This report provides insights for corporate directors and the C-Suite including CISOs on the new SEC rules on cybersecurity.
For over a decade the Security and Exchange Commission (SEC) has been working with corporations and their many stakeholders to seek ways to appropriately influence corporate governance around cybersecurity. On 26 July 2023 the SEC voted to implement new rules for all publicly traded corporations (read the full rule here and the fact sheet here).
The draft rules had been out for over a year, but the final rules have changed pretty significantly. This post reviews what you need to know and do now.
Background
In 2011 the SEC issued guidance meant to help companies understand they should take responsibility for reducing cyber risk. This was guidance vice formal regulation, but it helped raise awareness and underscore for corporations that they had responsibilities to shareholders to seek to mitigate cyber risk. In 2018 the SEC issued new guidance to expand on and strengthen their previous guidance. But still, there is a difference in guidance and regulation, and many companies either did not notice or perhaps felt that their protections mitigated risk well enough, and the guidance was not that impactful.
In March 2022 the SEC published a draft set of proposed new rules that would make aspects of cybersecurity reporting and governance mandatory. After extensive industry feedback the SEC held an open meeting on 26 July 2023 and voted on and approved final rules.
The New Rules
The new rules are far stronger than previous interpretive guidance. The stated objective for these rules is to strengthen investor ability to evaluate public company cybersecurity practices and incident reporting. The rules will ensure corporations provide consistent, comparable and useful information to shareholders in two major categories:
- Information on incidents that may have a material impact on shareholder opinions and
- Information on governance processes designed to mitigate cyber risks
In the first category, companies would have to disclose any materially relevant cyber incident. These would have to be disclosed within four days after the decision is made that they are materially relevant and will be disclosed on a Form 8K (the term materiality is used in the same way as it has been in previous SEC guidance on security: If an investor would consider it important to know, it is considered material). The final rules make it clear that determinations on materiality are expected to happen expeditiously.
In the second category, companies will have to disclose information on their strategies for risk management and governance. The SEC is looking for a lot more disclosure on these topics than they have in the past, including details for how the corporation assesses, identifies, and manages material risks from cybersecurity threats, as well as the material effects from threats. The role of boards in director oversight of risks from cybersecurity threats and managements role and expertise in assessing and managing material risks from threats must also be disclosed.
These rules will be effective quickly. Disclosures will begin with the Form 10-k and 20-f disclosures with annual reports for fiscal years ending on or after December 15, 2023 (smaller companies are being given some leeway here).
The rules make it clear that corporate board will have new responsibilities in cyber risk management. However, the rules differ from the drafts in that boards do not have to disclose whether there is cyber expertise on their board.
Recommendations
Boards should be talking with management now to make sure there is clarity on new reporting requirements for incidents and for cyber risk mitigation governance. A gap assessment should be conducted.
All directors should seek to understand and mitigate cyber risk by leveraging expert advice from experienced risk management professionals. External advisors can rapidly evaluate board expertise relevant to the cybersecurity qualifications expected by the SEC and can recommend additional training for the full board or the board designated cyber expert.
Although not required by SEC guidance, many board have already decided to form cybersecurity committees so a few designated board members can work issues outside of board meetings. External advice can help the board evaluate whether this is the right approach for the mission and function of the board.
Concluding Context
Over the years the OODA Network has consistently attracted executives, experts and analysts all focused on making decisions in an environment when disruption, conflict and opportunity all simultaneously exist. Most who have joined the network have deep experience in the realities of operational cyber risk mitigation. For these leaders, meeting the needs of new SEC requirements for cybersecurity will almost come as second nature.
Corporate directors who seek to inform their decision-making around mitigation of systemic cyber risk can also apply to join the OODA Network.
OODA also helps clients in need of dedicated board cybersecurity services focused on helping Directors understand and manage the complexities of cyber risk. Our advisory team is comprised of only senior executives who have deep domain expertise combined with executive management functions such as serving on Boards of Directors or managing cyber risk as CEOs, CTOs, and CISOs. We help bridge the gap between Boards and their internal security management teams. Learn more at OODA Board Cyber Advisory Services
