Adam Isles & Chris Hetner

Change is coming. How will evolving cyber risk and incident disclosure requirements affect your company?

The recent rise in ransomware attacks and other evolving threats has heightened attention on how public companies manage and disclose cyber risks and incidents. Changes are coming, including an expected notice of proposed rulemaking from the U.S. Securities and Exchange Commission (SEC), among other developments. What will these changes mean for your company? In this recap, we provide insights and context to help you answer that question, and offer ways you can prepare now for the anticipated regulatory developments and new incident disclosure requirements.

WHAT’S IN PLACE TODAY

The SEC's 2018 interpretive guidance on cybersecurity disclosure requirements makes it clear that public companies should have comprehensive cybersecurity policies and procedures in place, with a focus on timely disclosure of material cyber risks and incidents. These measures should include:

  • Protocols to determine materiality of cyber risks and incidents
  • As part of materiality analysis, an appropriate method of discerning the probability
    and impact of cyber risks and incidents
  • Alignment of probability and impact to the company’s business, financial condition,
    and results of operations

WHAT’S COMING

Heightened SEC disclosure expectations. On January 24, SEC Chair Gary Gensler announced that he has asked staff to make recommendations for the Commission's consideration on companies' cybersecurity practices and cyber risk disclosures, including cybersecurity governance, strategy, and risk management, as well as disclosures when cyber events have occurred. Gensler highlighted the need for disclosures to come in a "consistent, comparable, and decision-useful manner." He also outlined a series of more specific steps related to SEC registrants such as broker-dealers and their service providers.

This follows Gensler’s announcement last fall that the Commission plans to release a notice of proposed rulemaking (NPRM) meant to provide investors with increased transparency into cyber risk amid a global surge in cyberattacks across business sectors. In terms of scope, Gensler noted that the forthcoming proposal “could address issues such as cyber hygiene and incident reporting.” The expected rule was also referenced in October 2021 remarks by Commissioner Elad Roisman.

New Incident Disclosure Considerations. While recent efforts to enact new federal cyber incident reporting requirements as part of the National Defense Authorization Act were unsuccessful, sector-specific regulatory agencies are using existing authorities to introduce new incident reporting expectations.

  • In November 2021, the federal banking regulators published a final rule that requires banking organizations to notify their primary federal regulator as soon as possible, and no later than 36 hours after determining that a "notification incident" has occurred. A notification incident is a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, operations that:
    • Affect a material portion of the organization’s customer base
    • Result in a material loss of revenue, profit, or franchise value, or
    • Pose a threat to the financial stability of the United States
  • Also last year, the Transportation Security Administration (TSA) issued Security Directives introducing new incident reporting requirements for pipeline operators as well as rail operators, airports, and air carriers.

Recent Enforcement Actions. Recent enforcement actions also indicate a renewed focus on whether cyber-related disclosures are accurate.

  • Education company Pearson PLC paid $1 million in fines as a settlement based on charges brought by the SEC in relation to a 2018 cyber incident. The SEC alleged that the company misled the public and the company’s investors about the nature of the breach by downplaying the timing and extent of the information stolen by the threat actors.

AREAS OF FOCUS FOR PUBLIC COMPANIES
The CFO, C-suite, and board of directors each have a role in overseeing the disclosure of cybersecurity risks and incidents that are material to a company's business. Companies are encouraged to become more engaged in building expertise in the following cyber risk areas:

  • Based on our business profile, what should we consider as reasonably foreseeable threat actor interest in our organization’s critical processes and data? How is this changing over time?
  • How could these threat actors actually compromise our environment?
  • Does our security approach (and that of our key suppliers) provide reasonable defensive coverage against this kind of threat tradecraft?
  • Are the security countermeasures we have in place actually effective? How is performance measured and validated?
  • Are we prepared if something goes wrong?
  • How are cybersecurity expectations from customers and other stakeholders evolving over time?
  • What resources (people, process, and technology) are required to address those risks? How do we weigh tradeoffs in alternative security investments we are considering?
  • Can we measure cyber impacts and risk (including changes over time) in economic and business terms and report to senior management and the board in a timely fashion? What risks are we willing to accept, and for how long?
  • Is management held accountable for cybersecurity and business continuity performance?
  • Do we have comprehensive policies and procedures in place to (1) address cyber risk, (2) guard against insider trading on material nonpublic information about cyber risks and incidents, and (3) help ensure that the company makes timely and accurate disclosure of any related material information on cyber risks and incidents?

Understanding cyber risk in business, financial, and operational terms, based on each organization's unique risk profile, is a key predicate step for informing materiality determinations for disclosure and for risk treatment. On an ongoing basis, boards should keep abreast of how management uses return-on-investment analysis to align cybersecurity resources with business-level risk reduction. They should likewise oversee the steps taken to implement the cybersecurity strategy in practice.

For additional information on this topic, please read our blog or view our on-demand webinar
