On July 26, 2023, the SEC issued its final rules for companies disclosing key information regarding cyber risk. The final rules address concerns over investor access to timely and consistent information related to cybersecurity risk and come at the end of 18 months of debate and discussion. While many wanted different outcomes in key areas, most of the suggestions and criticisms have been addressed.
Now the work begins—and time is short. The new rules focus on public companies providing transparency to investors through formal disclosures via SEC forms. The three types of disclosures specified in the rules are:
Cyber risk management: the strategies and processes used by the company in monitoring and managing cyber risk (annual).
Cyber risk governance: the professional backgrounds, roles and responsibilities of those involved in monitoring and managing cyber risk (annual).
Material cyber incidents: the nature, scope, timing and impact of material incidents, with materiality determined under federal securities law from the perspective of a reasonable investor (within four business days of the determination that an incident is material).
Many companies aren’t currently in a place where they can comply with these rules. They will need to be ready to adhere to these rules in December 2023—a very short deadline given the significance of the work required to comply. But by planning now, company stakeholders can best position themselves for compliance.
Cyber Risk Governance
Since the overall governance of cyber risk lies with corporate boards, it is up to them to define how much risk is acceptable and to then allocate the necessary resources to management.
Since the SEC hasn’t prescribed exact rules for what companies need to disclose, disclosures companies submit will likely be all over the map. However, what these disclosures will probably have in common is the enumeration of the key responsibilities and mechanisms for full boards, board-level committees that oversee cyber risk and finally, executive and management-level committees.
In disclosures to the SEC, companies will need to be transparent about the amount and types of reporting that they provide regarding cyber risk. Specifically, they will need to cover the following areas:
Reporting to the board: provided by some combination of the board committee and executive management.
Reporting to the board committee: provided by executive management on key trends, exceptions and changes to the risk environment or cybersecurity posture.
Reporting to the executive committee: provided by cross-functional leadership across the organization, normally including security, technology, business operations, legal and risk.
Cyber Risk Management
In addition to the disclosures related to the governance of cyber risk, the SEC disclosures are intended to reveal more of the details on how public companies define and manage cyber risk at large. There are a series of core concepts and strategies in this area that are foundational and will likely require some review and potential maturation prior to public disclosure.
First, there’s risk tolerance. The board needs to define the cyber risk tolerance for the enterprise overall. The board committee and management can provide insight and suggestions, but ultimately, the board has to make the final decisions and then provide direction and resources.
Then there’s risk measurement. The company must define and execute a clear methodology for measuring risk in a way that is broadly understood across various management teams. Some organizations use cybersecurity maturity as a proxy for cyber risk, while others use more sophisticated, probabilistic models to estimate cyber risk in financial terms. Regardless of the exact approach, there needs to be a clear definition that the board and management can agree and act on.
Given the increasing likelihood of adverse cyber incidents, it’s imperative that all cybersecurity strategies factor in resilience management. Companies should implement and test recovery and contingency plans to maximize their chances of quick recovery (with minimal disruption to operations) in the event of an incident.
Of course, companies need cybersecurity strategies as well. Many have adopted industry standard frameworks, such as NIST, in forming cybersecurity strategies. This approach makes it easier for companies to detail their cybersecurity strategies in SEC disclosures. What’s more, common terminology will enable precise communication across the organization, as well as with key vendors, regulators and auditors.
Regardless of how well a company prepares, there’s always a chance of a cyber incident occurring, making cyber insurance attractive. Some companies get cybersecurity insurance and think of it solely as a method of transferring some of the potential financial uncertainty to a third party. However, cyber insurance also gives companies valuable support systems in times of crisis. Companies should carefully research cyber insurance providers and find plans that align with their unique needs and budgets.
Cyber Incident Disclosures
Cyber events can ultimately become cyber incidents, but there’s not necessarily a clear-cut definition of what counts as a “material incident.” That’s why it’s vital that at each company, the board and management arrive at a clear, shared definition of what constitutes a “material” incident at the organization.
Given that material incidents must be disclosed promptly (within four business days of the materiality determination), there are several key areas company stakeholders should consider.
Incident classification: The board and executive leadership should have a well-understood, pre-defined methodology for classifying cyber incidents, especially those that they’ll ultimately identify as material.
Incident response: The board and executive leadership need to develop a well-structured and efficient process for managing the remediation and recovery of any incident deemed material.
Crisis response plans: The board and executive leadership need pre-defined roles and crisis response plans, including templates for communications, updated contact information for company personnel, key third parties, and law enforcement details.
Regular testing: Rapid determination and disclosure will require efficient execution and coordination. To ensure everyone is clear on the given processes and roles, drills should be conducted on a routine basis, along with after-action reviews to identify areas of improvement.
The Time to Start is Now
There isn’t much time left until December—and the work to prepare for the new SEC disclosures could be significant.
If you’re a stakeholder at a public company, don’t wait. Get started now. Begin by reviewing your company’s current capabilities and quickly making the necessary improvements. The planning involved will take more time than you might think, and you’ll likely have to go through multiple iterations of plans to pinpoint the right ones.
Make this a team sport. There’s often a temptation to delegate these tasks to the CISO. As important as the CISO is, they have finite capacity, expertise and authority. A cross-functional team involving risk, audit, compliance, technology and business operations will be needed.
It’s the end of summer and the holidays are right around the corner—followed by the effective dates of the new rules. To avoid even more stress down the line, get started now!