New SEC Rules for Public Companies Reporting Cybersecurity Incidents to be Finalized in April
Date published: 15 Mar 2023
The U.S. Securities and Exchange Commission (SEC) recently announced their intentions to finalize new rules to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and cybersecurity incident reporting by companies. Public companies need to familiarize themselves with the proposed changes and make the necessary preparations to ensure compliance.
Concerns over cybersecurity incident reporting have sparked the new proposal
As cybersecurity incidents become increasingly impactful and frequent, investors and other stakeholders are expressing growing concern regarding incident prevention and reporting. Many incidents go underreported, and those that are reported are often disclosed too late to be useful.
Major cybersecurity incidents not only have economic implications; they also have serious effects on national security and the functioning of critical national infrastructure. Third-party data breaches have been noted as a significant risk, with more than 82% of companies having experienced this type of incident in the past two years, at an average cost of $7.5 million.
At present, there are no disclosure requirements in Regulation S-K or Regulation S-X that refer explicitly to cybersecurity incidents or risks. For instance, Form 8-K, also known as the Current Report, is used to announce major events that shareholders should know about. However, the nature of disclosures and analysis of the impact of cybersecurity incidents varies widely.
The latest SEC proposal has been put together to improve reporting and provide investors with better detail on the organization’s overall approach to cybersecurity.
What does the new Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure proposal include?
Firstly, under the proposed changes, impacted organizations will be required to disclose details about significant cybersecurity incidents to the SEC within four business days. An example of an incident eligible for reporting would be when unauthorized access has led to the compromise of the confidentiality, integrity, or availability of data, systems, or networks, or violated the organization’s security policies or procedures.
Directors will also face new obligations: companies would be required to report whether the board is responsible for oversight of cyber risk, how frequently it is informed about risks, and how it considers cybersecurity within regular board discussions.
Disclosure of whether any member of the board of directors has cybersecurity expertise could also be required.
Changing the current cybersecurity ecosystem
Beyond better informing investors about an organization’s cybersecurity, the new rules could also have operational and financial benefits for the organizations themselves.
Current cybersecurity practices are mostly focused on technical mitigation measures and fail to consider operational and financial factors. These are often significant, with a recent report commissioned by Titania finding that exploitable network misconfigurations cost organizations 9% of annual revenue.
The new proposal should encourage boards to start assessing their cybersecurity in terms of business value. Senior roles within IT departments, such as the CISO, would gain greater importance in contextualizing the impact of incidents, and would face closer scrutiny of the work being done to minimize risk.
This shift to a more joined-up approach between technical positions and boards can also be seen in the US National Institute of Standards and Technology’s (NIST) recent announcement of planned changes to its Cybersecurity Framework.
While the final draft is due this summer, NIST’s plans include adding a 'Govern' function in response to the growing use of the framework to structure discussions about cybersecurity risk between technologists and senior managers.
As for the changes proposed by the SEC, these are expected to be finalized in spring 2023, and the call for comments is open until May.
A proactive network security approach: continuous monitoring and assurance for misconfigurations is key