Rules adopted in 2023 by the US Securities and Exchange Commission (SEC) on cybersecurity risk management, strategy, governance, and incident disclosure have raised important considerations for security leaders of public companies, ranging from understanding the rules themselves to managing yet another set of regulations in an increasingly diverse and fast-changing cybersecurity landscape.
The new SEC regulation is divided into three main components. The first component has received the most press attention — the obligation to report “material” cybersecurity incidents to the SEC within four business days of discovery.
It’s worth noting that the four-day timeframe for incident disclosure does not begin at the moment of discovery. The SEC recognizes that businesses will need some time to investigate and evaluate the incident.
However, the regulators will eventually expect that a public company will possess sufficient internal information to determine whether the incident caused significant risk to the entity and its shareholders. If the incident is deemed material, then the organization must report it (via Form 8-K) within four days of such determination.
The second and third components relate to annual disclosures of risk management strategies and governance practices. Public companies are now required to disclose in their annual reports (Form 10-K):
The above disclosures must be prepared in sufficient detail to enable investors to understand the company’s risk profile and to facilitate informed investment decision-making.
Governance frameworks such as the SOGP (standards of good practice for information security), the NIST SP 800-53B, or the ISO/IEC 27002:2022, will become the bedrock for risk management and a sound security governance strategy.
Frameworks can serve as a foundation for identifying and mapping out various risks, documenting controls, procedures and security gaps, determining risk exposure and tolerance levels as well as painting an overall picture of the organization’s cybersecurity posture and resilience against material threats.
A comprehensive, well-documented risk management process is critical to determining the material impact of a breach, containing and mitigating it, and adhering to SEC reporting requirements (S-K Item 106).
Each identified risk must be assessed and monitored on attributes such as risk description, monetary impact, threat landscape, and control effectiveness so that appropriate mitigations can be scoped out based on the risk certainty and priority. In cases where organizations lack a streamlined risk management process, standardized tools such as the Information Risk Assessment Methodology 2 (IRAM2) will help immensely.
The SEC rules state that the materiality of a security incident does not depend on “where the relevant electronic systems reside or who owns them.” They also make it clear by stating that “we are not exempting registrants from providing disclosures regarding cybersecurity incidents on third-party systems they use, nor are we providing a safe harbor for information disclosed about third-party systems.”
This means that organizations will need agreements in place beforehand so that when a third-party incident occurs, businesses receive the information they need to fulfill their own compliance obligations.
Organizations must have designated people and formal processes in place to determine the “material impact” of an incident and to communicate with relevant authorities by the stipulated deadlines.
Testing and preparedness of incident response plans will be crucial. When groups from a diverse set of functions (legal, IT, finance, third parties, etc.) are brought together but are not accustomed to working with one another, the result can be unwarranted confusion during mitigation efforts.
In cybersecurity, it’s always wise to sort out the basics. Understand what constitutes a material breach. If you’re a public company, there should already be legal and business teams that are fully versed in the concept of materiality and have experience applying it in other contexts. Learn from them. Evaluate any existing oversight structures at the board and management level and determine whether any improvements are needed, for example by providing ample space for security discussion on the board agenda or by appointing a dedicated cybersecurity committee.