The National Association of Corporate Directors (NACD), SecurityScorecard and the Cyber Threat Alliance released a report that examines the U.S. Securities and Exchange Commission’s recently proposed rules and amendments on cybersecurity reporting requirements for public companies. The report concludes that the proposed rules, if enacted as currently drafted, would strengthen the ability of public companies, funds and advisors to combat cybersecurity threats and implement risk mitigation processes.
“Preparing effective disclosure of material cyber risks and incidents has long been a key principle of cyber risk oversight advocated by NACD,” said Friso van der Oord, SVP of content at NACD. “The SEC’s actions in the past year, paired with recently released rules, draw a line under the critical role of management and boards in protecting not just investors and customers, but also the sound functioning of American business.”
The report highlights the SEC’s increased commitment to cybersecurity, holding more companies accountable, not just for egregious cyber-related violations, but also for misleading public statements about cybersecurity risks and events.
The report cites several recent cases in which the SEC took action as organizations failed to file suspicious activity reports (SARS) and disclosures, or provided misleading statements related to a cyberattack. These cases underscore the importance of classifying, escalating and reporting actual or suspected incidents to senior company leaders who are responsible for public-facing statements and regulatory reporting obligations.
On Feb. 9, the SEC proposed new reporting and recordkeeping requirements for advisors and funds. Among the proposed rules include reporting significant cybersecurity incidents to the SEC within 48 hours, implementing written cybersecurity policies and procedures to minimize operational risks, and recordkeeping to include copies of documented annual reviews of cybersecurity policies and procedures in effect over the prior five years. Companies would also need approval from the board of directors on cybersecurity policies and procedures.
Market-makers and broker-dealers are excluded from these proposed rules but the SEC is considering broadening reporting obligations in the near future.
Proposed rules on cybersecurity reporting requirements for public companies
On March 9, the SEC issued its proposed rules for public companies that include disclosure of any material cybersecurity incidents within four days of discovery, reporting of prior immaterial cybersecurity incidents that become material, and disclosure of policies and procedures to identify and manage cybersecurity risks. The proposed rules also call for board oversight of a company’s cybersecurity risk and implementation of related policies.
While the proposed rules do not mandate the deployment of continuous monitoring solutions, the SEC’s discussion of required elements for both sets of proposed rules supports such solutions.
“Currently most organizations lack continuous visibility into vulnerabilities across their vendor ecosystem,” said Sachin Bansal, chief business and legal officer at SecurityScorecard. “Organizations need an automated, integrated and collaborative approach to gaining this visibility – it’s crucial to business continuity and to adhering to the new policies and procedures set forth by the SEC.”
Additionally, third-party risks remain a key area of focus for the SEC, particularly for third parties that have access to confidential information or that are critical to operations. The SEC is considering new measures that would require companies to identify service providers that could pose cybersecurity risks and hold organizations accountable for a service provider’s lack of cybersecurity measures. As a result, companies may be liable for data security incidents involving vendors and other third parties, which may impact disclosure obligations.
As evidenced by the Biden administration’s May 2021 Executive Order on Improving the Nation’s Cybersecurity, these issues are a federal priority. The SEC’s increasing cybersecurity scrutiny is supported by other federal interagency collaboration efforts as well, including the Cybersecurity and Infrastructure Security Agency (CISA), Financial Stability Oversight Council (FSOC) and public-private partnerships.
“Every organization faces cyber-related risk,” said Michael Daniel, president and CEO, Cyber Threat Alliance. “It’s important that publicly traded companies appropriately disclose that risk so that investors can make informed decisions; in turn, better informed decisions create the market incentive for increased security across the ecosystem.
“The Securities and Exchange Commission has clearly prioritized increasing the accuracy and volume of disclosures, and public companies (and those that want to become public) should pay attention.”