
Change is Coming to the SEC’s Proposed Infosec Rules

The Securities and Exchange Commission’s (SEC’s) proposed changes could have a substantive impact on how companies describe and project their cybersecurity readiness. The SEC Fact Sheet states that the proposed rules are to “enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance and incident reporting by public companies.” Clearly, the SEC’s intent is to standardize the information flowing from companies and ensure it is available to all investors via public filing.

SEC Chair Gary Gensler said, “Over the years, our disclosure regime has evolved to reflect evolving risks and investor needs. Today, cybersecurity is an emerging risk with which public issuers increasingly must contend. Investors want to know more about how issuers are managing those growing risks. A lot of issuers already provide cybersecurity disclosure to investors. I think companies and investors alike would benefit if this information were required in a consistent, comparable, and decision-useful manner. I am pleased to support this proposal because, if adopted, it would strengthen investors’ ability to evaluate public companies’ cybersecurity practices and incident reporting.”

The meat and potatoes of the proposal will require:

  • Cybersecurity incidents to be reported via Form 8-K
  • Periodic disclosures regarding:
    • Policies and procedures to identify and manage cybersecurity risks
    • Management’s role in implementing cybersecurity policies and procedures
    • Board of directors’ cybersecurity expertise, if any, and its oversight of cybersecurity risk
    • Updates on previously reported incidents

For some, these requirements will be a light lift; for others, they will constitute a sea change. The board of directors’ composition will be reviewed, and the more astute members will ensure that cybersecurity expertise is present and knowledgeable and has appropriate oversight review of any CSO/CISO efforts to manage the company’s cybersecurity risk exposure.

Similarly, the proposed need to report incidents within four days of when the “registrant determines it has experienced a material cybersecurity incident” will ensure that every company’s playbook is augmented to document how and why an incident is determined to be “material” or “immaterial” and defend that position. If responsibility and accountability are not currently well defined, they soon will be.

Perhaps the most impactful proposed change by the SEC is to require companies to “describe its policies and procedures, if any, for the identification and management of risks from cybersecurity threats, including whether the registrant considers cybersecurity as part of its business strategy, financial planning and capital allocation.”

On this latter point, regarding the sharing of the description of one’s policies and procedures, Tim Williams, CISO at Docebo, Inc., observed, “Information security policy documents should be clear, communicative, and transparent. Organizations should be held accountable for how effectively they comply with their own published policies. Being on public display will help drive that accountability.”

Williams said he believed that transparency is a good thing, and added that the SEC’s recommendations could be improved with a “Regulatory requirement to benchmark an organization’s infosec program against recognized industry standards. The results of these benchmarks and audit reports should be shared within the annual reporting process.”

CISOs should absorb the proposed changes, discuss them internally and with the board of directors, identify the impact and the changes required and, if appropriate, engage in the SEC process with public comment in support of (or against) the proposed changes.

Christopher Burgess

Christopher Burgess (@burgessct) is a writer, speaker and commentator on security issues. He is a former Senior Security Advisor to Cisco and served 30+ years within the CIA which awarded him the Distinguished Career Intelligence Medal upon his retirement. Christopher co-authored the book, “Secrets Stolen, Fortunes Lost, Preventing Intellectual Property Theft and Economic Espionage in the 21st Century”. He also founded the non-profit: Senior Online Safety.
