What the New SEC Regulation on Cyber Reporting Means for the Risk Management Profession
By Nick Sanna, Founder, FAIR Institute
At yesterday’s open meeting of the SEC, many of us watched via live stream as the SEC Commissioners voted 3-2 to adopt the proposed rule on cybersecurity. The rule aims to raise the cyber risk reporting and management practices of public companies (registrants) in the US, so that investors in those companies can weigh the probable impact of cyber risk when making investment decisions.
What are the new requirements under the SEC rule on cybersecurity?
The SEC made a few changes from their initial proposal, following comments from the private sector. Under the new rules, registrants will be required to:
1. Report material cybersecurity incidents within four business days of the time the registrant determines that a breach is “material”. The SEC softened its initial proposal, which would have required disclosure within four days of learning of an incident, recognizing that materiality can be hard to assess at the start of a breach investigation. Where disclosure would pose a substantial risk to national security, the US Attorney General can approve a delay.
The rule also changes the content of the disclosure. Companies are now required to disclose the material aspects of the nature, scope and timing of the incident, together with its material impact. Further technical details of the incident are no longer required, since disclosing them could prove advantageous to the attackers.
2. Disclose in their periodic reporting when a series of previously undisclosed individual immaterial cyber incidents become material in the aggregate.
In the final version, the SEC clarified that the immaterial incidents must be related to each other to require reporting, such as attacks by the same threat actor, or the exploitation of the same vulnerability.
3. Describe in their periodic reporting their policies and procedures for the identification and management of cyber risks.
Registrants shall report whether they consider cyber risk as part of business strategy, financial planning and capital allocation and describe the ways in which their cyber risk management program helps identify the probable likelihood and impact of material cyber risks and incidents.
4. Describe their cyber risk governance processes in their periodic reporting.
Gone is the requirement for companies to identify board members with cybersecurity expertise. Instead, companies must describe the board’s process for overseeing cybersecurity risk and management’s role and competencies in assessing, managing and reporting those risks.
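Two of the requirements above translate directly into bookkeeping that an incident response or GRC team can implement: the four-business-day clock that starts when materiality is determined (not when the incident is first detected), and the aggregation test that treats individually immaterial incidents as one reportable event when they share a threat actor or an exploited vulnerability. The following Python example is added here to illustrate that logic; it is not code from the FAIR Institute or the SEC. The incidents, the dollar impact estimates and the materiality threshold are constructed sample values, and the deadline calculation assumes only weekends are non-business days (holidays are not modelled).

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass
class Incident:
    ident: str
    occurred: date
    estimated_loss: float                 # constructed dollar estimate of impact
    threat_actor: Optional[str] = None    # constructed label for an adversary group
    vulnerability: Optional[str] = None   # placeholder id for the exploited weakness
    disclosed: bool = False


def disclosure_deadline(determined: date, business_days: int = 4) -> date:
    """Return the filing deadline: `business_days` business days after the day
    on which materiality was determined.  Assumption: weekends are the only
    non-business days; company and exchange holidays are not modelled."""
    d = determined
    remaining = business_days
    while remaining > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:          # Monday..Friday count, Saturday/Sunday do not
            remaining -= 1
    return d


def related_groups(incidents: List[Incident]) -> List[List[Incident]]:
    """Group incidents that are linked by a shared threat actor or a shared
    vulnerability.  A union-find over the incident list ensures that chains
    (A and B share an actor, B and C share a vulnerability) end up together."""
    parent = list(range(len(incidents)))

    def find(i: int) -> int:
        while parent[i] != i:
            parent[i] = parent[parent[i]]   # path halving keeps lookups cheap
            i = parent[i]
        return i

    def union(a: int, b: int) -> None:
        parent[find(a)] = find(b)

    first_seen = {}
    for i, inc in enumerate(incidents):
        for key in (("actor", inc.threat_actor), ("vuln", inc.vulnerability)):
            if key[1] is None:
                continue
            if key in first_seen:
                union(i, first_seen[key])
            else:
                first_seen[key] = i

    groups = {}
    for i, inc in enumerate(incidents):
        groups.setdefault(find(i), []).append(inc)
    return list(groups.values())


def aggregate_material(incidents: List[Incident], threshold: float) -> List[List[Incident]]:
    """Return the groups of related, not-yet-disclosed incidents whose combined
    estimated impact reaches the company-defined materiality threshold."""
    pending = [inc for inc in incidents if not inc.disclosed]
    return [g for g in related_groups(pending)
            if sum(inc.estimated_loss for inc in g) >= threshold]


# Constructed sample ledger: three small incidents tied together by a shared
# actor and a shared vulnerability, plus one unrelated incident.
SAMPLE_INCIDENTS = [
    Incident("INC-1", date(2024, 1, 8), 400_000, threat_actor="actor-A"),
    Incident("INC-2", date(2024, 2, 12), 500_000, threat_actor="actor-A",
             vulnerability="VULN-PLACEHOLDER-1"),
    Incident("INC-3", date(2024, 3, 4), 350_000, vulnerability="VULN-PLACEHOLDER-1"),
    Incident("INC-4", date(2024, 3, 20), 200_000, threat_actor="actor-B"),
]
MATERIALITY_THRESHOLD = 1_000_000   # constructed figure for the example company


if __name__ == "__main__":
    for group in aggregate_material(SAMPLE_INCIDENTS, MATERIALITY_THRESHOLD):
        ids = ", ".join(inc.ident for inc in group)
        total = sum(inc.estimated_loss for inc in group)
        print(f"Material in aggregate: {ids} (combined estimate ${total:,.0f})")
    determined = date(2024, 3, 21)   # constructed materiality determination date
    print("Filing deadline:", disclosure_deadline(determined))
```

The grouping step is deliberately transitive: INC-1 and INC-3 never share an attribute directly, but both are linked through INC-2, so the three are evaluated as one series. In practice the threshold and the attributes used to establish relatedness would come from the company's own materiality framework.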
When will the new SEC rule on cyber come into effect?
Most registrants will be required to file annual reports in compliance with the new rule beginning December 15, 2023, while certain smaller organizations will have to file reports beginning June 15, 2024. The new incident disclosure requirements will apply to material incidents occurring after December 18, 2023.
What does this mean for the cyber risk management profession?
The new SEC rule can have a profound impact on cyber risk management practices in the US and beyond, as it forces companies to look at cyber risk as a true strategic business risk and no longer as a mere technical issue. This is an evolution that we at the FAIR Institute have long advocated for and supported.
Now that we understand what the new SEC rule requires in terms of cyber reporting, let’s reflect on the possible implications for our profession and make a few predictions.
- Cyber risk is now formally elevated to the rank of strategic enterprise risk
The approval of the SEC rule is one of those watershed moments in the corporate world. Cyber risk can no longer be seen and treated as a mere technical issue, but will need to be treated as a strategic enterprise risk, even in companies that have been lagging in adopting best cyber risk management practices. This is also consistent with the best practices recommended by leading governance institutions such as the NACD and the World Economic Forum.
- The discussion about governance and accountability will mature
If cyber risk management is now to be viewed as a means for a company to execute its strategy, digital or not, the implication is that responsibility for it no longer rests solely on the shoulders of the person managing cybersecurity in the firm, but must involve all key business stakeholders: the board, business leaders, finance, legal and IT.
This means that key stakeholders such as CISOs, general counsel and business leaders must work together to understand the implications of cyber incidents for their operations before disclosing them. GCs will no longer be able to claim ignorance of the repercussions of cyber risks and incidents.
Best practices as recommended by the NACD in its 2023 Cyber Risk Oversight Handbook would have the CISO provide security options for the business to consider, business leaders own the risk, and the board oversee the risk as it evaluates the adequacy of the cybersecurity budget and risk management processes and signs off on the company’s risk tolerance levels.
We wish the SEC had been more vocal in pointing to such sets of best practices, but we anticipate that many organizations will see this as an opportunity to align themselves with those standards.
- Having a formal cyber risk management program will become a standard best practice
The new SEC rule will require companies to be more transparent and explicit about their cyber risk management practices, and will force a re-examination of whether their current practices are adequate in the eyes of their shareholders and customers. Do they want to be seen at the forefront of secure-by-design initiatives and exemplary in their cyber risk management practices, or do they want to run the risk of being seen as laggards in best practices and less equipped to withstand the impact of cyber threats?
“I characterize risk management as the policies, processes, technology and people that help an organization achieve and maintain an acceptable level of risk.” Jack Jones, FAIR Author
The new rule by itself will not eliminate the fact that certain companies may still see cyber risk management as a nice-to-have versus a must-have and will try to hide behind high-level and generic statements, but it will be harder to do so. Their internal and external counsels will certainly make sure that these discussions happen and that decisions are made.
- Cyber risk management programs will have to be effective in helping measure and manage material risk
Most companies do not have effective systems to identify, measure, prioritize, manage and report on cyber risk, and are therefore unable to communicate reliably about their top cyber risks or to recognize when their impact becomes “material”. Much of the current disclosure still relies on subjective estimates of both the nature and the impact of the risks.
The new, more stringent questions by the SEC examiners will force public companies to build processes that deliver the desired results, which are to provide continuous visibility into their top cyber risks, measured in terms of likelihood and impact.
“To the extent that you are going through the work of really trying to analyze the potential impact of cybersecurity risk for breaches or incidents, and working hard to really think in advance of where those might occur to try to lower the likelihood of them happening, and the impact that they would have if they do occur, and you are disclosing that to your investors, those are all the sorts of things that we are encouraging.” David Hirsch, Chief, Crypto Asset and Cyber Unit in the Division of Enforcement at U.S. Securities and Exchange Commission, at the 2022 FAIR Conference
- Companies will get better at defining materiality
The threat of possible legal action and penalties by the SEC will prompt companies to think much harder about their definitions of materiality, what their shareholders would consider as a material incident, and what they need to do to avoid being accused of underplaying the significance of certain cyber incidents. Currently, most companies are not equipped with the right means to determine materiality, other than in vague, high-level qualitative terms.
Information is material if “there is a substantial likelihood that a reasonable shareholder would consider it important” in making an investment decision, or if it would have “significantly altered the ‘total mix’ of information available,” the U.S. Supreme Court has ruled.
“Whether a company loses a factory in a fire, or millions of files in a cybersecurity incident, it may be material to investors,” said Gary Gensler, the SEC’s chair, in yesterday’s meeting of the agency’s commissioners.
While the SEC recognizes that in some cases it will be hard to quantify the likelihood and financial impact of certain risks and incidents, quantification will nevertheless be expected to be the norm in most cases. Companies will be expected to have the ability to break down and quantify how losses materialize for their top cyber risks and incidents.
This will be a forcing function for companies to adopt trusted cyber risk quantification models such as FAIR, and to adopt tools that give them visibility into their top risks, as key enablers for determining and communicating the “materiality” of risks and incidents.
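The quantification the two paragraphs above call for, expressing a top risk as a likelihood (loss event frequency) and an impact (loss magnitude) and combining them into a loss distribution that can be compared against a materiality threshold, is what FAIR-style analysis does. The Python example below is added here to show the mechanics in the simplest credible form; it is not code from the FAIR Institute or from any FAIR tool. It assumes a per-event loss calibrated as a 90% confidence interval and modelled as lognormal, an annual event count modelled as Poisson, and a Monte Carlo simulation to obtain the annual loss distribution. The scenario figures and the threshold are constructed sample values.

```python
import math
import random
from dataclasses import dataclass


@dataclass
class RiskScenario:
    name: str
    events_per_year: float   # loss event frequency: mean number of loss events per year
    loss_low: float          # lower bound of a calibrated 90% interval for per-event loss
    loss_high: float         # upper bound of that interval


def lognormal_params(low: float, high: float):
    """Convert a 90% confidence interval for a positive quantity into the
    (mu, sigma) of a lognormal whose 5th/95th percentiles are low/high."""
    z = 1.6449   # standard normal 95th percentile
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * z)
    return mu, sigma


def poisson(rng: random.Random, lam: float) -> int:
    """Sample a Poisson count (Knuth's method; adequate for the small rates used here)."""
    if lam <= 0:
        return 0
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        k += 1
        p *= rng.random()
        if p <= limit:
            return k - 1


def simulate(scenario: RiskScenario, threshold: float, trials: int = 20_000, seed: int = 1) -> dict:
    """Monte Carlo the annual loss for one scenario and report how it relates
    to a materiality threshold.  Returns summary statistics as a dict."""
    rng = random.Random(seed)
    mu, sigma = lognormal_params(scenario.loss_low, scenario.loss_high)
    annual_losses = []
    years_with_material_event = 0
    for _ in range(trials):
        n_events = poisson(rng, scenario.events_per_year)
        losses = [rng.lognormvariate(mu, sigma) for _ in range(n_events)]
        annual_losses.append(sum(losses))
        if any(loss >= threshold for loss in losses):
            years_with_material_event += 1
    annual_losses.sort()
    p90_index = min(trials - 1, int(0.9 * trials))
    return {
        "scenario": scenario.name,
        "mean_annual_loss": sum(annual_losses) / trials,
        "p90_annual_loss": annual_losses[p90_index],
        # probability that the year's cumulative loss reaches the threshold
        "p_annual_exceeds_threshold": sum(1 for a in annual_losses if a >= threshold) / trials,
        # probability that at least one single event is material on its own
        "p_single_event_material": years_with_material_event / trials,
    }


# Constructed scenario: a ransomware-style outage expected roughly twice a year,
# with a per-event loss believed (90% confidence) to fall between $100k and $1M.
SAMPLE_SCENARIO = RiskScenario("Ransomware outage on order system", 2.0, 1e5, 1e6)
MATERIALITY_THRESHOLD = 1.5e6   # constructed figure for the example company


if __name__ == "__main__":
    result = simulate(SAMPLE_SCENARIO, MATERIALITY_THRESHOLD)
    for key, value in result.items():
        print(f"{key}: {value:,.3f}" if isinstance(value, float) else f"{key}: {value}")
```

The two probabilities answer different disclosure questions: the single-event figure speaks to whether one incident is likely to be material on its own, while the cumulative figure speaks to the aggregate test for a series of related incidents. Either can be re-run as the calibrated inputs change, which is what a continuous, rather than point-in-time, view of risk requires.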
- Cyber risk assessment and management will increasingly become real-time
The need for companies to evaluate whether certain cyber threats can evolve into material incidents will lead them to adopt real-time cyber risk monitoring solutions that continuously measure the likelihood and impact of their top risks in financial terms. Solutions that can only provide qualitative, static, point-in-time views of risk will no longer suffice.
Exciting times. Sometimes it takes the forcing function of a regulation to mature key business practices and turn what was an “art” into a “business science”. This feels like one of those moments for cyber risk management, and one in which greater transparency and accountability will greatly improve our cybersecurity posture as a nation.