting of material cybersecurity incidents and updates about previously reported cybersecurity incidents.
- Reporting requirements regarding a registrant’s policies and procedures to identify and manage cybersecurity risks; the registrant’s board of directors’ oversight of cybersecurity risk.
- Management’s role and expertise in assessing and managing cybersecurity risk and implementing cybersecurity policies and procedures.
- Annual reporting or certain proxy disclosure about the board of directors’ cybersecurity expertise.
In the SEC’s view, the purpose of the amendments is to keep investors better informed about an organization’s risk management, strategy, and governance and to ensure prompt notification in the event of significant cybersecurity incidents. The government also seeks to abandon its dated 2003 strategy, which established that federal regulation wouldn’t be a main approach to securing cyberspace—clearly, it has changed its mind. Let’s dive into two notable regulations that deserve our attention.
Prompt Reporting
Our assumption is that the regulation regarding prompt disclosure of breaches is in response to organizations such as T-Mobile and BlackBerry. In 2021, both T-Mobile and BlackBerry faced public scrutiny after they failed to promptly inform customers and the public of server and software vulnerabilities that affected millions of people. T-Mobile’s breach was significant because it exposed the data of more than 100 million customers—and troubling in terms of how investors learned of it. Vice.com broke news of the breach on August 15, 2021, but the company didn’t confirm the breach until August 16, 2021—24 hours after the breach made headlines.
At the time, there were no existing federal regulations dictating the timeframe within which a company had to report a data breach. As a result, on September 1, 2021, Congress began examining a House of Representatives bill that included requirements around how quickly companies need to report attacks (24 or 72 hours), what kinds of compromises need to be reported to CISA, and whether a fine should be imposed for non-compliance. Although Congress was unable to reach a consensus at that time, in March 2022 the Cyber Incident Reporting for Critical Infrastructure Act established two cyber incident reporting requirements for covered entities within 16 designated critical infrastructure sectors, and the SEC is now inching closer to finalizing similar disclosure rules that would benefit stakeholders, customers, and investors.
Among what the SEC wants: similar to public companies, covered entities will have to disclose past and present cyber incidents to the SEC within 48 hours of discovery. Covered entities would be required to immediately notify the SEC in writing of a significant cybersecurity incident when they have reasonable grounds to believe that one has occurred or is occurring. In addition, companies must submit detailed information about the incident and their response to it using the proposed Form SCIR, which must be filed promptly and updated if new material information is discovered or upon resolution of the incident.
Board of Directors and Cybersecurity Risk
It’s not enough for board members to simply be informed about a company’s existing security measures. Boards should play a crucial role in supporting cybersecurity risk management, and the proposed SEC regulations will help force that along.
If the SEC has its way, public companies will be required to disclose if board members have cybersecurity expertise. The SEC will mandate that companies disclose how the board oversees cyber risks, as well as describe how management assesses and handles those risks. It gets even more detailed, requiring that companies disclose the ways in which the board is kept up to speed on cyber risks and how often the board discusses the topic. The regulation would require board members to increase their focus on cybersecurity and take responsibility for overseeing the organization’s response and recovery plans in the event of a cyberattack.
Board members are going to have to get much more serious about cybersecurity. Gone are the days when it was enough just to get an update on what the CISO has been working on. As the Harvard Business Review puts it, “Board members must take the position that cyber-attacks are likely, and exercise their oversight role to ensure that executives and managers have made proper and appropriate preparations to respond and recover.”
Potential and Limitations of the Proposed Regulations
Should the new rules kick in, the changes won’t be limited to the disclosures themselves. Companies may find they incur additional costs to comply with the new rules, including the costs of gathering and analyzing the required data. There is also the potential for increased reputational risk: with greater exposure comes greater scrutiny. Companies that fail to adequately address their cybersecurity risks may face reputational damage and potential backlash from investors, customers, and other stakeholders.
The intent of these proposed rules is to protect the greater public by promoting transparency and holding companies accountable. But as with many regulations, there are limitations. There remains a degree of ambiguity around what covered entities are obligated to disclose and how they should disclose it. For example, different industries face different cyber risks and have unique risk profiles with different levels of confidentiality and security, making it difficult for stakeholders to compare the cybersecurity postures of organizations across industries. Companies may also measure their risks differently, so it can be difficult for a stakeholder to determine whether a particular company’s risk measurement strategy is comprehensive or accurate.
But what the SEC is looking to do is build upon or revise what is already in place, and organizations would do well to build upon what they’re already doing in order to be ready—and to be in a stronger cyber position whether or not the proposed changes formally become requirements. That includes educating your board about what may be coming and reviewing the written policies and procedures you have in place for your incident response program.
About the Author
Portia Cole, an Emergent Threat Researcher at Avertium, specializes in researching the latest cyber threats, threat actors, and vulnerabilities. As a member of the Capability Development team, she contributes valuable insights to the field of cybersecurity. Her work can be found on Avertium’s website, and she can be reached through LinkedIn.