New SEC Cybersecurity Rules Focus on Board Accountability

Gone are the days when cybersecurity was just an information technology (IT) problem. Cyber risk is central to business risk, making it a board-level issue. For the first time, a proposed rule set from the US Securities and Exchange Commission (SEC) will require virtually all commission registrants to provide a series of cybersecurity disclosures within mandated annual and quarterly reporting. This decision is a nod to the importance of cybersecurity standards and what investors need to know to make an informed decision.

There have been several cybersecurity-centered proposals for registered investment advisors and funds of late, including the Cybersecurity Disclosure Act of 2017, the Strengthening of America Cybersecurity Act in March 2022, and the Better Cybercrime Metrics Act that just passed last month. This proposed rule drives standardization around reporting and what constitutes an incident or a breach as essential to safeguarding business against attackers.

Specifically, the SEC’s proposed rules will:

1. Require current reporting about material cybersecurity incidents within four business days.
2. Require periodic disclosures (Form 10-K) regarding, among other things,
3. a registrant’s governance, policies, and procedures to identify and manage cybersecurity risk;
4. management’s role in implementing policies and procedures;
5. the board of director’s cybersecurity expertise, if any, and its oversight of cyber risk; and
6. updates about previously reported material cybersecurity incidents (Form 10-Q).

Note the importance the rule set places on board directors. By mandating cybersecurity information disclosure via the 10-K, there’s a big focus on oversight and “management’s role and expertise in assessing and managing cybersecurity risk and implementing the registrant’s cybersecurity policies, procedures, and strategies.”

The SEC is finally driving standards to help establish the critical role of corporate governance in security across all sectors. With the proposal focusing on themes of cyber risk, governance structure, and metrics and analytics to fuel oversight, here are some questions you should be asking now to ensure readiness for the forthcoming rule:

On Cyber-Risk

• Which directors are responsible for the oversight of cyber risks?
• How is the board informed about cyber risks?
• How frequently does the board discuss cyber risks?
• How does the board consider cyber risks within the context of the company’s business strategy?

On Governance Structure

• Which management positions or committees are responsible for managing the company’s cyber risk and what are the qualifications of those responsible?
• Does the company have a chief information security officer (or someone in a similar position) and who does that individual report to?

On Metrics and Analytics

• How do the responsible managers and committees monitor and remain informed about cyber incidents and threats?
• How frequently do responsible individuals report to the board on cyber risks?

Will the rule set come to pass? Yes, in this writer’s humble opinion. I recommend we treat the proposed role as a coming mandatory regulation and start preparing now. Cybersecurity should be looked at as an enabler of any company’s growth and digital transformation strategy, with cyber resilience critical to a company’s future success. While the details of the final rule may vary slightly, the principles of risk management, governance, resilience, and attention to third party risk are and will remain best practice areas for cybersecurity programs.

In addition, penalties for violations will likely be steep. Recent SEC examples of penalties for smaller scale control failures are numerous and total well over $1 million in fines. Additionally, as the proposed rules are tied to annual investor reports, failure to adhere to them will also impact an organization’s brand and reputation and can skew investment and credit ratings.

The bottom line is that cybersecurity must encompass an entire organization from the boardroom to the mailroom to be effective against the increasingly sophisticated threats we’re seeing today and will continue to see in the future. The SEC’s proposed rules are an important step in securing corporate registrants’ success.

James Turgal is the vice president of cyber risk, strategy, and board relations at Optiv. For more information on this topic, watch Optiv’s on-demand webinar on SEC rule readiness.