The Securities and Exchange Commission (SEC) has proposed amendments to enhance and standardize the disclosure requirements surrounding cybersecurity risk management, strategy, governance, and incident reporting by public companies. The new rules would require publicly traded companies to be more open and forthcoming about cybersecurity events, and would put a framework in place to assess incidents and report them to investors in a timely and comprehensive manner.
What do the SEC’s new amendments cover?
The proposals aim to reduce ambiguity in incident reporting while identifying priority areas for clear communication with investors.
Here are key highlights of the proposed new rules:
- Page 16 of the 129-page proposing release notes that the regulator (SEC) has observed cybersecurity incidents that were reported in the media but never disclosed to the SEC. The SEC has also observed that some publicly traded companies, when disclosing cybersecurity risks in the relevant section of their annual reports, mixed that information with unrelated disclosures, causing confusion or making it hard for investors to locate the relevant information.
- Further, the SEC notes that “Registrants’ disclosures of both material cybersecurity incidents and cybersecurity risk management and governance have improved since the issuance of the 2011 Staff Guidance and the 2018 Interpretive Release. Yet, current reporting may contain insufficient detail and the staff has observed that such reporting is inconsistent, may not be timely, and can be difficult to locate. We believe that investors would benefit from enhanced disclosure about registrants’ cybersecurity incidents and cybersecurity risk management and governance practices, including if the registrant’s board of directors has expertise in cybersecurity matters, and we are proposing rule amendments to enhance disclosure in those areas.”
- The SEC has noted with concern that many companies underreport cybersecurity events or do not report them at all. It therefore proposes to amend Form 8-K (the report of unscheduled material events or corporate changes that could be of importance to shareholders or the SEC) to require listed companies to disclose a cybersecurity incident within four business days after the company determines that it has experienced a material cybersecurity incident. The disclosure must cover the following:
- When the incident was discovered and whether it is ongoing;
- A brief description of the nature and scope of the incident;
- Whether any data was stolen, altered, accessed, or used for any other unauthorized purpose;
- The effect of the incident on operations; and
- Whether the company has remediated or is currently remediating the incident.
- Forms 10-Q and 10-K would be amended to require registrants to provide updated disclosure when a series of previously known, individually immaterial cybersecurity incidents has become material in the aggregate.
- The SEC proposes to amend Item 407 of Regulation S-K to require companies to disclose whether their board of directors includes members with cybersecurity expertise.
- Proposed Item 407(j)(1)(ii) includes the following non-exclusive list of criteria that a company should consider in reaching a determination on whether a director has expertise in cybersecurity:
- Whether the director has prior work experience in cybersecurity, including, for example, prior experience as an information security officer, security policy analyst, security auditor, security architect or engineer, security operations or incident response manager, or business continuity planner;
- Whether the director has obtained a certification or degree in cybersecurity; and
- Whether the director has knowledge, skills, or other background in cybersecurity, including, for example, in the areas of security policy and governance, risk management, security assessment, control evaluation, security architecture and engineering, security operations, incident handling, or business continuity planning.
- To determine whether an incident is material, the SEC prescribes a thorough, objective evaluation of the total mix of information, taking into consideration all relevant facts and circumstances surrounding the cybersecurity incident, including both quantitative and qualitative factors.
- Incident examples cited by the SEC:
- An unauthorized incident that has compromised the confidentiality, integrity, or availability of an information asset (data, system, or network); or violated the company’s security policies or procedures. Incidents may stem from the accidental exposure of data or from a deliberate attack to steal or alter data;
- An unauthorized incident that caused degradation, interruption, loss of control, damage to, or loss of operational technology systems;
- An incident in which an unauthorized party accessed, or a party exceeded authorized access, and altered or stole sensitive business information, personally identifiable information, intellectual property, or information that has resulted, or may result, in a loss or liability for the registrant.
- Proposed Item 1.05 of Form 8-K would require disclosure even where a state-law delay provision would excuse notification; a company may therefore have to disclose an incident on Form 8-K even though it could lawfully delay reporting under a particular state law. The proposed amendments thus treat reporting to the SEC separately from local and state breach-notification obligations.
- Risk management and strategy: Proposed Item 106(b) of Regulation S-K would require registrants to provide more consistent and informative disclosure regarding their cybersecurity risk management and strategy, including disclosure concerning a company’s selection and oversight of third-party service providers.
- Proposed Item 106(c) would require disclosure of a company’s cybersecurity governance, including the board’s oversight of cybersecurity risk and a description of management’s role in assessing and managing cybersecurity risks, the relevant expertise of such management, and its role in implementing the registrant’s cybersecurity policies, procedures, and strategies.
According to the SEC, the new rules will benefit both investors and companies by providing timely, standardized disclosures.
The proposing release has been published on SEC.gov and in the Federal Register. The comment period will remain open for 60 days following the publication of the proposing release on the SEC’s website.