The Securities and Exchange Commission recently released new policies for Cybersecurity disclosure. My RSS feeds went ablaze with different hypotheses on how this will play out, and there is a lot of fear about how regulations could impact the industry. I have spent much time reading through SEC disclosures in the past, and I am not concerned about this regulation.
You Should Read the Regulation Yourself
If you work in cybersecurity at a listed company, you should read the regulation. It is 186 pages, but the parts of matter are much shorter. Reading and annotating the policy took me an hour and a half. It is full of discussions on why the SEC acted the way it did and can provide much context lost in the broader debate.
There are six proposed changes in the policy:
- Reporting of Cybersecurity Incidents on Current Reports (8-K)
- Disclosure of Cybersecurity Incidents in Periodic Reports
- Disclosure of a Registrant's Risk Management, Strategy, and Governance Regarding Cybersecurity Risks
- Disclosure Regarding the Board of Directors' Cybersecurity Expertise
- Periodic Disclosure by Foreign Private Issuers
- Structured Data Requirements
I will briefly describe the changes behind each and my hypothesis of the reasoning for these changes.
Reporting of Cybersecurity Incidents on Current Reports (Form 8-K)
Listed companies will be required to report cybersecurity incidents on Form 8-K. They must notify investors through a standardized format four business days after an incident has been determined to be material. The Attorney General's office can delay disclosure further if it deems it necessary. The report must "describe the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations." They must also inform investors at a high level about how materiality is determined.
This change will impact large-cap (Fortune 500) companies more than the other changes. Many companies in the Fortune 500 already have mandatory disclosure requirements, and some do not. However, unlike this new regulation, these reports are kept from investors as the intended audience.
The most critical line in this regulation is:
The purpose of the rules is, and was at proposal, to inform investors, not to influence whether and how companies manage their cybersecurity risk.
I suspect much concern comes from how security professionals typically think about disclosures. These disclosure reports will be very different and focus on "material impact." I expect investor relations, rather than security teams, will write them. They will likely focus primarily on financial impact or risk to reputation rather than technical details of how the attacks occurred.
Security teams must involve Public Relations (PR), Legal, and Investor Relations (IR) more in the escalation process. I suspect the stakeholders will agree on a set of criteria by which "materiality" should be investigated, and materiality will ultimately be agreed upon on a case-by-case basis with all stakeholders involved. I am not particularly concerned about there being constant disclosures of attacks. Materiality is a high bar, and many attacks may not constitute materiality. I suspect security teams will have several weeks before the four-day countdown triggers except for ransomware attacks (which may trigger materiality quickly).
Disclosure of Cybersecurity Incidents in Periodic Reports
Any items that cannot be disclosed in form 8-K due to being unknown at the time must be announced with an amended 8-K later.
This amendment is a relatively small piece of the regulation. The main business impact we will see is the need to continue evolving stakeholders outside the security team with repeat or long-term attacks. It likely means enterprises do not have to understand an attack when they submit their original 8-K fully. In line with the other 8-K guidance, I suspect it will focus mainly on the material impact of the incident rather than the attack itself. I see an amended 8-K being needed if the remediation cost far exceeds the original estimates.
Disclosure of a Registrant's Risk Management, Strategy, and Governance Regarding Cybersecurity Risks
Organizations must disclose "the registrant's processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes." They should also address the following:
- Whether and how the described cybersecurity processes in Item 106(b) have been integrated into the registrant's overall risk management system or processes;
- Whether the registrant engages assessors, consultants, auditors, or other third parties in connection with any such processes; and
- Whether the registrant has processes to oversee and identify material risks from cybersecurity threats associated with its use of any third-party service provider.
The filings must also address how much of the cybersecurity capacity is internal versus external. However, quantification of risk is not required.
Listed companies must also publish a high-level summary of its risk governance structure. This requirement includes:
- Whether and which management positions or committees are responsible for assessing and managing such risks, and the relevant expertise of such persons or members in such detail as necessary to fully describe the nature of the expertise;
- The processes by which such persons or committees are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents; and
- Whether such persons or committees report information about such risks to the board of directors or a committee or subcommittee of the board of directors.
Board Member Expertise, Foreign Registrants, Structured Data, and Asset-Backed Issuers
This section either were proposals that were removed or other logistics to implement the policy. There was discussion about requiring board expertise on cybersecurity, but that is no longer a requirement.
The regulation clarifies that the SEC expects foreign but US-based securities to comply with the regulation. All data must be reported with XBRL tagging. Asset-backed issuers (i.e., ETFs) are exempt since there is no material risk to themselves of security exposure.
There is some apprehension about this section, as organizations must publish risk management policies. However, the commentary in the report shows that the SEC is working not to make this pose a threat to an organization's security posture.
Any organization that relies on the obscurity of high-level risk management as a central part of its security posture is at extreme risk, regardless of SEC disclosure laws. It will be very high-level, mainly focusing on risk management frameworks used, potentially discussing how often security is reviewed. Ultimately, this will be down to cybersecurity, legal, and IR. There is a wide range where investors and the SEC can be happy while posing minimal risk to any half-decent organization's security posture.