HOW THE SEC'S PROPOSED SECURITY RULES COULD IMPACT BUSINESSES

By Portia Cole, Emergent Threat Researcher, Avertium

Note: This content was originally published in Cyber Defense Magazine

If the Securities and Exchange Commission (SEC) has its way, it will soon do more than any other federal agency has done when it comes to putting cybersecurity disclosure requirements in place for public companies and covered entities and their boards of directors. The SEC proposed new regulations in March 2022 (the comment period was reopened a year later) and March 2023 that would, in part, require that investors be informed “in a consistent, comparable, and decision-useful manner” about how cybersecurity risks are being managed.

The comment periods for both came to a close in May 2023. If adopted, new rules and requirements would be put in place regarding:

  • The reporting of material cybersecurity incidents and updates about previously reported cybersecurity incidents.
  • Reporting requirements regarding a registrant’s policies and procedures to identify and manage cybersecurity risks, and the registrant’s board of directors’ oversight of cybersecurity.
  • Management’s role and expertise in assessing and managing cybersecurity risk and implementing cybersecurity policies and procedures.
  • Annual reporting or certain proxy disclosure about the board of directors’ cybersecurity expertise.

In the SEC’s view, the purpose of the amendments is to keep investors better informed about an organization’s risk management, strategy, and governance and to ensure prompt notification in the event of significant cybersecurity incidents. The government also seeks to abandon its dated 2003 strategy, which established that federal regulation wouldn’t be a main approach to securing cyberspace—clearly, it has changed its mind. Let’s dive into two notable regulations that deserve our attention.

PROMPT REPORTING

Our assumption is that the regulation regarding prompt disclosure of breaches is in response to organizations such as T-Mobile and BlackBerry. In 2021, both T-Mobile and BlackBerry faced public scrutiny after they failed to promptly inform customers and the public of server and software vulnerabilities that affected millions of people. T-Mobile’s breach was significant because it exposed the data of more than 100 million customers—and troubling in terms of how investors learned of it. Vice.com broke news of the breach on August 15, 2021, but the company didn’t confirm the breach until August 16, 2021—24 hours after the breach made headlines.

At the time, there were no federal regulations dictating the timeframe within which a company had to report a data breach. As a result, on September 1, 2021, Congress began examining a House of Representatives bill that included requirements around how quickly companies need to report attacks (between 24 and 72 hours), what kinds of compromises need to be reported to CISA, and whether a fine should be imposed for non-compliance.

Although Congress was unable to reach a consensus at that time, in March 2022 the Cyber Incident Reporting for Critical Infrastructure Act established two cyber incident reporting requirements for covered entities within 16 designated critical infrastructure sectors, and the SEC is now inching closer to finalizing similar disclosure rules that would benefit stakeholders, customers, and investors.

Among what the SEC wants: similar to public companies, covered entities would have to disclose past and present cyber incidents to the SEC within 48 hours of discovery. Covered entities would be required to immediately notify the SEC in writing of a significant cybersecurity incident when they have reasonable grounds to believe that one has occurred or is occurring. In addition, companies would have to submit detailed information about the incident and their response to it using the proposed Form SCIR, which must be filed promptly and updated if new material information is discovered or upon resolution of the incident.

BOARD OF DIRECTORS AND CYBERSECURITY RISK

It’s not enough for board members to simply be informed about a company’s existing security measures. Boards should play a crucial role in supporting cybersecurity risk management, and the proposed SEC regulations will help force that along.

If the SEC has its way, public companies will be required to disclose if board members have cybersecurity expertise. The SEC will mandate that companies disclose how the board oversees cyber risks, as well as describe how management assesses and handles those risks. It gets even more detailed, requiring that companies disclose the ways in which the board is kept up to speed on cyber risks and how often the board discusses the topic. The regulation would require board members to increase their focus on cybersecurity and take responsibility for overseeing the organization’s response and recovery plans in the event of a cyberattack.

Board members are going to have to get much more serious about cybersecurity. Gone are the days when it was enough just to get an update on what the CISO has been working on. As the Harvard Business Review puts it, “Board members must take the position that cyber-attacks are likely, and exercise their oversight role to ensure that executives and managers have made proper and appropriate preparations to respond and recover.”

POTENTIAL AND LIMITATIONS OF THE PROPOSED REGULATIONS

Should the new rules kick in, the changes won’t be limited to the disclosures themselves. Companies may find they incur additional costs to comply with the new rules, including the costs of gathering and analyzing the required data. There is also the potential for increased reputational risk. With greater exposure comes greater scrutiny. Companies that fail to adequately address their cybersecurity risks may face reputational damage and potential backlash from investors, customers, and other stakeholders.

The intent of these proposed rules is to protect the greater public by promoting transparency and holding companies accountable. But as with many regulations, there are limitations. There remains a degree of ambiguity around what covered entities are obligated to disclose and how they should disclose it. For example, different industries face different cyber risks and have unique risk profiles with different levels of confidentiality and security, making it difficult for stakeholders to compare the cybersecurity postures of organizations across industries. Companies may also measure their risks differently, so it can be difficult for a stakeholder to determine whether a particular company’s risk measurement strategy is comprehensive or accurate.

But what the SEC is looking to do is to build upon or revise what is already in place, and organizations would do well to build upon what they’re already doing in order to be ready—and in a stronger cyber position whether or not the proposed changes formally become requirements. That includes educating your board about what may be coming and reviewing the written policies and procedures you have in place for your incident response program.

A FINAL DECISION

After the publication of the above article, the SEC passed a final rule with a 3-to-2 vote on July 26, 2023. This rule mandates the disclosure of significant cybersecurity incidents, as well as the management, strategy, and governance of cybersecurity risks by public companies, including foreign private issuers. The final rule represents a significant change for all public companies. To sum up, the final rule necessitates the following:

These annual disclosures apply to foreign private issuers through Form 20-F, while material cybersecurity incident disclosure will be covered by Form 6-K. According to the SEC, the final rules will become effective 30 days following publication of the adopting release in the Federal Register.

How Avertium is Protecting Our Customers

The SEC’s rules might seem overwhelming, but Avertium is here to assist your business in meeting regulatory requirements. Avertium specializes in understanding the latest threats, vulnerabilities, and best practices in cybersecurity. Our experts are well-versed in Governance, Risk, and Compliance (GRC) frameworks and can ensure accurate guidance for your unique cybersecurity challenges.

We help identify threats, assess impact, and implement mitigation strategies. Avertium stays updated on changing regulations, guiding businesses through compliance complexities. We tailor solutions to individual operations, risks, and compliance needs.

Avertium simplifies Governance, Risk, and Compliance (GRC) by providing contextual understanding instead of unnecessary With our cross-data, cross-industry, and cross-functional expertise, we enable you to meet regulatory requirements and demonstrate a robust security posture without any vulnerabilities. Our GRC services include:

  • Cyber Maturity
  • Compliance Assessments and Consulting
  • Managed GRC

Supporting Documentation

33-11216-fact-sheet.pdf (sec.gov)
Final Rule: Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure (sec.gov)
Gibson Dunn: Proposal (securitiesregulationmonitor.com)
SEC Adopts New Rules on Cybersecurity Disclosure for Public Companies (Gibson Dunn)

APPENDIX II: Disclaimer

This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be used to ensure that diligent measures are taken to lower the risk of potential weaknesses being exploited to compromise data.

Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Avertium) is ultimately responsible for assessing and meeting Client's own compliance responsibilities. This report does not constitute a guarantee or assurance of Client's compliance with any law, regulation or standard.
