As published in the Journal of Critical Infrastructure Policy in 4Q2024
The SEC released its final rule on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure on July 26, 2023. The final rules require public companies to publicly disclose (1) material cybersecurity incidents and (2) their cyber risk management, strategy, and governance processes. These disclosures are made through existing SEC reporting vehicles (Form 8-K for incidents and Form 10-K for the annual disclosures) and are intended to give investors greater transparency into cyber risk and cyber risk management across public companies.
Introduction
On July 26, 2023, the SEC issued its final rules governing how companies disclose key information about cyber risk. This concluded a long and contentious rulemaking that began in March 2022 with the SEC's proposed rule formalizing cybersecurity disclosures. The intervening sixteen months were filled with passionate public debate from a wide-ranging spectrum of perspectives. Many debated the inherent value of such reporting, some questioned the SEC's authority to require such disclosures, and untold volumes were expended on thorny practical matters of definitions and responsibilities. While many sought different outcomes in key areas, most suggestions and criticisms were addressed, the rules were finalized, and compliance obligations began in December 2023.
Annual Disclosures
The rules as finalized in July are focused on the public disclosure of cyber risk information. There are two disclosure time horizons: annual and incident driven. On an annual basis, companies are required to incorporate new cyber-specific information in their Form 10-K that addresses two general areas:
- Cyber risk management: the strategies and processes the company uses to monitor and manage cyber risk overall. This area is broadly focused on providing clarity into how a company thinks about cyber risk at large and how it frames risks originating in the cyber domain in the context of its myriad other enterprise risks, such as competition, regulation, financial and currency exposure, and physical plant operations.
- Cyber risk governance: the professional backgrounds, roles, and responsibilities of those involved in monitoring and managing cyber risk. This area is focused on the mechanics of how cyber risk is governed across the company, covering both the board of directors and the executive leadership team. The original draft rules in 2022 included a requirement to reveal the names and backgrounds of directors and officers whom the company views as having credible cyber risk expertise. The requirement for board directors was dropped in the 2023 final rulemaking, but the requirement for executives remained, putting additional focus on the few executives directly involved in understanding and mitigating cyber risk.
All of this information is released as part of the longstanding Form 10-K process; the first disclosures are required in annual reports for fiscal years ending on or after December 15, 2023. Note that the SEC provided little detailed guidance on how to make these disclosures. Beyond a short, non-exclusive list of topics to address (for example, whether outside assessors, consultants, or auditors are engaged, and whether there are processes to oversee risk from third-party service providers), it mandated no lexicon or framework and remained silent on the granularity of detail sought. The SEC's primary focus is transparency at large, leaving the particulars to the discretion of each company's leadership.
Incident Disclosures
In addition to the annual disclosure requirements, the SEC has mandated that companies reveal material cyber incidents. Consistent with its approach to annual disclosures, the SEC did not define the conditions under which an incident becomes material. Public disclosure of material events is not new, so the SEC relies on the existing securities-law standard of materiality, and the case law behind it, for cyber incidents, just as companies already evaluate the materiality of other business events such as natural disasters, currency fluctuations, and factory fires.
There is one area of incident disclosure where the SEC was prescriptive: timeliness. Under the rules, a company must disclose a material incident on Form 8-K (Item 1.05) within four business days of determining that the incident is material. Note that the clock starts not when the incident occurred or was discovered, but when the materiality determination is made. The rule also requires that the determination itself be made without unreasonable delay after discovery, so a company cannot stall the clock by deferring the analysis. The only sanctioned extension is a delay granted when the U.S. Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety. This treatment aligns with other material non-cyber disclosures, as the SEC seeks to treat cyber risk like any other business risk.
Adoption Challenges
The degree of difficulty in adopting these rules will vary widely with a company's current sophistication in managing cyber risk. For large organizations with highly developed cyber risk management capabilities, adoption should require only modest effort, likely focused on the initial drafting of the disclosures for the first year's Form 10-K.
Companies with more informal capabilities will likely face a far more difficult adoption. Many have historically handled cyber matters reactively and ad hoc, relying on the creativity and nimbleness of directors and officers to respond to situations as they emerge. Such methods are rarely documented in clear, concise terms, with the unambiguous processes and roles that would give investors transparency and comfort. For these firms, the fourth quarter of 2023 could require an intense first-time documentation of these practices, with sufficient clarity (and legal review) to be ready for formal disclosure in a Form 10-K.
Beyond the mechanics of risk management and governance, there are key strategic decisions that require alignment between the board and the executive team. One is the working definition of materiality. As part of the risk management process, there needs to be agreement on which parameters of cyber risk will be weighed when evaluating an incident. Typical considerations include the cost of technical recovery and resumption of operations, litigation and fines, loss of brand goodwill, and unrecoverable lost revenue. Each incident will involve a different mix of these and many other factors, and an exact formula is not feasible. It is feasible, and expected, that directors and officers understand the potential mix of impacts that bear on materiality and agree in advance on the mechanics for rapidly evaluating them while a fast-moving incident is unfolding.
Key Focus Areas
Compliance with the SEC rules will rest on foundational capabilities that are not new but will become more visible given the transparency requirements. In parallel with drafting the annual disclosure, it is important to ensure that the underlying processes, tools, and capabilities are robust enough to support actual cyber defense and incident response. Key focus areas include:
- Incident Classification: a well-understood, pre-defined methodology for classifying cyber incidents, including the escalation path for those that may ultimately be deemed material. A clear lexicon of terms, along with defined roles and responsibilities for detecting incidents and making key decisions on a timely basis, is fundamental.
- Incident Response: a well-structured, efficient process for managing the containment, remediation, and recovery of any incident, regardless of materiality, with clearly identified roles such as Incident Commander and the supporting technical leads.
- Crisis Response Plans: the capability to manage external communications must be established in advance and should exist as a separate, specialized function in the communications organization. It is often mistakenly assumed to be part of the incident response process, but incident response is properly a technology and operations function; communicating with media, regulators, and shareholders requires different roles and skills.
- Regular Testing: rapid materiality determination and disclosure require efficient execution and coordination. To ensure everyone understands the processes and their roles, drills that run the clock from detection through materiality determination to filing should be conducted routinely, followed by after-action reviews to identify improvements.
Critical Infrastructure Considerations
The SEC's new cybersecurity rules are designed to enhance investor understanding of, and trust in, how companies handle cyber risk. More specific and frequent disclosures will likely advance this aim significantly, while at the same time creating several challenges that operators of critical infrastructure will need to grapple with:
- Pay Now or Pay Later. The additional demands on already-stretched experts could be significant in companies with relatively low cyber risk management maturity. It is important to recognize the incremental load on those people and budget accordingly, with appropriate staffing and enabling technology. Adopting the new requirements won't "just happen": specific accountabilities and priorities need to be defined and funded.
- Regulator Bingo. The SEC is only one of many regulators the cyber risk program must account for. In parallel with the SEC requirements, CISA is finalizing its incident reporting rule under CIRCIA, which will likely be more technical and detailed and which runs on a different clock (the statute calls for reporting covered incidents within 72 hours of the company reasonably believing one has occurred, and ransom payments within 24 hours, rather than counting from a materiality determination). Both regimes target the most significant incidents, and companies will need to determine which regulator, or both, requires a report on a given incident. Sectors such as electricity are already intimately familiar with NERC CIP requirements that must be addressed simultaneously, and that is just the United States; similar regulators exist in many other key geographies. Companies need an integrated strategy for harmonizing and synchronizing these existing requirements, and should build capacity for the inevitable addition of others.
- Materiality Beyond First-Party. Beyond the traditional litmus test of materiality to a company's shareholders, critical infrastructure companies can have material impact on stakeholders who are not shareholders. Imagine a refinery whose industrial control systems are compromised, resulting in physical damage to assets and the release of toxic chemicals, explosions, or fires. Traditional first-party risk management will account for the materiality of such an incident to shareholders, but the knock-on effects on adjacent communities and the broader commercial ecosystem will also need to be planned for and managed.
Brian Walker, CAP CEO and Founder, shared his perspectives in the latest edition of the Forbes Technology Council. There will be major considerations for both the CISOs and the companies they seek to protect.
Click here to read the full article in the Journal of Critical Infrastructure Policy