The Securities and Exchange Commission (SEC) continues to convey the importance of cybersecurity for publicly traded companies by finalizing additional rules requiring disclosure of material cybersecurity incidents on Form 8-K and periodic disclosure of a registrant’s cybersecurity risk management, strategy, and governance in annual reports. In my opinion, the rationale is that these rules strengthen, enhance, and standardize a registrant’s cybersecurity control measures and reduce inaccuracies in the financial statement reporting produced by its information systems.
SEC Rule Interpretation
What does this mean for publicly traded companies? Before I interpret the final ruling, I would like to emphasize the Commission’s dedication to effective cybersecurity risk and controls management for publicly traded companies. As early as 2011, the Division of Corporation Finance issued interpretive guidance providing its views on operating companies’ disclosure obligations relating to cybersecurity. In 2018, the Commission also issued interpretive guidance to public companies on fulfilling their obligation to take all required actions to inform the investment community and investors, in a timely manner, about their significant cybersecurity risks and incidents. So, the direction and intent of the Commission regarding cybersecurity risk and controls management should come as no surprise to companies.
Now, the interpretation. In its periodic disclosures, a publicly traded company must:
- Report a material cybersecurity incident within four business days after determining that such an incident is material.
- Describe its processes for assessing, identifying, and managing material risks from cybersecurity threats and whether those risks are reasonably likely to materially affect its business strategy, operations, or financial condition.
- Disclose its cybersecurity governance practices, including the board’s oversight of cybersecurity risk and management’s process to manage, monitor, detect, mitigate, and remediate cybersecurity incidents.
- Comply with the cybersecurity incident reporting obligations beginning 90 days after publication in the Federal Register or on Dec. 18, 2023, whichever is later.
- Smaller reporting companies are given an additional 180 days to comply with the final rule.
In my analysis, the final rule is well aligned with other incident reporting rules and improves a public company’s ability to mitigate its cybersecurity risks and prevent financial statement inaccuracies. Additionally, the rule helps a registrant avoid having to restate its financial statements or, more importantly, suffering a reduction in investor confidence.
The Pathway Forward
In closing, companies shouldn’t see the Commission’s rules and requirements as an additional cybersecurity risk management burden; rather, they should see them as a means of improving their risk and control processes, increasing investor confidence, and providing some level of competitive advantage. My recommendations for adhering to the rule requirements are:
- Cybersecurity leaders should ensure that their cybersecurity program is well aligned with business objectives and strategies. Too often, I see cybersecurity programs and business strategies move in totally opposite directions, resulting in a lack of inclusion, oversight, and awareness of the latest security threats.
- Chief Information Security Officers and Chief Information Officers should have a say in boardroom discussions regarding cybersecurity and information risk management. The Commission expects the Board of Directors to be well-informed regarding cybersecurity matters. The most effective way of getting the information is direct and periodic communication with IT leaders.
- Build an effective governance and compliance program that aligns with not only the SEC requirements but other applicable regulations. When complying with federal mandates, an effective compliance program is key.
- Develop and implement effective cybersecurity control procedures based on industry standards (e.g., the NIST Cybersecurity Framework or the NIST SP 800 series, ISO cybersecurity and risk management standards, etc.). Risk assessment and management strategies should be defined, aligned, and disseminated across the organization, and, more to the point, incident response policies and procedures should be implemented and kept current. These controls should be tested on frequent cycles, with gaps documented and corrective actions performed in a timely manner.
- Internal Audit and Cybersecurity teams should be tightly integrated. This ensures that governance, risk, and compliance processes are implemented, controls are tested, and remediation is performed in a timely manner.
James Sayles, BS, MBA, DDiV
GRC-Fellow/Professional, Certified Information Security Officer, CISSP, CGEIT, CISM, CRISC, CIA, CISA, CFE, CIPP-US/EU
Sr. Director, Advisory Services – CyberOne Security