SEC proposing new cybersecurity disclosures
MSPs will likely soon be called upon to help clients with another cybersecurity issue, but this one isn’t about patching or installing firewalls; it’s about explaining. The U.S. Securities and Exchange Commission (SEC) is proposing to overhaul the requirements for cybersecurity disclosures by public companies and their boards.
Here is how the SEC describes the proposed changes:
“The SEC is proposing rules to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and cybersecurity incident reporting by public companies subject to the reporting requirements of the Securities Exchange Act of 1934. Specifically, we propose amendments requiring current reporting about material cybersecurity incidents. We are also proposing to require periodic disclosures about a registrant’s policies and procedures to identify and manage cybersecurity risks, management’s role in implementing cybersecurity policies and procedures, and the board of directors’ cybersecurity expertise, if any, and its oversight of cybersecurity risk.”
Cybersecurity experts generally applaud the expected moves by the SEC. “The SEC is essentially saying ‘cybersecurity matters, so let’s codify it,’” explains David Williams, a cybersecurity expert in Baltimore, Md. And this matters more than ever with the rise in data breaches.
Rise in data breaches drives need for more transparency
In the third quarter of 2022, for example, the number of companies experiencing data breaches continued to outpace all other years. Last month, Info Security Magazine reported:
- A total of 108.9 million accounts were breached in the third quarter of 2022, a 70 percent increase compared to the previous quarter.
- The top five countries and regions most affected by data breaches in Q3 2022 were Russia, France, Indonesia, the U.S., and Spain. While Russia had the most breaches overall (22.3 million), France had the highest breach density, averaging 212 leaked accounts per 1000 people.
The fact that the United States is among the five countries most affected by data breaches only adds to the SEC’s urgency to implement new rules. Breaches are costly, and the SEC has an interest in protecting the entire ecosystem from them. More transparency and reporting would help with this goal, Williams advises.
“The thinking is that by codifying what companies should do already, they are adding an exclamation point,” he adds. The SEC rules are expected to be finalized in the spring of 2023, but companies must start preparing now.
MSPs play a vital role in helping clients prepare
“You don’t want to wait until the final rule language is released to begin preparing,” Williams warns. “Companies need to do these things now, ironing out any bugs and being prepared for them. And MSPs have a vital role to play in this process in helping boards craft the proper protocols and language.”
Some of the changes that companies will have to adopt when the SEC rules are finalized include:
- Require current reporting about material cybersecurity incidents on Form 8-K.
“This rule will require reporting cybersecurity incidents within four days, not of the incident itself, but of the discovery. So, if the company discovers a breach occurred six months ago, you have four days from discovery. There will be some back and forth over what constitutes ‘material’,” says Williams.
Proper reporting can result in strong, attack-resistant systems
SEC Commissioner Hester Peirce told a Congressional hearing: “A properly designed reporting system could serve as the foundation for the Commission to assist industry in establishing strong, attack-resistant systems.” Peirce was explaining the rationale behind the four-day reporting rule.
Other proposed rules include disclosing the following:
- A registrant’s policies and procedures to identify and manage cybersecurity risks.
- Management’s role in implementing cybersecurity policies and procedures.
- Board of directors’ cybersecurity expertise, if any, and its oversight of cybersecurity risk.
“What the SEC is really after is transparency,” Williams notes. “They want a company to publicly disclose its cybersecurity policies and protocols so that it’s available for anyone to see before entering business.” The new SEC rules would also require enhanced and standardized disclosure of a company’s cyber risk management policy.
According to the SEC, the new rules would require companies to:
- Describe their policies and procedures, if any, for the identification and management of risks from cybersecurity threats, including whether the registrant considers cybersecurity as part of its business strategy, financial planning, and capital allocation.
- Disclose the board’s oversight of cybersecurity risk, and management’s role and expertise in assessing and managing cybersecurity risk and in implementing the registrant’s cybersecurity policies, procedures, and strategies.
“These are all sound solutions, so you want to begin working on this now. Some companies are woefully sparse on their risk management strategy; many fly by the seat of their pants, and that won’t cut it anymore. The SEC will require codified, clear cyber risk strategies in place, and MSPs will likely have to help companies craft such policies,” Williams advises.
While failure to follow the new SEC rules won’t result in criminal charges, the SEC can impose fines.
“But they don’t want these rules to be punitive, they want it to be a benefit, that increased transparency and reporting helps everyone,” Williams concludes.