Cybersecurity Disclosure Requirements: What's Changing in 2023 and How to Prepare

John Wheeler

Cyber attacks keep growing in sophistication, relentlessness, and destructiveness, with cyber criminals finding new ways to evade detection and exploit or re-weaponize vulnerabilities. Every company should feel urgency about maturing cybersecurity risk management. That’s the core message behind the heightened regulatory focus on cybersecurity — and with the expected finalization of the U.S. Securities and Exchange Commission (SEC) cybersecurity disclosure requirements for public companies within the next couple of months, it’s about to get real. These requirements will have a significant impact on your organization and role.

If you’re a leader at a private company, you may be thinking, “But this doesn’t apply to me.” You’re right. Officially, it doesn’t. But investors and other stakeholders often hold private companies to the same standards as public companies, and the SEC’s public-company draft rules are a good example of what we can expect from other cybersecurity legislation on the horizon, much of which goes beyond public companies. Most importantly, to find a cybersecurity solution for everyone, we need to admit that cybersecurity is everyone’s problem. Whatever your business or industry, it’s time to get your head around the SEC’s proposed cybersecurity disclosure rules and similar legislation expected in 2023. It’s also time to get the right processes in place — not just to comply with requirements, but to ensure you’re doing the right things to protect, defend, and enhance your business. 

Understanding the Draft SEC Cybersecurity Rules for Public Companies

The tables below simplify the how, when, and what of the draft requirements. It’s noteworthy that these mandatory disclosures will be made via 8-K, 10-Q, or 10-K filings, meaning that all information becomes public record. There are no requirements for the SEC to keep any information non-public. That means investors and other stakeholders can use it in their decision-making — and regulators and attorneys can use it for their purposes. That said, it’s also noteworthy that the SEC’s most recent cybersecurity risk management proposal for registered investment advisers and market entities (reopened for public comment in March 2023) proposes a different solution, stipulating that advisers will report significant cybersecurity incidents to the SEC within 48 hours using new Form ADV-C.

Proposed Disclosure Requirements for Material Cybersecurity Incidents

Keeping it simple, the proposed immediate reporting requirements are about being able to:

  1. Identify material cybersecurity incidents.
  2. Quantify their impact. 

There would be a lot to pull together in a very short time frame, from material incident to 8-K filing. For most organizations, this would require much more timely investigation and quantification around cybersecurity risk than is being done today. 

Immediate Reporting — Material Cybersecurity Incidents

  • Form: 8-K
  • Timing: 4 business days
  • Information: 
    • When the incident was discovered and whether it is ongoing
    • A brief description of the nature and scope of the incident
    • Whether any data was stolen, altered, accessed, or used for any other unauthorized purpose
    • Effect of the incident on the company’s operations
    • Whether the company has remediated or is currently remediating the incident

Next, the periodic requirements would hold companies accountable for updates on how they’re remediating material incidents, and for considering how individually immaterial but related incidents may become material in the aggregate. For example, maybe your company had a number of individually immaterial data-leakage incidents resulting from poor access controls. When you tie them together — looking at how they’re impacting different business units or customers — they may become material, requiring disclosure.

Periodic Reporting — Material Cybersecurity Incidents

  • Form: 10-Q and/or 10-K
  • Timing: Quarterly and/or annually
  • Information:
    • The same information required for current (8-K) reporting.
    • Include any previously undisclosed, immaterial cybersecurity incidents that are clearly related and have become material in the aggregate.
    • Include any updates on individually material cybersecurity incidents. 

Proposed Disclosure Requirements for Cybersecurity Risk Management and Governance

The remaining requirements in the SEC’s public-company proposal aim to provide a consistent, comparable view of cybersecurity risk management programs that offers insight into program capabilities, strategy, and effectiveness. To this end, companies would be required to affirm whether they have a cybersecurity risk assessment program, how it works, how it fits into strategy and planning, and whether it uses (and how it chooses) third parties. Notably, this would include disclosing how specific risks and incidents impacted operations or finances and/or led to changes in governance, technology use, and policies/procedures. 

Cybersecurity Risk Management  

  • Form: 10-K
  • Timing: Annually
  • Information:
    • If the company has a cybersecurity risk assessment program and a program description 
    • Use of consultants and/or other third parties in cybersecurity risk assessment
    • The company’s cybersecurity policies and procedures to select and oversee third-party service providers
    • Activities to prevent, detect, and minimize effects of cybersecurity incidents
    • Use of business continuity, contingency, and recovery plans
    • Previous cybersecurity incidents leading to changes in cybersecurity governance, policies & procedures, and technologies
    • Risks and incidents affecting the results of operations or financial condition and, if so, how
    • How cybersecurity risks are part of business strategy, financial planning, and capital allocation

Finally, the proposed governance requirements would ask companies to account for how cybersecurity risk management is overseen at the board level, and assessed and implemented at the management level. That includes identifying who on the board is responsible (person/committee), how they’re informed about cybersecurity risks, and whether they have cybersecurity expertise. Taken together, these proposed requirements encourage a fresh look at how cybersecurity risk management connects with strategy and integrates with overall risk management. 

Cybersecurity Governance

  • Form: 10-K
  • Timing: Annually
  • Information: 
    • Management’s role in assessing and managing cybersecurity risks and implementing the company’s cybersecurity policies and procedures
    • Cybersecurity expertise of members of the board, if any
    • Board oversight of cybersecurity risks and associated processes, including:
      • Who on the board is responsible for the oversight of cybersecurity risks
      • The process by which the board is informed about cybersecurity risks
      • The frequency with which the board is informed about cybersecurity risks
      • Whether and how the board or board committee considers cybersecurity risks as part of its business strategy, risk management, and financial oversight

More Cybersecurity Disclosure Requirements Expected in 2023

The proposals below are also likely to come to fruition in 2023. I’m not going to drill into these as deeply, but the trends are striking. In particular, all three require some form of examination to ensure that certifications or statements can be backed up.

NYDFS 23 NYCRR Part 500 Amendment

The New York State Department of Financial Services (NYDFS) — a primary overseer of Wall Street financial institutions — has long been a leading indicator of regulatory trends. While NYDFS has required institutions to maintain adequate cybersecurity for years, a proposed amendment adds a major requirement. A Chief Information Security Officer responsible for overseeing and implementing cybersecurity policy will annually have to certify new and existing cybersecurity requirements, including details about their authority and responsibilities, the senior governing body overseeing cybersecurity risk, specific practices (e.g., access management, multi-factor authentication, training/monitoring), and business continuity, disaster recovery, and incident response plans.  

SEC Cybersecurity Requirements for Investment Advisers and Private Funds

SEC efforts have already gone beyond public-company requirements to focus on the arena of investment advisers, registered investment companies, and business development companies associated with investments. The proposed rule goes into greater depth than the public-company requirements, including disclosure of third-party risk management policies and procedures and record-keeping requirements that facilitate SEC inspection and enforcement. As indicated earlier, the SEC’s most recent reproposal included a proposed amendment that advisers will use a new Form ADV-C to report significant cybersecurity incidents to the SEC — a different solution than currently proposed in the public-company draft cybersecurity rules.

U.S. Department of Defense (DoD) CMMC 2.0 Certification

DoD’s interim rule implementing its Cybersecurity Maturity Model Certification (CMMC) program took effect in 2020. CMMC 2.0 (anticipated finalization in May) will streamline requirements, and some updates are expected to echo NYDFS’ rules. For example, audits will be required every three years for a critical subset of contractors, but during non-audit years, senior executives will have to certify that nothing has materially changed. 

5 Steps to Prepare for Cybersecurity Compliance

The best way to organize your to-do list is to start at the end and work backwards: Make sure you understand the draft requirements, and let that guide your analysis of what needs to be done. Look beyond disclosure preparation to ensure you have infrastructure in place to meet the proposed requirements. A basic action plan:  

  1. Perform gap assessment. Identify the gaps between the SEC’s proposed disclosure requirements and current practices. Assign accountability for remediation. 
  2. Integrate disclosure processes. Don’t make the mistake of creating a separate process that will be burdensome and costly to maintain. Instead, identify how your cybersecurity program will integrate with your current disclosure process. Determine who will be involved and how. Include legal. 
  3. Update incident management process. Determine how you’ll modify your process to consider materiality and ongoing reporting/monitoring. Consistency is crucial in determining materiality and disclosing issues, so that the same methodology, process, and controls apply for cybersecurity as for operational or financial statement issues. 
  4. Engage board of directors early. Help the board understand the proposed requirements. Work together to determine governance changes needed. 
  5. Leverage technology. Get the right technology in place to integrate risk management and communication and streamline disclosures, whether that’s a single integrated solution or individual solutions you tie together. 

Most companies have work to do in connecting technology and teams. A 2023 AuditBoard poll of 3,400+ audit, risk, and compliance leaders found that 49% currently use individual security or risk management applications to monitor cybersecurity risks and incidents. Another 12.6% use internal communication/collaboration tech (e.g., Jira, project management tools), 9.5% still use tools like spreadsheets, slide decks, and emails, and 17% were “unsure.” Only 11.7% of respondents indicated that they currently use integrated risk management technology platforms to monitor cybersecurity risks and incidents.

Integrated Technology Solutions for Integrated Risk Management

The coming cybersecurity disclosure requirements are part of a larger trend toward integrated reporting and risk management. Just like standalone financial reports don’t give the full picture of how a business is doing, disconnected technologies aren’t effective in meeting today’s risk management challenges. Integrated technology solutions bring together different data and perspectives into a common risk framework — creating an integrated view of risk that connects people, increases understanding, enables prioritization, and supports performance, resilience, assurance, and compliance. If your organization is still dragging its feet on integrating risk management, 2023 is a great opportunity to get moving.

John Wheeler

John A. Wheeler is the Senior Advisor, Risk and Technology for AuditBoard, and the founder and CEO of Wheelhouse Advisors. He is a former Gartner analyst and senior risk management executive with companies including Truist Financial (formerly SunTrust), Turner Broadcasting, Emory Healthcare, EY, and Accenture. Connect with John on LinkedIn.