The SEC’s message for companies on cybersecurity: “Do better” | NAVEX


[author: Matt Kelly, Radical Compliance]

Enterprise risk and compliance managers are already dealing with an influx of cybersecurity concerns, so you might have missed this latest news: The U.S. Securities and Exchange Commission has proposed new rules for a greater disclosure of cybersecurity issues.

For now, these proposed rules are just that: proposals. These are not final rules that take effect today, where public companies must immediately review their processes for documenting and disclosing cybersecurity events. But improved disclosure rules are coming soon. Compliance and risk managers would be wise to consider what the SEC is trying to achieve here, and the implications for your risk oversight functions.

We can divide the rules proposed by the SEC into two parts.

First, public companies should disclose their overall approach to cybersecurity risk management (in the annual report), including:

  • Policies and procedures used to identify and manage cybersecurity risks
  • Role of management in implementing cybersecurity policies and procedures
  • The board’s expertise in cybersecurity, if any, and its oversight of cybersecurity risk

Second, companies should also disclose “significant cybersecurity incidents” within four days of determining that a cybersecurity failure is indeed material, via a Form 8-K filing.

We don’t know what the final version of these proposed rules will be, and we won’t know for at least several months. Yet you can already see the overall goal the SEC is trying to achieve.

The SEC is trying to improve oversight of cybersecurity risks by encouraging companies to be more open to investors about how those risks are managed.

This will have big implications for how board, risk management, compliance, and IT security teams approach cybersecurity.

First, risk monitoring

We can start with the proposed annual disclosures on how the company manages cybersecurity risks. The key is the third point above: reporting on board oversight of cybersecurity.

The SEC and many other prominent voices in corporate governance have long stated that the board should be responsible for ensuring that cybersecurity risks are addressed. The SEC’s proposed rules highlight that demand — because if the board doesn’t take responsibility for cybersecurity, the company will also have to disclose it — and it’s not a flattering look in front of investors.

So the very first step will be for senior executives and key risk assurance leaders (Compliance Officer, Risk Officer, CISO, perhaps General Counsel) to have a frank conversation with the Board of Directors. The message: “Some committee here should be responsible for cybersecurity, and that committee will then need to review and approve our cybersecurity plan.”

Your board may not have members with sufficient cybersecurity expertise. In this case, another conversation must take place about the recruitment of such a person (or persons).

The next conversation should address the company’s tolerance for cybersecurity risk, as well as the roles and responsibilities of the executives responsible for managing cybersecurity on a day-to-day basis. These are the other two points above.

To some extent, this second conversation will be similar to other conversations about anti-corruption risk, or compliance risk in general. What level of tolerance for this risk is the board prepared to accept? How will management then develop a program to keep this risk within these tolerance levels?

These are good conversations to have, but remember the overall goal here: ensure that the board of directors holds management accountable for managing risks to the appropriate extent. The SEC has done this before with, say, financial reporting risks; the Department of Justice has already done this with anti-corruption risk, through its extensive guidance on effective compliance programs.

Now the SEC wants to do the same for cybersecurity risk. Boards, CEOs, and heads of second-line functions, including IT security, legal, and compliance, will need to come up with a game plan.

Second, questions about materiality

Companies will also have a more pragmatic challenge. One SEC proposal is to require disclosure of “material cybersecurity incidents” within four days of determining that a breach was indeed material.

Well, what process will your business use to decide that? More specifically, what objective, reliable, reproducible process will the business use to decide materiality, when cybersecurity events can take so many forms?

The SEC does not offer many details on how to answer these questions. Under federal securities law, a material fact is anything that, when disclosed, “would be considered by a reasonable investor to have materially altered the ‘total mix’ of information made available” – but applying this standard to many cybersecurity incidents will not be easy.

This analysis will require a mixture of forensic capabilities, where you gather information on exactly what was breached; plus an objective legal analysis of whether those facts meet the materiality test; sprinkled with a hint of ethical values: “Is this something we should disclose to investors, even if we are going to take a beating in the markets?”

If you don’t develop a rigorous process for this assessment – that is, if the company relies on management’s whims and best guesses from quarter to quarter – the potential for bad decisions increases enormously. The wisest course is to define policies and processes for a structured assessment of materiality.

Maybe you can rely on cybersecurity frameworks to guide you in developing these things; perhaps you can develop them internally with careful discussion and deliberation. But the ideal outcome will be a formal process that compliance, risk, legal, and IT security teams understand and follow.

Then, if everything falls into place, you have a board properly engaged in cybersecurity risk oversight and a defensible process for notifying investors when you experience a cybersecurity incident.

Regardless of the final shape of the rules proposed by the SEC, both results are worth it.

To learn more about the cybersecurity threat landscape and how to maintain compliance, check out the “Ransomware Attacks in 2022: Compliance Lessons Learned” webinar.

See the original article on Risk & Compliance Matters
