The SEC has finalized and voted on the new amendments for public disclosures on cybersecurity. Let’s breakdown what’s going into effect.
Item 1.05 – Disclosing material cybersecurity incidents
This seems to be the most talked about aspect of the amendment. It requires “any cybersecurity incident they determine to be material and to describe the material aspects of the incident’s nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant. An Item 1.05 Form 8-K will generally be due four business days after a registrant determines that a cybersecurity incident is material.”
There are 2 caveats to this if the disclosure poses a substantial risk to national security or if there’s a conflicting Federal requirement to report. On the latter, there is only 1 identified by the SEC and that’s for those under FCC regulations where a seven day reporting is required.
Each company will have to determine what is “material” to them. Most conversations I’ve seen center this on the financial team determining impact based on revenue or profit. The definition of material will ultimately be up to the registrant (the SEC’s term for the company).
Prerequisite: The key here is that the 4 days is after the company determines that a cybersecurity incident is material. A company would need a detection and response capability, along with a level of forensics, to be able to properly discover, react, and then present the right information to the company decision makers on it’s materiality. You’d also need legal counsel to help make the right decisions on if this is an incident. An incident response plan (IRP) with clearly identified roles would enable this. Ideally, an IRP that’s been through a table top exercise (TTX).
This is a significant requirement being outlined here and one that has a number of capabilities to be able to meet. It’s not as simple as “being able to report in 4 days”.
Item 106 – Risk Management and Strategy
SEC is requiring a few items here and it’s slimmed down from the proposed rules:
“(1) Describe the registrant’s processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes. In providing such disclosure, a registrant should address, as applicable, the following non-exclusive list of disclosure items:
(i) Whether and how any such processes have been integrated into the registrant’s overall risk management system or processes;
(ii) Whether the registrant engages assessors, consultants, auditors, or other third parties in connection with any such processes; and
(iii) Whether the registrant has processes to oversee and identify such risks from cybersecurity threats associated with its use of any third-party service provider.
(2) Describe whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant, including its business strategy, results of operations, or financial condition and if so, how.”
In reality, if there’s no program in place this will be an easy section to write for public companies… “No processes in place for cybersecurity”. That’s not likely to happen, so what would be required in order to have a well written disclosure?
Prerequisite: Without citing a specific standard or framework, this would mirror the expectations of a program built on NIST CSF or other modern control based frameworks. A company would need a cybersecurity program. One that starts with (and expects regular) risk assessment of the current state, establishing a target state, and crafting a roadmap to get from one to the next.
It’s basic and direct.
Conduct a risk assessment, use 3rd parties to validate results, and establish a set of policies and process in a program to be governed. The disclosures expected will require a level of detail on a company’s overall cybersecurity program, it’s governance, reporting, and maturation plans over time. Without an established program, it would be impossible to meet this requirement. It’s more than just proving written policies are documented.
The SEC is looking for an established cybersecurity program. And one that factors in the risks posed by the use of third parties.
Item 106 – Governance
This one backed off the cybersecurity expertise requirement of Board members (I think much to the chagrin of DDN and other’s posturing that CISOs would be scooped up to be board members solely because they’re CISOs). It does keep the board’s oversight of risk from cyber threats in place.
“(1) Describe the board of directors’ oversight of risks from cybersecurity threats. If applicable, identify any board committee or subcommittee responsible for the oversight of risks from cybersecurity threats and describe the processes by which the board or such committee is informed about such risks.”
Prerequisite: Here we’ll expect disclosures to outline how the Board hears about risk and on what cadence. The outline should include if there’s a CISO, how regular they present, what metrics are being reviewed, and how incidents are handled when brought to a Board level. A description of whether this is discussed at the full Board, the Audit committee, or even a smaller pairing of directors.
“(2) Describe management’s role in assessing and managing the registrant’s material risks from cybersecurity threats. In providing such disclosure, a registrant should address, as applicable, the following non-exclusive list of disclosure items:
(i) Whether and which management positions or committees are responsible for assessing and managing such risks, and the relevant expertise of such persons or members in such detail as necessary to fully describe the nature of the expertise; [1]
(ii) The processes by which such persons or committees are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents; and
(iii) Whether such persons or committees report information about such risks to the board of directors or a committee or subcommittee of the board of directors.
[1] Relevant expertise of management in Item 106(c)(2)(i) may include, for example: Prior work experience in cybersecurity; any relevant degrees or certifications; any knowledge, skills, or other background in cybersecurity.”
Prerequisite: Here is the connector the two sections in Item 106. A well written disclosure, one that would give investors comfort in that public company’s ability to address cybersecurity, would include that cybersecurity is management’s responsibility and how it’s assessed then managed. Ideally, this has a named experienced CISO or reputable third-party vCISO provider in place. They are empowered with both the correct authority and the financial resources to implement a cybersecurity that’s worthy of publicly disclosing. Under the CISO, there is a program that is effective and looks to mirror NIST CSF (or other standards) in it’s ability to “monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents”.
I don’t see a lackluster or bare minimum cyber program being able to withstand investor scrutiny of this requirement.
Conclusion
Overall I think the SEC did the right thing with these amendments. When compared to the proposed rule, yes, it’s lacking.
Consider if we never saw the proposed rule. This final rule and amendments would still be a step in the right direction for transparency to investors.
If you’re one of the almost 9,000 public companies under SEC rules and need guidance on how to meet these new rules, contact us.
