What do the rules require?
The rules can be broken down into three key requirements:
- Incident Disclosures: Companies must disclose when they experience a material cybersecurity incident and must do so within four business days of determining the materiality. The disclosure should describe the material aspects of the nature, scope, timing, and material impact of the incident.
- Risk Management: Companies must also annually disclose their processes, if any, to assess, identify, and manage material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes.
- Governance: Companies must also annually disclose the board’s oversight, management’s role in assessing and managing material risks from cybersecurity threats, and how they are kept informed.
What constitutes material impact?
The SEC evaluates cybersecurity incidents based on a materiality standard—whether the information would significantly impact investor decisions. The disclosure focuses primarily on the impacts of a material cybersecurity incident rather than on requiring details regarding the incident itself.
Among the examples of material impact are harm to a company’s reputation, customer or vendor relationships, or competitiveness. Similarly, the possibility of litigation or regulatory investigations or actions may constitute a reasonably likely material impact on the company. The SEC expects that most organizations’ materiality analyses will include consideration of the financial implications of a cybersecurity incident, so information regarding the incident’s impact on the registrant’s financial condition and results of operations will likely have already been developed.
What detail is sufficient for risk management disclosures?
When describing their risk management processes, companies should address the following:
(i) Whether and how any such processes have been integrated into the registrant’s overall risk management system or processes;
(ii) Whether the registrant engages assessors, consultants, auditors, or other third parties in connection with any such processes; and
(iii) Whether the registrant has processes to oversee and identify risks from cybersecurity threats associated with using any third-party service provider.
Companies should also describe whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to affect them materially, including their business strategy, results of operations, or financial condition, and if so, how.
What steps are required for compliance?
An organization that is already subject to and meets compliance requirements under other laws like HIPAA or GDPR should have the necessary processes and systems to meet the bulk of the requirements under these rules. However, the SEC requirements are distinguished from similar requirements found in HIPAA or GDPR because they focus on the consequences for the company that are material to investors and whose timing is tied not to discovery but to a materiality determination.
Similarly, requiring that companies provide disclosures about risk management and governance annually is not an additional burden for most public companies with mature cybersecurity programs that already undergo a SOC-2 or ISO-27001 audit annually. Those audits require companies to document their risk management and governance processes. However, that documentation may need to be tailored to focus on material risks in sufficient detail for a reasonable investor to understand those processes to meet SEC requirements.
Key Takeaways
The SEC rules have significant implications for CISOs, as well as the legal counsels and risk advisors who assist them with compliance. Here are some key takeaways:
- Materiality is Key: Materiality analysis does not require formal risk quantification (such as the FAIR model) but rather a reasonable assessment of risk that considers, among other factors, the financial, reputational, and operational impact. Existing security frameworks such as NYDFS Part 500.9 and CFR Part 314.4 already require an assessment of material security threats, and that work may be helpful in the SEC materiality analysis.
- Disclosures Must Be Timely and Accurate: The SEC charged SolarWinds for inadequate disclosures despite the company's claims of NIST CSF compliance. The case signals increased accountability for accuracy in cybersecurity reporting. CISOs should work carefully with legal counsel and risk advisors to ensure they disclose material gaps and provide timely, comprehensive disclosures consistent with their actual security posture.
- Privilege and Liability Protection is Critical: The SEC rules may leave companies open to shareholder lawsuits if disclosures do not match their security posture, and may leave CISOs open to personal liability. CISOs should work closely with legal counsel and risk advisors to protect privilege and limit liability, in particular by involving counsel in how reports are prepared and delivered to the board. D&O and cyber insurance policies should be reviewed for potential gaps in coverage.
- Understand Interplay with Cyber Insurance: The SEC disclosure rules dovetail with cyber insurance underwriting. If the company's posture does not match what it disclosed to the SEC, then the SEC, the insurer, and the shareholders may each have a misrepresentation case against the company. On the other hand, an organization that has obtained cyber insurance commensurate with its risk exposure will already have done some level of risk quantification and will know the financial harm expected should certain assets be compromised, which in turn helps with the SEC disclosure requirements.
- Board Oversight is Crucial: Though boards need not become experts, CISOs, their legal counsel, and risk advisors can guide them in monitoring controls and in accessing cybersecurity expertise through educational programs. Cybersecurity should become a regular agenda item at board meetings.
- Benchmark Your Security: Reference existing cybersecurity frameworks like NIST when reviewing your maturity and regulatory expectations for “reasonable security.” CISOs should map programs to authoritative benchmarks and address any gaps.
- Emphasize Cybersecurity Governance: CISOs should activate cybersecurity incident response teams within their organizations and develop collaborative cross-departmental governance policies/programs per legal requirements. They should ensure proper upward reporting procedures are in place.
In conclusion, CISOs should proactively address cybersecurity risk management requirements under the SEC rules to help avoid potential liability for themselves and their organizations.