SEC heightens urgency on cybersecurity

New disclosure rules focus on transparency and governance

New disclosure rules issued in July by the SEC heightened the urgency around cybersecurity — which was already an area of intense focus — for organizations subject to regulation by the Commission.

Companies need to be prepared to comply with the SEC’s rules, which focus on providing transparency to investors. An organization that has weak cybersecurity controls may pose more risk to investors, and a company with a substantial breach may experience reputational harm and loss of value.

To compel organizations to provide that transparency, the SEC is requiring that registrants disclose:

• Their board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material cybersecurity risks on an annual basis.
• Their processes for assessing, identifying and managing material risks from cybersecurity threats, as well as the material effects or reasonably likely material effects of risks from cybersecurity threats and previously likely cybersecurity incidents on an annual basis.
• Any cybersecurity incident they deem to be material — as well as its scope, nature and timing — within four business days after determining that the incident is material.

The annual disclosures will be due beginning with annual reports for fiscal years ending on or after Dec. 15, 2023. Incident disclosures will be required beginning Dec. 18, 2023, although smaller reporting companies will have an additional 180 days before their breach disclosure rules take effect.

The rules will apply to SEC registrants, including international companies that are listed on a U.S. stock exchange and are registered with the SEC.

As companies work to comply with the regulation, it’s useful to consider three main objectives — appropriate governance, yearly cybersecurity reporting, and incident reporting.

The role of the board

The SEC’s disclosures on governance should reinforce the importance of strong board oversight of this area. After considering public comments, the SEC decided not to require companies to disclose the extent of their boards’ experience and expertise in cybersecurity.

“But what remained is that the SEC is very clear: The board of directors has the ultimate oversight of cybersecurity risks through board committees or subcommittees that are directly responsible on a regular basis to be kept abreast of changes in the cybersecurity risk situation and help guide the board in its oversight,” said Grant Thornton Managing Director for Cybersecurity and Privacy Services Max Kovalsky.

The final rule does not require boards to have a member with specific expertise in cybersecurity risk management, but Kovalsky said boards need to be educated on these risks to appropriately exercise their duties related to cybersecurity.

One important immediate consideration for boards as a result of the new regulations is a re-examination of the role of the chief information security officer (CISO). The people for these positions have traditionally been hired for their technical expertise, and they often don’t report to the board or the CEO.

The regulations put the CISO in a more prominent reporting role that requires the ability to engage with boards on a regular basis.

“The question for boards to ask is, ‘How do you make the role of the CISO a true executive?” Kovalsky said.

Elevating the role of the CISO should be on any board’s short list in preparation for compliance with the SEC disclosure rules.

Disclosure of cybersecurity processes

To comply with the annual disclosures on cybersecurity risk management processes, registrants’ disclosures should include:

• Whether cybersecurity is part of their overall risk management program.
• Identification of any third parties that are helping to oversee and identify cybersecurity risks.
• Details about their risk appetite and tolerance.
• The material effects or likely material effects of risks from cybersecurity threats and previous incidents.

It’s critically important that these disclosures be accurate. Kovalsky expects that after any breach that is disclosed, the SEC will carefully parse through the yearly disclosures to see if they were actually in place.

Wording is crucial. If an organization guarantees that it will safeguard personal information and then experiences a breach of that information, regulatory consequences may follow on top of the difficulties associated with the breach.

“Registrants or organizations want to be very measured and careful about the way cyber risk management practices are described,” Kovalsky said.

Incident disclosure requirements

Registrants need to have processes in place so they are prepared to comply on a timely basis with the SEC’s incident disclosure requirements within the allotted four business days after determining a breach is material.

Organizations should have a written process in place for dealing with breaches, identifying how to contain the damage, for example by cutting off any access an attacker may have to systems; how to re-establish any interrupted operations; how to communicate with various stakeholders (including the SEC); and which personnel will be responsible for all these tasks.

The processes should be practiced in tabletop exercises that also should now include processes for materiality calculations and reporting to the SEC if an incident is deemed to be material.

Determining materiality may be one of the most difficult exercises in this process. In this case, the determination is different from the materiality considerations for accountants who are preparing financial statements.

“Some organizations may decide to use a quantitative approach. Others may decide to use a qualitative approach, or a combination of both,” Kovalsky said. “Based on past cases involving security breaches, materiality may also evolve over time from a financial, legal and compliance perspective. Management should ask whether a reasonable investor would perceive an incident to materially affect their investment decisions. That’s the key point that needs to be considered.”

What you need to know

Kovalsky also is encouraging organizations to take a hard look beyond the reporting requirements to what they mean for the organization’s value. The reporting requirements will bring cybersecurity incidents further out into the public eye, resulting in reputational damage that can negatively affect valuation.

Organizations surveyed in 2023 took an average of 204 days to identify a breach, according to IBM’s Cost of a Data Breach Report. That gives attackers a long time to cause damage.

“It is likely that the SEC would expect that information to become public — ‘An intruder has been in your house for more than six months,’ ” Kovalsky said. “It doesn’t look good to your investors.”

That’s why Kovalsky is urging organizations to double down on their detective cybersecurity controls. One of the best controls is the regular use of what is known as red versus blue team exercises, where ethical hackers use the latest attack techniques to attempt to gain access to the enterprise network. If the defenders do not detect these attacks or systems are penetrated, controls need to be upgraded immediately.

“That has been and remains the best way to test detection capabilities,” Kovalsky said. “You need to do it on a continuous, consistent basis.”

Instead of doing the bare minimum to satisfy the SEC’s disclosure requirements, organizations may see this as an opportunity to identify and address any gaps in their controls, protections and governance. This can help them preserve value as the SEC looks to keep investors informed on registrants’ cybersecurity practices and any breaches that occur.