Get Ready for SEC’s Cybersecurity Risk Management Rules for Public Companies
IT Risk & Cyber Risk | 4 Min Read | 02 August 23 | by Agnishwar Banerjee
As a cybersecurity or IT risk professional, it would have been impossible to miss all the buzz around the cybersecurity rules for public companies. On July 26, the U.S. Securities and Exchange Commission (SEC) adopted the new rules, which will require companies to transform their cyber risk management and incident reporting processes.
The new rules do not come as a surprise, given the escalating number of cybersecurity incidents and the elevated levels of cyber risks that organizations face today. In addition, it could be said that voluntary disclosures from companies have been below expectations, which impacted the visibility of customers and investors into the cyber risk postures of these companies. The “inadequate & inappropriate responses” in data and cyber breach incidents in recent years highlighted the lack of stringent regulatory mandates.
With the new rules, the SEC is standardizing the process of making disclosures about cybersecurity risk management procedures and practices by public companies, which will improve transparency and visibility for all stakeholders.
Gary Gensler, the current SEC Chair, explains, “Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”
What are the New Cybersecurity Rules?
In short, the rules will require public companies to:
- Report material cybersecurity incidents to the SEC within 4 days of determining the materiality of the incident, subject to an additional extension of the timeline at the Attorney General’s discretion
- Describe processes for assessing, identifying, and managing material cybersecurity risks, including third-party risks, and whether any cyber risks have had a material effect or are likely to do so
- Describe the board’s oversight of cybersecurity risks, the management’s role and expertise in assessing and managing material cybersecurity risks, and how the board/subcommittee is informed about cyber risks
- Disclose whether they are engaging with third-party assessors, consultants, or auditors in connection with any cybersecurity processes
- Describe whether and how their described cybersecurity processes have been integrated into the overall risk management system or processes
- Tag disclosure under incident reporting and risk management, strategy, and governance using Inline XBRL
For risk management, strategy, and governance disclosure requirements, companies will be required to provide the disclosures beginning with annual reports for fiscal years ending on or after December 15, 2023, while compliance with incident disclosure requirements will commence from the later of either 90 days after the date of publication of the final rules in the Federal Register or December 18, 2023. The rules also apply to smaller reporting companies and foreign private issuers (FPIs) but with extended compliance timelines.
How Can You Ensure Compliance?
The rules will require a robust and proven cyber risk management program, significant changes in board and management involvement, revised governance structures, effective management of third-party risks, and more.
A key takeaway is that while the rules do not directly apply to private companies, by virtue of being part of the third-party ecosystem of public companies, the rules may in effect extend to them. Implementing a cyber governance, risk, and compliance program without factoring in the extended enterprise cannot be deemed effective or complete in today’s interconnected business environment.
Here are a few measures for you to start preparing:
- Review and update incident response plans and playbooks to factor in the disclosure requirements and timelines (specifically the 4-day deadline for material incidents) and how they affect internal operations
- Review and update cybersecurity and risk management programs, policies, and processes (and whether they are integrated into the overall risk management system), including:
  - Monitoring and testing of internal controls
  - Managing and addressing threats and vulnerabilities
  - Identifying and remediating issues
  - Identifying and managing third-party risks
- Establish a well-defined process for assessing the “materiality” of cybersecurity incidents
- Identify gaps and vulnerabilities in the organization’s approach to mitigate cybersecurity risks before they materialize into an actual cybersecurity event and implement appropriate processes to ensure this is an ongoing activity
- Evaluate the organization’s current cybersecurity reporting structure, including how cybersecurity incident information is relayed to management and the board
- Document the cybersecurity expertise of the members of the management team or committee/subcommittee members involved in the process, including third-party consultants, assessors, and others
Organizations can implement advanced and robust cyber GRC solutions, with capabilities for effective risk identification, assessment, and management, continuous control testing and monitoring, compliance management, incident reporting and response, graphical reports, and dashboards, to streamline their processes and achieve compliance with the new requirements.
A Greater Push Towards Cyber Resilience
There is a heightened regulatory focus on all things cyber today. The SEC rules are not the only cybersecurity and risk-related legislation that has been passed this year. Here are a few more:
- National Cybersecurity Strategy announced by the Biden administration
- Cybersecurity Maturity Model Certification (CMMC) Program by the U.S. Department of Defense
- Amendments to the Federal Acquisition Regulation (FAR)
Going forward, we expect to see more cyber resilience-focused regulatory initiatives not just in the U.S. but worldwide – and not just applicable to public companies but to organizations across all sectors and industries. Organizations, however, must not look at compliance as a checkbox exercise but as an enabler of business value and growth. Done right, organizations stand to benefit from the enhanced cybersecurity and compliance posture, streamlined processes, and improved efficiencies.