For over a decade, the Securities and Exchange Commission (SEC) has been working with corporations and their many stakeholders to seek ways to appropriately influence corporate governance around cybersecurity. On 26 July 2023, the SEC voted to implement new rules for all publicly traded corporations.[1] [2]
In 2011, the SEC issued guidance to help companies understand that they should take responsibility for reducing cyber risk. This was guidance rather than formal regulation, but it helped raise awareness and underscored for corporations that they had responsibilities to shareholders to mitigate cyber risk. In 2018, the SEC issued new guidance to expand on and strengthen its previous guidance. Still, there is a difference between guidance and regulation. Many companies either did not notice or perhaps felt that their protections mitigated risk well enough, and the guidance was not that impactful.[3]
In March 2022 the SEC published a draft set of proposed new rules that would make aspects of cybersecurity reporting and governance mandatory. After extensive industry feedback, the SEC held an open meeting on 26 July 2023 and voted on and approved the final rules.
The new rules are far stronger than previous interpretive guidance. The stated objective of these rules is to strengthen investors' ability to evaluate public company cybersecurity practices and incident reporting. The rules will ensure corporations provide consistent, comparable, and useful information to shareholders in two major categories:
- Information on incidents that may have a material impact on shareholder opinions and
- Information on governance processes designed to mitigate cyber risks.
In the first category, companies must disclose any materially relevant cyber incident. These would have to be disclosed within four days after the decision is made that they are materially relevant, and will be disclosed on a Form 8-K (the term materiality is used in the same way as in previous SEC guidance on security: if an investor would consider it essential to know, it is considered material). The final rules make it clear that determinations on materiality are expected to happen expeditiously.
In the second category, companies will have to disclose information on their risk management and governance strategies. The SEC is looking for far more disclosure on these topics than it has in the past, including details on how the corporation assesses, identifies, and manages material risks from cybersecurity threats and the material effects of those threats. The board's role in overseeing risks from cybersecurity threats, and management's role and expertise in assessing and managing material risks from those threats, must also be disclosed. These rules will be effective quickly. Disclosures will begin with the Form 10-K and 20-F disclosures with annual reports for fiscal years ending on or after 15 December 2023 (smaller companies are being given some leeway here).
The rules clarify that the corporate board will have new responsibilities in cyber risk management. However, the rules differ from the drafts in that boards do not have to disclose whether there is cyber expertise on their board. Boards should be talking with management now to ensure clarity on new reporting requirements for incidents and for cyber risk mitigation governance. A gap assessment should be conducted.
All directors should seek to understand and mitigate cyber risk by leveraging expert advice from experienced risk management professionals. External advisors can rapidly evaluate board expertise relevant to the cybersecurity qualifications expected by the SEC. They can recommend additional training for the full board or the board-designated cyber expert.
Although not required by SEC guidance, many boards have already decided to form cybersecurity committees so a few designated board members can work on issues outside of board meetings. External advice can help the board evaluate whether this is the right approach for the mission and function of the board.
See: https://www.redskyalliance.com/redxray
What can boards do better? Be a part of the solution by assigning a board member access to Red Sky Alliance’s RedXray service that will allow a user to monitor their own company’s cyber health daily. It is easy to use, and only targeted cyber threat intelligence will be delivered. Since the SEC wants boards to be informed and active in preventing cyberattacks, why not use RedXray as a C-suite information service to overlay the company’s current cyber threat department and services?
This article is presented at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. Call for assistance. For questions, comments, a demo, or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@redskyalliance.com
[1] https://www.oodaloop.com/wp-content/uploads/2023/07/sec-final-rules-cybersecurity-33-11216.pdf
[2] https://www.oodaloop.com/wp-content/uploads/2023/07/public-company-cyber-disclosures-33-11216-fact-sheet.pdf
[3] https://www.oodaloop.com/archive/2023/07/26/the-sec-announces-final-cybersecurity-rules-what-the-c-suite-needs-to-know-and-do/