In the aftermath of COVID-19, a lot of things have changed, and a lot is still left uncertain. This statement rings especially true for companies that were thrown into the digital space because of the pandemic. Most of them were unprepared for the shift and it shows with the cybersecurity protocols that they have implemented. This is the very reason a recent SEC Cybersecurity Disclosure Proposal came into play.
You see, cybersecurity can mean different things for different organizations. However, generally, it is considered the practice of defending critical systems and sensitive information from digital attacks. It is designed to fight threats against networked systems and applications that might originate from inside or outside the organization.
A cybersecurity attack can result in identity theft, extortion attempts, loss of important data, and misuse of personal information. In today’s digital world, a successful attack means more than just a few hours of delay in operations. Everyone relies on digital infrastructure such as power plants, hospitals, and financial service companies for everyday living. Securing these and other organizations is essential to keep society safe and functioning.
Over the last few years, cybersecurity threats have increased in both the private and public sectors, and the government has continued its efforts to strengthen cybersecurity beyond government-controlled systems. In fact, according to IBM, an average breach can result in losses that amount to millions:
“In 2020, the average cost of a data breach was USD 3.86 million globally, and USD 8.64 million in the United States. These costs include the expenses of discovering and responding to the breach, the cost of downtime and lost revenue, and the long-term reputational damage to a business and its brand.”
To enhance and standardize disclosures across public companies, the U.S. Securities and Exchange Commission (SEC) issued the SEC Cybersecurity Disclosure Proposal on March 9, 2022, covering cybersecurity risk management, strategy, governance, and incident disclosure.
“Over the years, our disclosure regime has evolved to reflect evolving risks and investor needs. Today, cybersecurity is an emerging risk with which public issuers increasingly must contend. Investors want to know more about how issuers are managing those growing risks. A lot of issuers already provide cybersecurity disclosure to investors. I think companies and investors alike would benefit if this information were required in a consistent, comparable, and decision-useful manner. I am pleased to support this proposal because, if adopted, it would strengthen investors’ ability to evaluate public companies’ cybersecurity practices and incident reporting,” explained SEC Chair Gary Gensler in the recent press release.
The SEC cited its concerns over companies maintaining safe information systems. It also highlighted the increased vulnerabilities and threats that surround companies, such as third-party services, remote work, digitalization, processing of virtual payments, and malware and ransomware campaigns. The consequences of these kinds of threats can cost businesses their assets.
SEC Cybersecurity Disclosure Proposal Requirements
According to the SEC Cybersecurity Disclosure Proposal, “more timely and consistent disclosures” are beneficial for companies and investors alike. The proposal sets out reporting requirements in four areas: (1) risk management and strategy, (2) material cybersecurity incidents, (3) cybersecurity expertise among board members, and (4) governance.
The following requirements are discussed in detail below:
Risk Management and Strategy
Risk management is the identification, analysis, and mitigation of uncertainty in investment decisions.
A proposed amendment to Regulation S-K would require “consistent and informative” disclosure of cybersecurity risk management and strategy. Aside from requiring disclosure of the company’s own cyber risk management, the new rule would also require disclosure of how the company selects third-party service providers to help mitigate cyber risk. The rule would also require disclosure of how cybersecurity considerations factor into the company’s strategy and planning around its business model, such as the handling and collection of sensitive data and its reliance on technology.
The rule is intended to give investors sufficient information to assess the risks a company may encounter, how the company manages those risks, and their potential impact. To that end, the rule would require disclosure, as applicable, of whether:
- the company has a cybersecurity risk assessment and management program;
- the company engages third parties in connection with the program;
- the company has policies and procedures in place to evaluate cyber risks associated with third-party service providers, and considers third-party providers’ risks in selecting and overseeing those providers;
- the company’s cybersecurity programs are informed by prior cybersecurity incidents;
- cybersecurity risk and incidents have affected or reasonably could affect the company;
- cybersecurity risks are considered as part of the company’s business strategy, planning, and capital allocation.
Material Cybersecurity Incidents
The SEC proposes to amend Form 8-K to require disclosure of “material” cybersecurity incidents within four business days. Simply put, organizations must report material cybersecurity incidents within four business days of determining that the incident is material.
With the amendments to the disclosure proposal, organizations are required to report the following information:
- The date when the cybersecurity incident was discovered, and whether it is ongoing.
- An overview of the incident, including the nature and scope of the data that was compromised.
- An explanation of how the incident affected the company’s operations.
- Whether, and how, the company has remediated the incident.
The disclosure of directors’ cybersecurity expertise is another proposed amendment to Regulation S-K. Under the revisions, organizations would be required to identify board members who have relevant cybersecurity expertise. Relevant expertise includes, but is not limited to, prior employment duties, academic credentials, and other adjacent skills.
Lastly, the revisions would require companies to disclose how the board and management oversee and manage cybersecurity risk. This includes:
- The scope of responsibility of the entire board, individual board members, and relevant committees.
- How information about cybersecurity incidents is communicated to the board.
- How the board evaluates cybersecurity risk in the context of the company’s overall business strategy.
As mentioned earlier, the SEC released the proposal in March 2022. The proposal remains open for public comment for two months following its publication, with the comment period ending on May 9, 2022.
Confused about the SEC Cybersecurity Disclosure Proposal and other recent updates? We at SecureBrain can take you through their new requirements. Reach out to us today to learn more about what we can do for your operation!