SEC Eyes Final Rules on Incident Disclosure, Board ExpertiseOne Rule Would Force Firms to Disclose 'Material Cybersecurity Incidents' in 4 Days
Stricter rules about private sector disclosure of cybersecurity incidents and cyber expertise on corporate boards are set for publication as early as April 3, 2023.
The U.S. Securities and Exchange Commission more than a year ago proposed rules designed to increase transparency, including a mandate that publicly traded companies disclose a "material cybersecurity incident" within four business days of discovery. Federal regulators also said investors should know whether board members are competent in handling cybersecurity issues.
Regulators say they'll disclose a final rule in April although it's unclear if publication will reveal significant changes from the proposed rules or when the SEC will begin enforcement.
The proposals, particularly for incident disclosure, generated substantial comment from stakeholders, with 174 responses submitted and 25 meetings held with SEC officials, the latest as recently as March 6. Trade groups and vendors from the cybersecurity industry generally support the proposed rules with the exception of Rapid7, which met twice with SEC officials to voice concerns.
"Public disclosure of an unmitigated or uncontained cyber incident will likely lead to attacker behaviors that cause additional harm to investors," the company wrote on Aug. 29. Other concerns focus on the quality of information obtainable within a four-day period. "My concern is that companies are just going to give bad information within a couple of days of an incident because they're trying to navigate way too many requirements that are overlapping," said Michael Borgia, a partner with Davis Wright Tremaine.
The public aspect of the reporting also provokes anxiety. Unlike disclosing an incident to the U.S. Cybersecurity and Information Security Agency - where details of the event can be analyzed to prevent other organizations from falling victim to the same attack - publicly revealing an incident does little for incident response, said Grant Schneider, senior director of cybersecurity services at Venable. He's waiting to see how much detail the SEC expects about ongoing incidents.
"For me as a security professional, there's not much security value to publicly disclosing incidents," said Schneider, who is an Information Security Media Group contributor.
Determining the Consequences of Cyberattacks Sooner
A disclosure requirement could ensure security incidents bubble up more quickly from practitioners to senior management and regulators, Borgia told ISMG. Public companies should integrate IT or security professionals into the financial controls process so they can interact directly with regulators, he urged.
Going forward, Borgia said, companies will probably need clearer policies for determining the materiality threshold as well as when incidents or other types of cyber risk need to go up the food chain. Companies often have a stale or formulaic process for internally sharing information about an incident. Borgia said the new SEC rules could force companies to think more critically about their processes.
"Incidents are very challenging situations, and making disclosures within four days would be very difficult when you've got complex developments and potentially a crisis situation for the organization," he said.
He predicted public companies will err on the side of disclosure since it isn't clear how much second-guessing the SEC might engage in if a business determines an incident is material weeks after it initially occurred. Public companies should document each day what they knew and why they made a decision regarding materiality to avoid getting asked why they didn't report earlier, Borgia added (see: US SEC Proposes 48-Hour Incident Reporting Requirement).
Public companies will likely formalize their procedures around risk management and think in a more programmatic manner to ensure all their policies are working together, he said. If the incident disclosure mandate is excessively punitive, Borgia worries that companies will dedicate resources in the days after a security incident to managing reporting requirements rather than helping remediate.
Making Cybersecurity Expertise a Board Issue
The governance disclosure proposal didn't outright mandate that organizations appoint a cyber expert to the board, but Borgia said many companies could react to the final rule by doing so. Once the new rules take effect, he said, public companies will want someone with relevant experience to review and sign off on the organization's cyber policies.
Organizations should think broadly in terms of what constitutes cyber experience and not necessarily tap individuals with experience reviewing audit or forensic logs, Borgia said. Past experience as a CIO might be sufficient, or companies might elevate an existing employee with relevant experience to the board. The SEC proposal tells companies to "fully describe the nature of" a member's security expertise.
Over the past half-decade, most firms have stepped up their game when it comes to cyber expertise on the board or in senior management. As recently as five years ago, the head of security was often several steps removed from the C-suite, but now they're often a part of it or just one step removed. The SEC could push outliers to get with the times, Borgia said.
The average public commercial company is less likely to have someone on their board with a cyber background than a company in the technology space, said Venable's Schneider. He said the governance rule should get the attention of senior leadership and prompt organizations to think more about what their cyber risk management strategy looks like without imposing significant cost on the business.