In last week’s “Cyber Governance and Risk: Getting Ahead of the Regulators” practice sharing session, the ACSC dove into draft Securities and Exchange Commission (SEC) cybersecurity rulemaking head first. A lively discussion and debate covered many open questions around the regulation’s impact. CISOs play a crucial role in navigating these regulations, but that role is fraught with challenges. We know. Our 65 security, risk and legal executives discuss and debate these topics in depth as part of our collaborative risk governance program.
While many organizations have already established extensive incident disclosure and governance policies, these rules not only formalize the need, but also reduce flexibility and add time pressure around public disclosure before an incident has been fully investigated.
This blog post touches on key questions that surfaced during the session, notably around the evolving landscape of disclosure requirements, materiality, and the importance of adopting a process-oriented approach to cybersecurity.
What regulation has been proposed?
The proposed Securities and Exchange Commission (SEC) cybersecurity rule, titled "Cybersecurity Risk Management Strategy, Governance, and Incidents," would require disclosure of material cybersecurity incidents on a Form 8-K within four business days of determining an event is material. It is poised to become a de facto federal cybersecurity regulation. This rule encompasses a broad range of topics, from cybersecurity risk management to disclosure requirements following an incident.
How far reaching is this?
The broad nature of the disclosure requirements means that any shareholder, in the event of a security incident, could potentially sue the organization for reasons such as insufficient security budget allocation or a lack of cybersecurity expertise on the board. This highlights the need for organizations to be cautious when disclosing information, as it could be used against them in future legal disputes. According to Chris Hart, Foley Hoag’s Privacy & Data Security Co-Chair, “The SEC’s proposed rule has wide-ranging implications, affecting not only a regulated entity’s security policies and procedures, but also their documentation practices, training, and disclosures. And ultimately, it may have profound effects on the individual liability of directors and managers when things go wrong.”
What must be disclosed?
The central questions that must be addressed - to the extent possible at the time of filing - include:
When was the incident discovered?
Is the incident ongoing?
What were the nature and scope of the incident, in brief?
Was any data stolen, altered, accessed, or used for any unauthorized purpose?
What was the effect of the incident on the organization’s operations?
Has the organization remediated the incident?
How soon must we disclose?
The proposed rule requires public disclosure within four days of determining a cybersecurity incident is material. Note that for ransomware incidents, the proposed reporting window is 24 hours. This creates potential problems for companies, as they may be forced to disclose information while still in the midst of resolving an incident. Furthermore, the current proposal does not provide any exceptions for national security or law enforcement engagement, which may put companies at further risk.
The disclosure timeframe is further complicated because individual sovereign nations and supranational governments will establish their own reporting deadlines. In Europe, proposed legislation requires incident reporting within 24 hours, while in India the timeframe is a mere six hours. These proposals have prompted some organizations to advocate for a global 72-hour reporting rule, which they believe strikes a balance between regulatory demands and operational realities.
What if multiple incidents are related?
The proposed rule requires companies to look back over their entire history of security incidents to determine if any incidents in aggregate become material. However, the rule does not provide clear guidance on what constitutes materiality, creating operational burdens for companies attempting to comply with this requirement.
Will board involvement be disclosed?
The rule mandates expanded governance disclosures, such as how companies identify and manage cybersecurity risks at the management level and handle third-party risk. Additionally, the rule requires companies to disclose their board's involvement in strategy and financial planning related to cybersecurity risk. This level of scrutiny goes beyond what the SEC typically requires and could expose companies to potential liability if they are found to have deficiencies.
What board cybersecurity expertise will now be required?
The proposed rule calls for companies to disclose the cybersecurity expertise of their board members. While there is no explicit requirement to have a board member with cybersecurity expertise, the lack of such expertise could invite shareholder activism or litigation.
What should we do differently?
Many organizations lack a process-oriented approach to cybersecurity, focusing instead on individual services, applications, or infrastructure. This can result in a fragmented security posture that is difficult to maintain and improve. To address this, organizations should adopt a more holistic approach to incident response and governance that includes design resiliency and organization-wide risk management.
Conclusion
The proposed SEC cybersecurity rule represents a substantial shift in the regulatory landscape for CISOs and companies alike. The forthcoming requirements around public disclosure obligations, aggregate incident reporting, and expanded governance disclosures present significant challenges for companies as they attempt to navigate this new landscape. By proactively addressing these issues through a multi-discipline risk management council, companies can better position themselves for success in this evolving regulatory environment.
If you’d like to learn more about our collaborative risk governance program or sign up for our public Corporate Board Report on Cyber Governance & Risk management please complete this short form: https://forms.gle/37Rov6FhWmi8RJ1JA