[author: Matt Kelly, Radical Compliance]
Corporate risk and compliance officers are already working under an influx of cybersecurity-related concerns, so you may have missed this latest news: The US Securities and Exchange Commission has proposed new rules for increased disclosure of cybersecurity issues.
For now, these proposed rules are just that: proposals. They are not final rules going into effect today, requiring public companies to review immediately their processes for documenting and disclosing cybersecurity events. But the enhanced disclosure rules are coming soon. Compliance and risk officers should consider what the SEC is trying to accomplish here and the implications for their risk oversight duties.
We can divide the SEC’s proposed rules into two parts.
First, public companies would have to disclose their comprehensive approach to managing cybersecurity risks (in the annual report), which includes:
- The policies and procedures used to identify and manage cybersecurity risks.
- The role of management in the implementation of cybersecurity policies and procedures.
- The cybersecurity expertise of the board of directors, if any, and their oversight of cybersecurity risk.
Second, companies would also have to disclose “major cybersecurity incidents” within four days of a decision that a cybersecurity lapse is indeed major, through the filing of Form 8-K.
We don’t know what the final version of these proposed rules will be, and we won’t know for at least several months yet. Still, you can already see the overall goal that the SEC is trying to achieve.
The SEC is trying to push for better oversight of cybersecurity risks by pushing companies to be more forthcoming with investors about how those risks are managed.
That will have big implications for how the board of directors, risk management, compliance, and IT security teams approach cybersecurity.
First, Risk Supervision
We can start with the proposed annual disclosures about how the company manages cybersecurity risks. The key is the third point above: reporting on cybersecurity oversight by the board.
The SEC and many other prominent voices in corporate governance have long said that the board should be responsible for ensuring cybersecurity risks are addressed. The SEC’s proposed rules underscore that demand, because if the board doesn’t take responsibility for cybersecurity, the company will have to disclose it too, and it’s not a flattering look in front of investors.
So the first step will be for senior executives and key risk assurance leaders (compliance officer, risk officer, CISO, maybe the general counsel) to have a frank conversation with the board: “Some committee here has to be responsible for cybersecurity; and that committee will then need to review and approve our cybersecurity plan.”
It is quite possible that your board of directors does not have members with sufficient cybersecurity experience. In that case, another conversation about recruiting that person (or persons) needs to take place.
The next conversation should address the company’s tolerance for cybersecurity risk and the roles and responsibilities of executives tasked with managing cybersecurity on a daily basis. These are the other two points above.
To some extent, this second conversation will be similar to other conversations about anti-corruption risk or compliance risk in general. How much tolerance for this risk is the board willing to accept? How will management develop a program to keep that risk within those tolerance levels?
These are good conversations to have, but remember the overall goal here: getting the board to make sure internal executives are managing risk appropriately. The SEC has done this before with, say, financial reporting risks; the Justice Department has done it before with anti-corruption risk, through its many guides on effective compliance programs.
Now the SEC wants to do the same for cybersecurity risk. Boards of directors, CEOs, and leaders of second-line functions, including IT security, legal, and compliance, will need to develop an action plan.
Second, Materiality Questions
Companies will also have a more pragmatic challenge. One SEC proposal is to require disclosure of “material cybersecurity incidents” within four days of a decision that a breach was indeed material.
Well, what process will your company use to decide that? More precisely, what objective, reliable, repeatable process will the company use to decide materiality, when cybersecurity events can come in so many forms?
The SEC doesn’t provide much detail on how to answer those questions. Under federal securities law, a material fact is anything that, when disclosed, “would be considered by a reasonable investor to have materially altered the ‘total mix’ of available information,” but applying that standard to many cybersecurity incidents will not be easy.
That analysis will require a combination of forensic capability, to establish exactly what was breached; an objective legal analysis of whether those facts pass the materiality test; and a dash of ethical values: “Is this something we should disclose to investors, even if they take a beating in the markets?”
If you don’t develop a rigorous process for this evaluation—that is, if the company relies on the whims of management and best guesses from quarter to quarter—the potential for poor decisions is greatly increased. The smartest thing will be to define policies and processes for a structured assessment of materiality.
Maybe you can rely on cybersecurity frameworks to guide you as you develop those things; perhaps you can develop them internally with careful discussion and deliberation. But the ideal result will be a formal process that IT security, legal, risk and compliance teams understand and follow.
Then, if everything falls into place, you have a board properly committed to cybersecurity risk oversight and a defensible process for informing investors when you experience a cybersecurity incident.
Whatever the final form of the SEC’s proposed rules, those two outcomes will be worth having.
For more information on the cybersecurity threat landscape and how to stay compliant, see the “Ransomware Attacks in 2022: Compliance Lessons Learned” webinar.