GRC Tuesdays: Are You Ready for SEC’s (Proposed) Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies?

To parody a (sort of) wise man: “Guess who’s back, Back again”… and with a slight change in acronym “So the SEC won’t let me be, Or let me be me, so let me see” and so the story goes… Well, it’s true: the SEC is back!

In case you missed it, recognizing the importance of Cybersecurity as an emerging risk, the Securities and Exchange Commission released in March 2022 proposed amendments to its rules to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies.

SEC%20Proposed%20Rules%20on%20Cybersecurity%20Risk%20Management%2C%20Strategy%2C%20Governance%2C%20and%20Incident%20Disclosure%20by%20Public%20Companies

SEC Proposed Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies

These proposed changes are laid-out in a detailed document, but, thankfully, the SEC has also provided a 2-pages summary fact sheet.

If that’s still too much, then, in a nutshell, under these proposed amendments companies would be required to periodically provide information on their policies and procedures to identify and manage cybersecurity risks but also on their Board and Management’s expertise in this area. In addition, companies would be required to report any new material cybersecurity incidents and provide updates on existing events.

To discuss in more detail what this would mean for organizations listed in the US, I have once again invited Brian Tremblay as a guest author. Brian leads the Compliance Practice at Onapsis where he is responsible for helping customers understand and navigate the challenges and opportunities created by the increasing overlap of compliance, cybersecurity and business continuity related to IT General Controls and regulatory & compliance. Prior to his role at Onapsis, Brian has held various audit roles, including Chief Audit Executive.

Thomas (SAP):

I don’t think we need to go back to the original Securities Exchange Act of 1934 but, put simply, what would you say are the major changes under these proposed rules that companies will have to pay extra attention to?

Brian (Onapsis):

So it’s an interesting question – because this isn’t the first commentary by the SEC on Cybersecurity.  Way back in 2011 they published CF Disclosure Guidance: Topic No.2 (you can read it here). Then in 2018 the SEC Adopted Statement and Interpretive Guidance on Public Company Cybersecurity Disclosures (you can read it here). So while these may, at best, have gone largely unaddressed (and at worst ignored or missed), filers should not be surprised at these proposed rules and on the surface, if you have been following what the SEC had previously published, this really isn’t that significantly different. The big difference in my mind is that there is talk that it could be put into place for the 2023 audit cycle and that would be a pretty quick turn for those unprepared.

Thomas (SAP):

Do you have any practical tips for companies to help them start preparing if/when these changes are enforced, and the disclosure legislation updated accordingly?

Brian (Onapsis):

I really doubt we are talking about an ‘if’ here, Thomas.  I think the larger question is when, and I think the likely answer to that is as early as next year’s filings.  I think I would advise a few things for organizations.

  1. Read it. Seriously.  Read it. I recently presented at a local IIA event on this topic. Before I started, I asked a logical question: how many in the audience (~70 online & in-person) had read anything about this proposal? The answer, well, was not encouraging.  I could count the number of real life, and virtual, hands that were raised on one of my hands.  That’s a bit unnerving given the likelihood this actually happens.  Speaking of which…..
  2. I really feel strongly that organizations should expect this to happen, and if you asked me, while there were certainly valid points of contention raised, they were generally supportive. More on that below.
  3. Start conversations with your organization on this. If a majority of my old internal audit colleagues were largely unaware, many other impacted organization with your company are also likely to largely be unaware. In fact, if you are reading this, I’d advise that you should organize a meeting with some of the key leadership stakeholders. Those may include, but certainly are not limited to: Finance, Security, IT and other relevant 2nd line functions such as legal, risk, etc.
  4. Prepare for a kick-off with these stakeholders. Bring a summary in, share the proposal, read the public comments, etc. If you come in with no starting point, you are likely to not get started.  If you come with at least a direction, you can begin to strategize how your organization will prepare. Key takeaways from an initial meeting should be a) definition of ownership (more on that below) of this initiative b) creation of a steering committee to oversee this and; c) assignment of the responsibilities of each member of the committee.
  5. One final thought – expect change. Both in the proposal and also the team members supporting over time. Be flexible to allow these changes to happen as needed.

Thomas (SAP):

From your experience, who within the company should be championing these preparations? Should be it IT, Compliance, Legal, Audit… Other?

Brian (Onapsis):

Yikes, this is a tricky one! Should it be Finance given this is part of the filing?  What about Legal? Or the CISO’s org (or CIO’s org)? Given that this a GRC blog I’m going to suggest that it should be someone in the 2nd line that ultimately is the owner. I hate to be generic, Thomas, but the reality is that 2nd line functions vary wildly at organizations.  Some are very consolidated and flat, others are very complex and matrixed. But at the end of the day, a few key tenants prevail that make me feel comfortable suggesting it’s the 2nd line.

First off, within the 2nd line there are functions like risk management, internal control, etc.  Cybersecurity may be the most significant business risk with the most complex controls that need to be addressed. My presumption (or shall I say hope) is that key pieces of what will be needed to show compliance with this are largely already existent.

Secondly, the 2nd line can act as an intermediary, or translator, between some of the more technical stakeholders that will be needed here. While I am sure there are exceptions to the rule, I’m not exactly sure that Finance or Legal should be writing a cyber disclosure in a vacuum, nor do I think the CISO/CIO should drive these disclosures. A second line function is perfect because they likely have an appreciation for both sides of this: the finesse required by Finance to write the disclosure coupled with the more technical information from the CISO/CIO which need to be harmonized to do this well.

Thomas (SAP):

And now, for the million-dollar question: even if these proposed changes would only apply to US-listed public companies, should other companies also start planning for a potential change in regulation in other geographies – or simply because this is a best practice approach to be adopted?

Brian (Onapsis):

I’ll keep this one brief. Regulators globally tend to follow suit. Look at Europe & ESG as an example of how something that was a more significant issue there first is now a massive one for US Listed companies as well. I would expect that even if you are not listed in the US, that other regulators, exchanges, etc. will follow suit over time.

Thomas (SAP):

Last question: I understand that you reviewed the public comments to the proposed rules. Could you share some of the highlights on what is being raised to the regulator?

Brian (Onapsis):

In addition to nine meetings held (of which nothing more than general, high level information of limited value is disclosed), there were over 100 public comments from quite a variety of sources.  Comments were made by three of the ‘Big 4,’ many ‘household’ name companies, educators/thought leaders, stakeholder interest groups, and more, including just normal people.

Directionally the comments were supportive. Many feel that this is a positive step forward, and that investors will benefit from more transparency, and consistency, from companies on this topic.  While this was the overwhelming broad sentiment, and thus why we believe that this will ultimately become a rule (though not exactly as currently written), there were certainly a few areas of consistent push-back as well.  While not meant to be exhaustive, here are the top three in my mind that either generated the most feedback or I think are most interesting:

Materiality: Ah yes, the M word. Always a challenging topic, especially when there is an expectation of an aggregation of other immaterial cyber incidents included as well.  I could write pages on just this, but rather than do that let me share some additional informal feedback from that same group that hadn’t read the rule yet. I asked them: ‘Would you, as an investor, want to know of ANY breach of systems at an organization, regardless of what was taken or done?’  Unanimously they raised their hands in support of ‘yes.’ When asked why, many stated that they viewed any weakness that allowed a breach at all as something that probably could have been worse.  Furthermore, they also indicated that this could be a very positive thing if the breached organization did not suffer an impact due to their swift actions.

Four-day disclosure window: The objections were many on this one, however, it was commonly cited that this may be a different notification window than other government entities require or that at the time of disclosing the breach, it may be ongoing or there may not be proper mitigations in place.  Just like a patch release triggers threat activity, presumably this disclosure may incite a similar result.  There was also no exemption if working with law enforcement which was repeatedly mentioned.

Policies and procedures to manage cyber risk: Several interesting concerns here.  Firstly, balancing the amount of information required to satisfy this.  If too much is disclosed relative to policies and procedures does it benefit threat actors more than investors and more critically, are investors educated enough on this topic to assess the sufficiency of this information?

Honourable mention: With other well established Cyber frameworks available, why not simply align to those vs. add in another requirement?  A simple, yet valuable insight from many.

Unsurprisingly, analysts and professional organizations across the globe are focusing their attention on Cybersecurity and proposing options on how to integrate this risk area within company’s internal control and risk management frameworks. But these proposed rules, emitted by the leading agency in charge of enforcing legislation against market manipulation would definitely signal an acceleration in regulatory requirements relating to Cybersecurity. Hence not something to ignore! I hope the insights in this blog will be helpful in understanding what will be required and what organizations can already start doing to be ready on time.

What about you, how confident are you that your company would be able to comply with these proposed regulations? I look forward to reading your thoughts and comments either on this blog or on Twitter @TFrenehard