Public companies that are subject to the reporting requirements of the Securities Exchange Act of 1934 might soon face additional new requirements. The Securities and Exchange Commission (SEC) is proposing rules to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and cybersecurity incident reporting.
The proposed regulations don’t quite put you under a microscope, but they let in more sunlight to equip investors with greater visibility. The SEC states, “The proposed amendments are intended to better inform investors about a registrant’s risk management, strategy, and governance and to provide timely notification of material cybersecurity incidents.”
Rob Wilkinson, Lead Security Consultant at Netrix Global LLC, said, “These changes could be the impetus for many organizations to finally elevate their cybersecurity capability. Organizations large and small can get breached, but the quality and transparency of their incident response should speak volumes to investors.”
While mandated exposure can be anxiety-provoking, the upside is that improving your cybersecurity program will improve your security posture, reduce the likelihood that you’ll suffer an attack, and minimize the negative impact if you do.
Cybersecurity threats pose an escalating risk to public companies, investors, and market participants. The SEC cites increasing cybersecurity risks due to:
Mr. Wilkinson notes, “Supply chain attacks in recent years have highlighted the importance of making sure your trusted vendors have incident response programs too. At Netrix, we help our customers build third-party risk management processes to quickly measure risk and advise application owners without unnecessarily disrupting procurement.”
Cybersecurity incidents are resulting in various increasing costs and adverse consequences for both companies and their investors. Additionally, SEC staff has observed incident reporting that is inconsistent and not timely, such as smaller companies providing less disclosure, and incidents being reported in the media, but not disclosed in a registrant’s filings.
Considering the importance of technology, investors are interested in cybersecurity risk management, and cybersecurity incidents can affect a company’s share price.
This all drives the SEC to conclude that investors would benefit from more timely and consistent disclosure about material cybersecurity incidents, as well as greater availability and comparability of disclosure by public companies regarding their cybersecurity risk management practices.
The SEC’s proposed amendments require periodic disclosures about a registrant’s overall approach to cybersecurity, including:
The rules require registrants to file an Item 1.05 Form 8-K within four business days of a material cybersecurity incident. These four days begin on the date you determine the incident is material, rather than the date of discovery of the incident.
The rules stipulate the scope of the disclosure that’s required, including when the incident was discovered, its impact, and its outcome. Registrants must also provide updates on previously disclosed incidents.
The guidance helps companies determine when they may be required to disclose information about cybersecurity risks and incidents. However, some of the listed conditions include the modifier “material.” Quoting previous case law, the SEC proposal states, “Information is material if ‘there is a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision,’ or if it would have ‘significantly altered the “total mix” of information made available.’”
It seems to be increasingly difficult to gauge what is “reasonable,” but the SEC has attempted to define “material,” including descriptions such as “materiality depends on the significance the reasonable investor would place on the information.”
Additionally, the Supreme Court recognized that doubts as to the critical nature of information will be commonplace. However, doubts should be resolved in favor of those the statute is designed to protect: investors. The SEC advises, “Even if the probability of an adverse consequence is relatively low, if the magnitude of the loss or liability is high, the incident may still be material.”
“These changes are part of a larger trend in increasing oversight as well as the specificity of cybersecurity requirements, for example privileged access management and multi-factor authentication. Some cybersecurity controls that were first implemented by large enterprises were, at one time, overkill for SMBs. But there’s growing recognition that SMBs require similar comprehensive security efforts since they face just as much risk – if not more. Attackers want easy targets,” said Mr. Wilkinson.
Other new regulations include the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), and the 2022 EU Cyber Resilience Act.
“The new proposal requires a level of business acumen from your senior management that extends beyond the technical. You’ll need a CISO with the credibility and communication skills to translate cybersecurity controls into business conversations,” said Mr. Wilkinson.
“Some organizations may have gaps in their C-level information security leadership, which will make compliance difficult. They’ll need to raise their expectations for IT security, elevating their approach beyond the technical to encompass strategic leadership. That’s where our long-standing Virtual CISO (vCISO) service fits in,” Mr. Wilkinson added. A Netrix vCISO helps organizations to build and run practical, effective information security programs that are aligned with the organization’s risk tolerance and business strategy. Reach out to explore how Netrix can partner with you to provide executive leadership, effective communications, and a thorough review of key metrics.