From the "why has it taken this long" file, the U.S. Securities and Exchange Commission (SEC) sometime this year will require corporate boards to clean up their cybersecurity act and increase transparency by disclosing cybersecurity incidents with full details to the SEC and investors within four business days.
In addition to reporting that there was an incident, publicly traded corporations must identify who on their board or which subcommittee is responsible for cybersecurity and their relevant expertise. Adding to the growing importance of the CISO role, required disclosures will also include how often and by which processes board members are informed of and discuss cyber risk.
The new notice of proposed rulemaking was published by the Office of Management and Budget's Office of Information and Regulatory Affairs as part of the SEC's rulemaking agenda. It will include finalizing two sets of cybersecurity rules proposed in 2022 that increase requirements for SEC-regulated public companies, broker-dealers, funds, investment advisors, self-regulatory organizations (SROs), and others.
The rules, when finalized, will go a bit deeper than simply identifying who on the board is responsible for, and was informed of, corporate cybersecurity procedures.
For instance, registered investment advisors (RIAs) and funds will need to adopt cybersecurity policies and procedures, conduct documented risk assessments, implement access controls, monitor and remediate vulnerabilities, and detect, respond to, and report cybersecurity incidents. Covered RIAs and funds will be required to report cybersecurity incidents within 36 hours.
According to Shawn Tuma, Co-Chair of the Data Privacy and Cybersecurity Practice at Spencer Fane, LLP:
"While this is an oversimplification of all of the requirements and nuances of the forthcoming SEC rules, the SEC's objectives are to require companies to provide meaningful and actionable information to shareholders to better understand companies' cyber risks and how companies are managing and responding to them. From a very high level, this can be broken down into two categories of what they are wanting to see companies disclose information about: proactive cyber risk governance and risk management, and reactive incident response and reporting."
The new rules indeed show the increasing importance of the CISO's role, particularly as it pertains to communication with the board.
According to Jordan Fischer, Cyber Attorney and Global Leader of the Privacy Practice Group at Octillo Law:
"The proposed SEC rules are really just another in a long trend of regulators increasingly focusing on cybersecurity across industries and businesses. With these new rules, the SEC is taking a step to elevate cyber to the board level, requiring boards to disclose any cybersecurity expertise on the board, as well as disclose the company's cybersecurity risk management and governance practices. Finally, the time period to disclose 'material' breaches will be a short four days. All of this combines to add heightened visibility, and oversight, into companies and their compliance practices. How this will impact publicly traded companies, and how the SEC will enforce these rules, will be key for all businesses to watch to influence their approach to cyber within their own operations."
Tuma agrees:
"On the proactive side, companies need to disclose their policies and procedures to identify and manage cyber risks, management's role in implementing such policies and procedures, and the Board of Directors' cybersecurity expertise and its oversight over cyber risk. This latter sentence can mean either who on the Board has cyber expertise, or, how great of a role the CISO has directly with the Board—that is, does the CISO finally have a seat at the parents' table?"
Tuma said the differentiator of the new rule is that it is not based upon a privacy breach but a "material cybersecurity incident" that might affect the business and its investors.
"On the reactive side, companies are required to disclose to their shareholders when there is a 'material cybersecurity incident,' which may or may not constitute an otherwise reportable event under the various privacy-based breach notification laws," Tuma said. "The point of this requirement is to let the investing public know about cyber events that will impact the company so that they can be informed and take them into consideration."
The SEC's latest rulemaking agenda, released by the Office of Management and Budget's Office of Information and Regulatory Affairs, shows a few items specifically targeting cybersecurity-related issues.