What are the SEC’s Proposed Rules on Cybersecurity Risk Management?

SEC proposed cybersecurity rules

The number of cybersecurity incidents continues to rise. This upsurge in frequency and complexity has also resulted in an increase in costs. According to IBM’s 2022 Cost of a Data Breach Report, the average total cost of a data breach is USD $4.35 million, 83% of organizations studied have had more than one data breach, and 60% of organizations’ breaches led to increases in prices passed on to customers.

Because of the increasing costs associated with data breaches and other cybersecurity incidents, in 2022 the Securities and Exchange Commission (SEC) proposed new rules with respect to a public company’s cybersecurity risk management strategy and profile. This article highlights the proposed rules and also references key points of feedback that have been submitted by external parties.

What are SEC Filings & Disclosures?

The Securities and Exchange Commission (SEC) requires public companies to submit regulatory documents/disclosures/filings on a regular basis to help provide clarity and establish transparency surrounding a public company’s financial position. The main purpose of this requirement is to provide investors with complete and accurate information to enable them to make informed and rational decisions pertaining to investment. In addition to investors, the disclosures are also critical to the work performed by analysts and regulators who provide oversight.

What is the Purpose of SEC Disclosures?

On July 28, 2021, Gary Gensler, Chair of the U.S. Securities and Exchange Commission said the following about the importance of public company disclosures:

“Public disclosure isn’t new. We’ve been requiring disclosure of important information from companies since the Great Depression. The basic bargain is this: investors get to decide what risks they wish to take. 

Companies that are raising money from the public have an obligation to share information with investors on a regular basis. Over the decades, there’s been debate about disclosure on things that, today, we consider pretty essential for shareholders. 

Today, investors increasingly want to understand the climate risks of the companies whose stock they own or might buy. Large and small investors, representing literally tens of trillions of dollars, are looking for this information to determine whether to invest, sell, or make a voting decision one way or another.”

 

New cybersecurity rules from the SEC

SEC Proposes Rules on Cybersecurity

On March 9, 2022, the SEC presented a proposal to enhance public company reporting and disclosure requirements by requiring the inclusion of information pertaining to cybersecurity incidents, cybersecurity risk management, strategy, and governance. In short, the SEC clearly understands the significance of the ever-increasing risks presented by the current cybersecurity risk landscape and how they can influence a public company’s financial position. As a result, the SEC believes investors, analysts, and regulators should be made aware in a timely and consistent manner of the cybersecurity incidents a public company is experiencing and how they are managing their overall cyber risk profile.

Specific reporting requirements that include how, when, and the method by which the information should be reported are included in the associated fact sheet. The requirements are summarized under two main categories, which have been included below without alteration for your convenience:

Incident Disclosure Proposed Amendments

The SEC proposed to:

  • Amend Form 8-K to require registrants to disclose information about a material cybersecurity incident within four business days after the registrant determines that it has experienced a material cybersecurity incident.
  • Add new Item 106(d) of Regulation S-K and Item 16J(d) of Form 20-F to require registrants to provide updated disclosure relating to previously disclosed cybersecurity incidents and to require disclosure, to the extent known to management, when a series of previously undisclosed individually immaterial cybersecurity incidents have become material in the aggregate.
  • Amend Form 6-K to add “cybersecurity incidents” as a reporting topic.

 

Enhanced disclosure standards

Risk Management, Strategy, & Governance Disclosure

In addition to incident reporting, the SEC proposed to require enhanced and standardized disclosure on registrants’ cybersecurity risk management, strategy, and governance. Specifically, the proposal would:

  • Add Item 106 to Regulation S-K and Item 16J of Form 20-F to require a registrant to:
    • Describe its policies and procedures, if any, for the identification and management of risks from cybersecurity threats, including whether the registrant considers cybersecurity as part of its business strategy, financial planning, and capital allocation.
    • Require disclosure about the board’s oversight of cybersecurity risk and management’s role and expertise in assessing and managing cybersecurity risk and implementing the registrant’s cybersecurity policies, procedures, and strategies.
  • Amend Item 407 of Regulation S-K and Form 20-F to require disclosure regarding board member cybersecurity expertise. Proposed Item 407(j) would require disclosure in annual reports and certain proxy filings if any member of the registrant’s board of directors has expertise in cybersecurity, including the name(s) of any such director(s) and any detail necessary to fully describe the nature of the expertise.

What are the Implications of the SEC’s Proposed Rules on Cybersecurity?

As with any regulatory proposal, both positive and negative responses are expected. Prior to performing an analysis of the effects of the proposal on a given public company, it can be helpful to analyze feedback from other organizations to understand and identify relevant feedback and concerns. Feedback and comments are maintained and posted on the SEC’s website for further reference.

Board of Directors Cybersecurity Expertise

Upon reading several of the submissions, it’s apparent that the majority of organizations generally see the SEC’s proposal as a positive change and a step in the right direction. Specifically, the proposal continues to highlight the ever-increasing importance and criticality of the cyber risk management function within public companies. Requiring companies to describe their policies and procedures supporting their cyber risk management function should help investors, analysts, and regulators determine how a public company views the importance of its cyber risk management function. Requiring a description of a public company’s board of directors’ understanding and level of expertise as it pertains to cyber risk management is also an indicator of how effective a public company can be when it comes to managing and responding to cyber security incidents.

The University of Virginia Tech also highlighted the importance of maintaining a board of directors with sufficient knowledge and expertise surrounding cyber security risks. In their response to the SEC, the University of Virginia Tech included references to their own research and publications regarding the lack of cyber expertise on the majority of corporate boards. In their words, Virginia Tech’s findings underscore the importance of understanding the role of boards in cybersecurity oversight and believe the SEC’s proposal will improve the transparency of cybersecurity governance.

 

Concerns with new cybersecurity rules

Concerns with the SEC’s Proposed Rules on Cybersecurity

While many organizations recognize the SEC’s proposal as a step in the right direction, concerns were also expressed about the potential negative effects the proposal would have on public companies. Specifically, concerns were focused on mandates surrounding the disclosure of cybersecurity incidents.

While investors should have visibility into the cyber incidents a public company is facing or dealing with, many respondents felt as though the SEC’s requirement of disclosure about a material cybersecurity incident within four business days after the registrant determines that it has experienced a material cybersecurity incident fails to consider the ramifications to the public company’s incident response process, ongoing investigations, or overall security posture.

Comments from the U.S. Chamber of Commerce and United States Senator Rob Portman present excellent cases as to why definitive timelines and mandates surrounding the disclosure of cyber incidents pose significant risks to the reporting public company. Senator Rob Portman noted:

“Forcing companies to disclose cyber incidents publicly and before they have a complete understanding of those incidents, mitigate the damage and vulnerabilities, and contain malicious actors presents significant security risks. Nefarious cyber actors—both criminal organizations and nation state actors—are adept at collecting intelligence on their victims and leveraging that information in their attacks and ransomware negotiations.”

The negative effects of improperly sharing or disclosing sensitive security incident information can negatively affect a reporting public company. The downside of sharing such information too soon may outweigh the perceived benefits of providing transparency to investors, analysts, and regulators.

 

How does this apply to SOC 2 TSCs

How Does the SEC’s Proposal Apply to the AICPA’s SOC 2 Trust Services Criteria?

As companies continue to digest the information included in the proposal and determine how they will comply, it may be beneficial to evaluate their current cyber risk management profile to determine if current policies and procedures support the proposed requirements. Adopting a recognized and established control framework or standard or using one to perform a gap analysis against existing policies and procedures may be helpful to ensure a public company’s current corporate governance model supports the SEC’s proposed enhancements.

The AICPA’s SOC 2 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (control criteria), could be used as a measuring stick to evaluate the controls within an entity’s cyber risk management program and identify potential gaps. Specific Trust Services Criteria that support the SEC’s current recommendations include the following COSO Principles, which have been included below without alteration for your convenience:

  • CC1.2 COSO Principle 2: The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
  • CC1.4 COSO Principle 4: The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
  • CC2.3 COSO Principle 15: The entity communicates with external parties regarding matters affecting the functioning of internal control.
  • CC3.1 COSO Principle 6: The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
  • CC3.2 COSO Principle 7: The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
  • CC7.3: The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures.
  • CC7.4: The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate.

Conclusion

The SEC’s proposal continues to highlight the ever-increasing risks associated with the current cybersecurity risk landscape. The SEC believes that investors should have greater insight and knowledge about the cyber risks companies face and how they are managing them. While the SEC’s proposal continues to place additional, and much-needed focus on a public company’s cyber readiness and management, it does raise concerns about placing the needs of investors above a public company’s security risks by potentially forcing companies to disclose incident information prior to the mitigation of vulnerabilities.

If you would like to learn more about the SEC’s proposal, SOC 2 Trust Services Criteria, or are interested in retaining one of the many audit services offered by Linford & Co, please feel free to contact us.