New SEC Rules for Reporting Cybersecurity Incidents Are Coming
By Jay Pasteris, Blue Mantis CIO and CISO
The SEC is proposing new cybersecurity rules for public companies. Blue Mantis’ Chief Information Officer & Chief Information Security Officer, Jay Pasteris, looks at the pros and cons of these rules and offers advice on how your company can prepare.
In February 2022, the U.S. Securities and Exchange Commission (SEC) proposed new rules to enhance and standardize cybersecurity disclosure by public companies. Cybersecurity is one of the most pressing issues facing publicly traded companies today. Recent research from Morningstar showed a company’s stock price declines by almost 5% on average within 60 days of a cybersecurity incident—and often stays down for up to a year after—costing American investors and shareholders billions of dollars. So, the SEC’s proposed rules were in response to the increasingly frequent, sophisticated, and costly cybersecurity attacks that unnerve investors during an already unstable economic environment.
The SEC’s goal was to mandate how public companies assess, mitigate, and oversee their cybersecurity risks internally then disclose “material cybersecurity incidents” externally in a consistent and comprehensive way. After a short public comment period that ended in April 2022, most executives at public companies and the registered investment firms servicing them were preparing for these new SEC rules to go into effect during Spring 2023. Some executives at private firms were also preparing for how their operations might be affected in case the SEC’s new rules trickled down to them, too.
However, the SEC issued separate press releases on March 15, 2023 about not only reopening the public comment period for the cybersecurity rules proposed in 2022 but also proposing some new rules “to address cybersecurity risks to the U.S. securities markets.” While never mentioned by name, it’s very likely the new rules for securities are the result of the added scrutiny of the banking system due to the Silicon Valley Bank failure just days before.
The SEC won’t take public comments until after re-publishing the proposal to the Federal Register. However, this reopening of comments gives CISOs, CIOs, and other cybersecurity-focused business executives at publicly traded companies a chance to reexamine the SEC’s regulatory proposals.
The Pros and Cons of the New SEC Cybersecurity Risk Management Rules
Looking at the SEC’s cybersecurity risk management rules originally published in February 2022, public companies must disclose: zero trust is a business strategy, not just a technology play.
- The role and responsibilities of the board of directors in overseeing cybersecurity risk management
- The qualifications and experience of key personnel involved in cybersecurity risk management
- The framework or standards used to assess and manage cybersecurity risks
- The material cybersecurity risks identified by the company and how they are prioritized
- The material cybersecurity controls implemented by the company to prevent, detect, respond to, and recover from cyberattacks
- The frequency and results of cybersecurity testing and audits
- The material cyber incidents experienced by the company in the past three years, including their nature, impact, response, remediation, costs, and lessons learned
The proposed rules would also require public companies to report material cyber incidents within four business days after becoming aware of them. This would reduce the current reporting lag that can leave investors in the dark about significant cyber events affecting a company’s operations or financial condition.
Here is a list of the pros and cons for public companies required to enact the proposed SEC cybersecurity rules:
|
PROS |
CONS |
|
|
The SEC believes their proposed rules would benefit both investors and issuers. Investors would be able to make more informed investment decisions based on a better understanding of a company’s cybersecurity risk profile. Issuers would be able to communicate more effectively with investors about their cybersecurity efforts and achievements. Moreover, issuers would be encouraged to adopt best practices for cybersecurity risk management that could enhance their resilience against cyber threats.
Divided Opinions on the Proposed SEC Cybersecurity Risk Management Rules
In the United States, new government rules are not created unilaterally without the consent of the governed. The public comment period is crucial for CISOs, IT leaders, and cybersecurity professionals to provide the SEC with valuable new perspectives on how regulatory proposals adversely affect businesses.
During the first round of public comments for the SEC’s proposed cybersecurity rules back in 2022, a consortium of industry associations, including the Healthcare Information and Management Systems Society (HIMSS), the Consumer Technology Association (CTA), the American Property Casualty Insurance Association (APCIA), Professional Services Council (PSC), and 30 other groups argued the rules are too broad, vague, and inconsistent with other standards, and that they would impose significant costs and burdens on regulated entities. The HIMSS suggest alternative approaches to enhance cybersecurity disclosure and governance without harming innovation and competitiveness such as:
- Aligning the SEC’s definition of a “material cybersecurity incident” with existing government standards, such as those in the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which was signed into law less than a week prior to the SEC’s proposed rule change was announced or the National Institute of Standards and Technology (NIST) SP 800-61 Rev. 2 Computer Security Incident Handling Guide
- Adopting a risk-based approach to cybersecurity disclosure that considers the materiality, severity, and impact of incidents.
- Leveraging existing frameworks and best practices for cybersecurity governance, such as the respected NIST Cybersecurity Framework
The US Chamber of Commerce (CoC), the Nasdaq stock exchange, the American Bar Association (ABA), and other groups warned that the detailed public disclosure of a cybersecurity incident should accommodate a reasonable amount of time required by law enforcement for criminal investigations. Not only are there existing laws passed by all 50 states to authorize delayed disclosures to consumers of data breaches to avoid compromising an ongoing law enforcement investigation (and the Gramm-Leach-Bliley Act similarly authorizing delayed disclosure by financial institutions), but these groups also argued that detailed public reporting of cybersecurity incidents within just four days hands over valuable intelligence to cyber criminals for conducting future successful attacks.
The SEC’s proposed rules on public disclosures of cybersecurity incidents, according to a letter signed by eighteen state attorneys general, will also be burdensome to the companies in terms of systems and skills. Even large publicly traded companies with dozens of lawyers, business analysts, and other compliance professionals on staff will likely require outside consultants to recalibrate or outright build new cybersecurity incident reporting regimes. The state AGs noted that the SEC’s reporting requirements “would compel public companies to gather, create, and disclose a crushing amount of information. Such disclosures far exceed any information investors reasonably need. And in reality, they would empower [the SEC] to regulate disfavored industries into oblivion.”
How You Can Prepare for the New SEC Cybersecurity Risk Management Rules
Most CISOs and business executives will agree investors need access to reliable and relevant information about how public companies manage their cybersecurity risks and deal with cyber incidents. If you objectively looked at the pros and cons of the SEC’s proposed rules and have strong opinions either way, then I encourage you to engage in the debate once the public comment is opened in either late March or early April 2023.
Regardless of how the public comments pan out, the top three things a CISO can do to prepare for the new SEC cybersecurity risk management rules are:
- Assess your cybersecurity risk management approach – A good risk assessment will analyze any gaps in your current security posture and using the NIST Cybersecurity Framework will likely cover the same ground as the proposed SEC rules. In conjunction with a risk assessment, your organization should conduct extensive penetration tests and tabletop exercises to see exactly how your company would handle these threats.
- Work with general counsel and other senior executives – By assessing the potential impact of the SEC’s proposed rules with Legal, Finance, and other business groups, your organization will be better prepared to translate strategy and practices into an accurate, cohesive, and compelling narrative on the company’s cyber risk management practices.
- Focus on security visibility and reporting – Building systems to identify cybersecurity threats and forensically analyze breaches after the fact is crucial for companies to adhere to the SEC’s new rules. Most importantly, you’ll need to present that information in a way that is understandable and actionable for your internal and external stakeholders.
Cybersecurity is not only a technical issue but also a strategic one. Blue Mantis can help remove concerns public companies have about the new SEC cybersecurity risk management and reporting proposal. We offer support to build and manage sustainable cybersecurity programs for regulated companies created by one of our CxO as a Service experts and backed by our IT/security resources. Blue Mantis can also provide risk assessments, develop actionable IR playbooks, and run an advanced cybersecurity program customized for your business as a managed service.
Contact Blue Mantis for a cybersecurity assessment today.
