SEC Public Company Cybersecurity Disclosure Proposed Rules: Your Top Questions Answered


Cybersecurity has been a top risk to businesses for several years, and most businesses have taken this threat very seriously. Companies’ actions to mitigate cybersecurity risk are not generally visible to the public, so investors are often in the dark when deciding which companies are good options for their investments. 

The U.S. Securities and Exchange Commission (SEC) recognizes the importance of this information, and in an effort to increase transparency it has proposed new cybersecurity disclosure rules for public companies. The proposal is open for public comment for 60 days, until May 9, 2022. If you want your voice to be heard, you need to act now. To assist you in your preparation, this article answers key questions you likely have about the proposal. 

What are the SEC’s public company cybersecurity disclosure proposed rules?

The SEC has proposed new rules governing cybersecurity disclosure in public company SEC filings (Form 8-K and the periodic reports on Forms 10-Q and 10-K). Under the proposal, public companies would be required to disclose the following:

Immediate Disclosure

  • Any material cybersecurity incident is to be reported on Form 8-K within four business days after the company determines that the incident is material. Note that the clock runs from the materiality determination, not from the date the incident was discovered, and the proposal does not allow the filing to be delayed because a law enforcement investigation is ongoing.

Periodic (Quarterly and Annual) Disclosure

  • Previously undisclosed, individually immaterial cybersecurity incidents that have become material in the aggregate (for example, a series of incidents tied to the same actor or the same vulnerability).
  • Any updates about previously reported material cybersecurity incidents.
  • The policies and procedures management has in place for identifying and managing cybersecurity risk, including risks arising from third-party service providers.
  • An explanation of management’s role and expertise in assessing and managing cybersecurity risk and in implementing those policies and procedures.
  • The board of directors’ oversight of cybersecurity risk and whether any board member has cybersecurity expertise.

The rules are meant to provide a consistent and comparable view of cybersecurity risk management programs across public companies that include insight into their risk strategy, governance capability, and program effectiveness. 

How does the SEC define a cybersecurity incident?

A key point in the proposal is its definition of the term “cybersecurity incident”: “an unauthorized occurrence on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.” The proposal goes on to define information systems, in part, as “information resources, owned or used by the registrant, including physical or virtual infrastructure.” The definition is deliberately broad. Because it covers systems the company uses as well as those it owns, an incident at a SaaS provider, a managed service provider, or a cloud host that affects the company’s data is still the company’s incident for disclosure purposes, which reinforces the need for management to understand and monitor the risk associated with third-party applications and to have contractual incident-notification terms with those providers. The definition also does not turn on intent: an accidental exposure of data (a misconfigured storage bucket, an email sent to the wrong recipient) is an incident just as a deliberate intrusion is.

Who do the proposed SEC cybersecurity disclosure rules impact?

Based on the current proposal, the rules would apply to all companies that file periodic reports with the SEC, including foreign private issuers (the proposal amends Forms 20-F and 6-K as well as Forms 10-K, 10-Q, and 8-K). In the past, the SEC encouraged companies to include cybersecurity disclosures in their filings, but the SEC’s own research showed that in 2020 only about 64% of companies did so on their own. Among those that did include commentary, the content was inconsistent and of limited use to stakeholders. By requiring all companies to provide the same type of information, investors, suppliers, customers, and other stakeholders should be able to understand and compare how companies manage their cybersecurity risk. 

When will the proposed SEC cybersecurity disclosure rules take effect?

The SEC’s cybersecurity disclosure rules are currently proposed, with no set date for adoption. As a general practice, SEC rulemaking moves through a proposed rule (sometimes preceded by a concept release soliciting early input), a public comment period, a final rule, and then an effective date and compliance date. This proposal has been published and the SEC is gathering comments. The final rule may take several months to a year, but business leaders should take this as a clear signal from the SEC that it intends to require cybersecurity disclosures, regardless of how the final rule differs from the proposed draft. 

What do the new SEC cybersecurity disclosure rules mean for my company?

The rules are currently in a proposed status, so now is the time for you to evaluate your company’s current state and plan for compliance. We highly suggest you read through the proposal to understand what the SEC is proposing and add your thoughts to the public commentary while there is still time. To prepare your cybersecurity risk management program for disclosure reporting, your company will need to assess whether the board has a cybersecurity subject matter expert, ensure cyber incidents are tracked individually and in aggregate, draft cybersecurity policies, procedures, and controls, and decide who will take responsibility for control testing procedures. 
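As an added illustration, not code from this article or from AuditBoard, the Python below models the two clocks the proposal creates in a small incident register: the four-business-day Form 8-K deadline, which runs from the materiality determination rather than from discovery, and the running total of still-undisclosed, individually immaterial incidents that would belong in the next periodic report once they become material in the aggregate. The holiday calendar, the dollar threshold, the `related_to` grouping key and the sample incidents are constructed assumptions for the demo; real materiality is a legal judgment that weighs qualitative factors and cannot be reduced to a number.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed placeholder calendar: 2022-05-30 (Memorial Day) only.
# Production use needs the full federal/exchange holiday calendar.
HOLIDAYS = frozenset({date(2022, 5, 30)})


def add_business_days(start: date, n: int, holidays: frozenset = HOLIDAYS) -> date:
    """Return the date n business days (Mon-Fri, non-holiday) after start."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5 and d not in holidays:
            n -= 1
    return d


@dataclass
class Incident:
    incident_id: str
    discovered: date
    summary: str
    # Hypothetical quantitative proxy used only to drive the demo.
    estimated_impact_usd: int
    related_to: Optional[str] = None        # assumed grouping key: same actor/vuln
    material: bool = False
    materiality_determined: Optional[date] = None
    disclosed: bool = False


class IncidentRegister:
    def __init__(self, aggregate_threshold_usd: int, holidays: frozenset = HOLIDAYS):
        self.threshold = aggregate_threshold_usd       # assumed, not an SEC number
        self.holidays = holidays
        self._incidents: dict[str, Incident] = {}

    def add(self, inc: Incident) -> None:
        if inc.incident_id in self._incidents:
            raise ValueError(f"duplicate incident id {inc.incident_id}")
        self._incidents[inc.incident_id] = inc

    def determine_material(self, incident_id: str, on: date) -> date:
        """Record the materiality determination; the 8-K clock starts here."""
        inc = self._incidents[incident_id]
        inc.material = True
        inc.materiality_determined = on
        return self.form_8k_deadline(incident_id)

    def form_8k_deadline(self, incident_id: str) -> Optional[date]:
        inc = self._incidents[incident_id]
        if not inc.material or inc.materiality_determined is None:
            return None
        return add_business_days(inc.materiality_determined, 4, self.holidays)

    def overdue(self, incident_id: str, today: date) -> bool:
        """True when a material incident has passed its deadline unfiled."""
        deadline = self.form_8k_deadline(incident_id)
        inc = self._incidents[incident_id]
        return deadline is not None and not inc.disclosed and today > deadline

    def undisclosed_immaterial(self, related_to: Optional[str] = None) -> list[Incident]:
        return [i for i in self._incidents.values()
                if not i.material and not i.disclosed
                and (related_to is None or i.related_to == related_to)]

    def aggregate_exposure(self, related_to: Optional[str] = None) -> int:
        return sum(i.estimated_impact_usd for i in self.undisclosed_immaterial(related_to))

    def aggregate_material(self, related_to: Optional[str] = None) -> bool:
        """Flag individually immaterial incidents that cross the threshold together."""
        return self.aggregate_exposure(related_to) >= self.threshold


def demo() -> dict:
    """Constructed sample: one material incident plus three related small ones."""
    reg = IncidentRegister(aggregate_threshold_usd=1_000_000)
    reg.add(Incident("INC-1", date(2022, 5, 25), "ransomware on ERP", 5_000_000))
    for n, usd in ((2, 400_000), (3, 350_000), (4, 300_000)):
        reg.add(Incident(f"INC-{n}", date(2022, 4, n), "phishing, same kit",
                         usd, related_to="phish-kit-A"))
    # Determined material on Friday 2022-05-27; Memorial Day is skipped,
    # so the four-business-day deadline lands on Friday 2022-06-03.
    deadline = reg.determine_material("INC-1", on=date(2022, 5, 27))
    return {
        "deadline": deadline.isoformat(),
        "deadline_no_holiday": add_business_days(date(2022, 3, 14), 4).isoformat(),
        "overdue_on_jun_6": reg.overdue("INC-1", date(2022, 6, 6)),
        "aggregate": reg.aggregate_exposure("phish-kit-A"),
        "aggregate_material": reg.aggregate_material("phish-kit-A"),
    }


if __name__ == "__main__":
    print(demo())
```

The point of keeping the determination date separate from the discovery date is that the register can show the board how long triage took before the clock even started; that gap is where detection and impact-analysis tooling earns its keep.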

How can technology help with SEC cybersecurity disclosure?

Given the four-business-day requirement, technology will be essential to enable quick identification, root cause and impact analysis, the materiality determination, and stakeholder review. Although the clock runs from the materiality determination rather than from discovery, the determination itself cannot be made until the incident has been scoped, so slow detection and triage still compress the time available, and the proposal provides no extension for a pending law enforcement investigation. Disclosure of cybersecurity incidents will need the same rigorous review and control as other SEC-mandated financial disclosure. As such, many stakeholders will need to be involved, including legal, finance, communications, information technology, internal audit, external audit, security, senior executives, board members, and others. Compliance management technology designed to facilitate an integrated analysis and review process will be essential to effective disclosure.


Start Planning Now for Potential Cybersecurity Disclosure Requirements

The SEC’s proposed rules are meant to add a measure of consistency and transparency to cybersecurity disclosures. The information being asked for is not new, and public companies should already have a strong cybersecurity foundation. If your program is not as mature as you would like, or if you need to tighten it up to support the reporting process, do it now. Waiting until the proposal becomes a requirement will leave your organization with less time and more stress to pull the information together. In the coming weeks we will share additional guidance to help you prepare a disclosure and evaluate your company’s readiness for the proposed rule. Now is also a good time to look into how technology can help you transform your cybersecurity risk management program to gain a competitive edge.


John A. Wheeler is the Senior Advisor, Risk and Technology for AuditBoard, and the founder and CEO of Wheelhouse Advisors. He is a former Gartner analyst and senior risk management executive with companies including Truist Financial (formerly SunTrust), Turner Broadcasting, Emory Healthcare, EY, and Accenture. Connect with John on LinkedIn.


Richard Marcus, CISA, CRISC, CISM, TPECS, is VP, Information Security at AuditBoard, where he is focused on product, infrastructure, and corporate IT security, as well as leading the charge on AuditBoard’s own internal compliance initiatives. In this capacity, he has become an AuditBoard product power user, leveraging the platform’s robust feature set to satisfy compliance, risk assessment, and audit use cases. Connect with Richard on LinkedIn.