The SEC’s Cybersecurity Rules Have Come Into Effect – How to Make it Easier to Comply

The U.S. Securities and Exchange Commission (SEC)’s rules on reporting material cybersecurity incidents and disclosing information regarding their cybersecurity risk management, strategy and governance have come into effect.

From December 18th, 2023, publicly listed companies (other than smaller reporting companies) must begin complying with the incident disclosure requirements.  Smaller reporting companies have an additional 180 days and must begin complying from June 15th, 2024.

In addition, companies must provide material cybersecurity risk management, strategy and governance disclosures in their annual reports for financial years ending on or after December 15th, 2023.

The rules apply also to foreign private issuers – companies incorporated outside the US that do business in the US.

The SEC notes the rationale for the rules as:

  • Increasing cybersecurity risks alongside the ever-increasing share of economic activity that depends on electronic systems
  • The growth of remote work
  • The ability of criminals to monetize cybersecurity incidents
  • The use of digital payments
  • The increasing reliance on third party providers for information technology services, including cloud computing technology.

The Commission also observed that the cost to companies and their investors of cybersecurity incidents is rising at an increasing rate, and that all of these trends highlight investors’ need for improved disclosure.

The Rules

Cybersecurity incident reporting

Public companies must disclose the occurrence of a material cybersecurity incident within four business days after the company determines the incident to be material, i.e. that there is a substantial likelihood that a reasonable investor would consider the information important in making his or her investment or voting decision.

It is not necessary for a company to disclose specific or technical information that could impede its incident response or remediation, or which could prove useful to threat actors for future attacks.

There is a provision for delayed reporting of an incident where the Attorney General notifies the SEC in writing that disclosure would pose a substantial risk to national security or public safety.

Cybersecurity risk management, strategy and governance disclosures

Companies are required to disclose their processes, if any, to identify, assess and manage material risks from cybersecurity threats, and whether any risks from cybersecurity threats have materially affected or are reasonably likely to materially affect the company, and if so, how.

The governance requirement covers the board’s oversight and management’s role in assessing and managing material risks from cybersecurity threats, including, as applicable, whether and which management positions or committees are responsible for cybersecurity threats, and their relevant expertise.

Implications for publicly listed companies

As illustrated by the recent charges brought by the SEC against SolarWinds and its Chief Information Security Officer (CISO), accusing them of defrauding the company’s investors and customers, the SEC can be expected to take action where required to force compliance with the rules.

Publicly listed companies need to be preparing now for compliance with the rules. Good sources of information on the regulatory changes required are provided by the SEC and the Wilson Sonsini paper, ‘SEC Adopts Cybersecurity Disclosure Rules for Public Companies’.

Acuity believes that companies should also look carefully at the effectiveness of their cybersecurity management systems and their third-party cybersecurity risk management.

Cybersecurity Management System

Cybersecurity risk has some characteristics which add complexity compared to other operational risks, in particular the opacity of cyber threat actors, the multiple potential attack vectors and asset vulnerabilities, reliance on secure user behaviour and the fast-changing nature of technology.

In response to this, effective cybersecurity requires a set of integrated operational processes, collectively referred to as an information or cybersecurity management system, the key processes of which are:

  • Management reviews and reporting
  • Identifying and tracking threats to assets
  • Assessing cybersecurity threats and mitigations and determining whether risks are considered to be material
  • Implementing and testing cybersecurity controls with regular monitoring to confirm effectiveness and that they remain appropriate to the level of risk
  • Taking action to address weak or missing controls
  • Responding to, and managing incidents, including reporting, learning from incidents and continuous improvement
  • Developing, communicating, monitoring and updating cybersecurity policies and procedures appropriate to the company, its business sector and risk profile
  • Providing technical assurance, such as penetration testing
  • Managing change
  • Gathering evidence and auditing to demonstrate assurance.

An effective cybersecurity management system, addressing the above processes, will be important for public companies in their compliance with the SEC rules:

  • Backwards looking – it is impossible to completely avoid cybersecurity risk but in the event of a material cybersecurity incident, companies with an effective cybersecurity management system are more likely to respond to the incident effectively and also have the confidence to communicate openly with regulators, investors and customers
  • Forwards looking – companies with an effective cybersecurity management system will more likely have identified and remediated potentially material threats and have the confidence to disclose ‘no’ as the answer to whether any risks from cybersecurity threats are reasonably likely to materially affect the company.

There are many cybersecurity frameworks that can guide the development and implementation of a cybersecurity management system, some of them industry specific.

Two widely used, industry-agnostic frameworks are ISO 27001 and the NIST Cyber Security Framework (CSF). ISO 27001 has an externally audited certification program which provides independent assurance to the board, investors, customers and regulators. In Acuity’s opinion, adoption of a suitable cybersecurity risk-focused framework with independent external assurance will make it easier for listed companies to comply with the SEC rules. The Acuity whitepaper ‘From checklist to management system: Getting value from the NIST CSF and ISO 27001’ describes the similarities, differences and suitability of the two frameworks for supporting a risk-based security management system.

Third-party cybersecurity risk management

The SEC rules are clear that reporting of material cybersecurity incidents and disclosures of material cybersecurity risk management, strategy and governance extends to third parties on which companies depend.

Companies therefore need processes to oversee and identify material risks from cybersecurity threats associated with their use of third-party service providers.

A recent Gartner survey found that despite increased investments in third-party cybersecurity risk management (TPCRM) over the last two years, 45% of organizations experienced third party-related business interruptions. Gartner concluded that “TPCRM is often resource-intensive, overly process-oriented and has little to show for in terms of results”.

In Acuity’s experience, TPCRM is an area of significant weakness, with many TPCRM processes based around on-boarding questionnaires that look in the wrong direction: at the existence of policies and controls. This data is ‘point-in-time’, often of dubious quality and virtually impossible to verify. Worst of all, it tells us nothing about the existence (or not) of material cybersecurity risks.

The Acuity whitepaper, ‘Getting value from third party risk management’, describes how current approaches to TPCRM can leave companies ‘flying blind’ and oblivious to material and sometimes existential risks, and how they can overcome this by taking an automated risk-based approach.

Work will be required by many listed companies to pivot their TPCRM programs to the risk-based approach, thereby making it easier to comply with the SEC rules.

Recommendations

In addition to administrative preparations to report material cybersecurity breaches and disclose cybersecurity risk management, strategy and governance, public companies are recommended to:

  • Review and, where necessary, update their cybersecurity management systems to provide coverage of the full range of processes described above and needed for an effective risk-based approach to cybersecurity
  • Review and, where necessary, update their TPCRM processes to focus on identifying and remediating material cybersecurity risks within the supply chain.

The scope of these two activities will overlap, and it will be worth companies deciding whether third parties that pose potential material cybersecurity risks should be obliged to achieve and maintain externally audited certification to ISO 27001, or equivalent independently audited assurance against other frameworks such as the NIST CSF.

About Acuity Risk Management

Acuity is a software and services provider for cybersecurity governance, risk management and compliance. Our award-winning STREAM Integrated Manager SaaS platform is used by organizations worldwide to efficiently achieve, maintain and demonstrate effective cybersecurity management systems, including certification to ISO 27001, compliance with a wide range of other cybersecurity standards such as NIST CSF, and a risk-based approach to third-party cybersecurity risk management.

Please contact us for further information.