Beginning in December, public companies will be subject to new rules regarding periodic and incident reporting for cybersecurity. On July 26, the U.S. Securities and Exchange Commission (SEC) voted 3-2 to adopt its final rules on public company cybersecurity disclosures.
“Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way,” SEC Chair Gary Gensler said in a statement on the rules.
What do these rules mean for public companies, and are they prepared to comply?
What Are the New Rules?
Under the new rules, public companies will be required to disclose information on cybersecurity risk management, strategy, and governance in the annual reports included with their 10-Ks.
Public companies will also be required to report material cybersecurity incidents within four days via 8-Ks. It is important to note that the four-day clock starts once a company has determined a cybersecurity incident to be material, not when the incident is first discovered.
The SEC announced its proposed rules for public company cybersecurity disclosures in March 2022. Lenny Zeltser, CISO of cybersecurity asset management company Axonius, tells InformationWeek that there are some differences between the proposed rules and their final version. For example, the proposed rule would have required “registrants to describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats.”
The SEC ultimately decided against adopting this proposed provision. Despite some disappointment in the cybersecurity community, Zeltser argues that the new rules incentivize more attention on cybersecurity.
“It’s natural to review the final rule from the perspective of what could have been and not notice the benefits it offers,” he says. “Cybersecurity professionals in public companies are better off today than before the final rule’s passing, and that’s worth celebrating.”
What Is a Material Incident?
The SEC’s rules have sparked much discussion about what will qualify as a “material cybersecurity incident.” The SEC has opted not to provide a definition.
“Carving out a cybersecurity-specific materiality definition would mark a significant departure from current practice, and would not be consistent with the intent of the final rules,” according to the final rule.
It will be up to public companies to determine what constitutes a material cybersecurity incident.
Incidents that would impact investors’ decisions to invest or divest, or cause shareholders to vote differently on a particular issue, most likely would be considered material, says Jeffrey Wheatman, senior vice president and cyber risk evangelist at third-party risk management company Black Kite.
“In a single sentence: if the CEO and their direct reports would care about the impact, it’s probably material,” he says.
While the rules leave room for companies to define materiality, that space for interpretation may come with concerns. “Unfortunately, concerns about potential liability for getting it wrong likely makes this flexibility feel less like an opportunity and more like a risk,” explains Dave Stapleton, CISO of third-party risk management company CyberGRX.
Materiality likely won’t be determined by a concrete formula. “Determining materiality for cybersecurity will, in my opinion, require an integrated view of risk — tying cybersecurity to critical areas of the business operations. Without this view, the impact on a reasonable investor cannot be determined,” says John Wheeler, a senior advisor for AuditBoard, an audit, compliance, and risk management software company.
Are Public Companies Prepared?
These new cybersecurity rules are not the first public reporting requirements for public companies. The SEC’s Gensler pointed to the Sarbanes-Oxley Act in his statement on the new rules. The federal act, passed in 2002, focuses on financial reporting and disclosure.
Companies subject to other requirements like this may have processes in place that will make compliance easier. “Companies may leverage existing disclosure processes and expertise in complying with the cybersecurity disclosure requirements,” says Wheeler. “However, some smaller companies may need more resources and mature reporting regimes.”
While cybersecurity has come to the fore in recent years, many companies will struggle with resourcing and getting everyone on board with its importance.
“While CISOs have been briefing boards for a while, there is still a disconnect between cybersecurity risks and business impact. Most business leaders know cybersecurity is important but are often unable to articulate the ‘why,’” Wheatman contends.
Stapleton argues that the requirements demand a level of programmatic maturity and executive coordination that will be difficult for many companies to achieve in the near term. “Historically we’ve shown that incident response is a weak point that many companies struggle with even in the absence of the new requirements,” he says.
How Can Companies Get Ready for Compliance?
Regardless of where public companies are in their cybersecurity journeys, they will need to get ready to comply with the SEC’s new rules. This means determining which leaders need to be involved, agreeing on how to determine materiality, and establishing a process for filing.
The SEC’s requirements emphasize board-level involvement. Board members will play a role in a company’s cybersecurity risk management, which will need to be reported annually via a company’s 10-K. Boards will also need to participate in the public incident reporting requirement. But board members are just one piece of the puzzle. Other C-suite members, as well as the legal team, all have a stake in ensuring compliance.
These rules have the opportunity to spotlight the importance of the CISO role. “The board and senior leadership should consider empowering and embracing the CISO or equivalent role. Allowing that individual to have a voice and be part of the conversation is critical,” says Jeremy Ventura, director of security strategy and field CISO at ThreatX, an API and web application protection company.
Once a company’s leadership is aligned, the key stakeholders need a way to determine materiality, before an incident happens, to ensure any cybersecurity incident can swiftly be defined and then reported within the four-day window, if necessary. “Deep in the throes of an ongoing incident is no time to begin arguing about what constitutes material impact,” says Stapleton.
Leadership teams will need to take a long, hard look at how cybersecurity risk maps to enterprise risk, which will require communication and coordination between business and security leaders. “Implementing an integrated risk management (IRM) program and enabling technology is crucial for companies to link cybersecurity risk to operational and enterprise risk, allowing for determining materiality,” says Wheeler.
Companies can also prepare their filing processes ahead of the December deadline for compliance. Wheatman recommends “creating a process for drafting 8-Ks faster, which can include a template for different types of incidents to meet the deadline for reporting them, but public companies should already be doing this.”
While these rules are for public companies, private companies have reason to take note as well. Private companies that operate as vendors for public companies may need to consider the impact of these rules.
The private sector could also benefit from paying attention to these rules because it’s possible they will become a benchmark for all companies. Wheatman offers the Sarbanes-Oxley Act as an example. Although not all companies are required to adhere to that law, most use it to govern their financial accounting and reporting, he explains.
“The security practices at public companies can inform and inspire the way private companies think about their own security programs and the role that their management and boards play in cybersecurity risk management,” Zeltser adds.
Leadership teams will not only need to think through how to be compliant. They will also need to be prepared for what the future of compliance means for their companies.
“The public disclosure of these incidents will bring additional scrutiny and companies will be under pressure to find the right balance between meeting their disclosure requirements and risking liability or future security incidents by disclosing too much information,” says Stapleton.
What Could Enforcement Look Like?
Non-compliance with SEC rules leaves companies exposed to the risk of fines, sanctions, and criminal prosecution. The SEC has taken action against companies and individuals following cybersecurity incidents. The agency recently sent Wells Notices to current and former employees of SolarWinds in connection with the 2020 cyberattack that impacted its Orion supply chain software. A Wells Notice indicates the potential for civil enforcement action.
“Expect more of these Wells Notices and other types of enforcement actions, including termination of employment, bans on working at other publicly traded companies, and of course, major fines against the business and individual(s),” says Ventura.