Will SEC Cybersecurity Regulations Make a Difference?

On July 26, 2023, the United States Securities and Exchange Commission (SEC) promulgated new rules designed “to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incidents by public companies…” The new rules mandate that regulated public companies make meaningful disclosures of certain cybersecurity events, including data breaches (not just those involving “personally identifiable information”), and also disclose their cybersecurity risks to investors or potential investors. The rule supplements and supersedes previous cybersecurity guidance and makes such reporting mandatory.

While the new rules will undoubtedly get the attention of regulators, risk managers, CISOs and possibly board members, the real question is whether they will ultimately make publicly traded companies more secure or whether the disclosure requirements will simply result in wishy-washy pablum in SEC filings.

Status Report, Captain!

The SEC has long required regulated entities to appropriately disclose to investors and potential investors risks or issues that might be “material” to an investment decision. This might include things like the risk that Panamanian labor unions would strike, the risk of a coup d’etat in Brunei or the risk of a fire or earthquake that would impact a company’s ability to conduct business.

As companies become increasingly reliant on digital infrastructure, the nature of business risk is increasingly tied to cybersecurity risk, and the value of a company may be tied to its cybersecurity resilience. Investors evaluating a company, therefore, should be able to meaningfully assess that company’s cybersecurity standing—both with respect to overall operational risk and with respect to material cybersecurity incidents. That’s the purpose of the new requirements.

The new requirements amend several regulations, including Regulation S-K §§229.10 through 229.1305 (Items 106 and 601, §§229.106 and 229.601), Regulation S-T §§232.10 through 232.903, Rule 405 §232.405, Securities Act of 1933 (“Securities Act”) Form S-3 §239.13, Securities Exchange Act of 1934 (“Exchange Act”) Rule 13a-11 §240.13a-1, Rule 15d-11 §240.15d-11, Form 20-F §249.220f, Form 6-K §249.306, Form 8-K §249.308 and Form 10-K §249.310. They provide, for example, that registrants must describe their processes, if any, for the assessment, identification and management of material risks from cybersecurity threats, and describe whether any risks from cybersecurity threats have materially affected or are reasonably likely to materially affect their business strategy, results of operations or financial condition. They also must disclose the board’s oversight of risks from cybersecurity threats and management’s role in assessing and managing material risks from cybersecurity threats. The new regulations also have incident reporting requirements that go beyond traditional data breach reporting in some respects. Regulated entities are now required to report, both to the SEC and to the investing public, any cybersecurity incident they experience that is determined to be material; describe the material aspects of its nature, scope and timing, and its impact or reasonably likely impact; and state whether they have remediated or are currently remediating the incident.

Put plainly, companies will have to disclose to investors (1) their cybersecurity risk, (2) how they are managing it (board and management) and (3) whether it is working (have they had any material incidents?).

But will this change anything? Short answer, no. The longer answer, maybe. Let’s look at each of these three.

Reporting Cybersecurity Risk

Let’s pick a company at random and look at their most recent 10-K report and see what they have to say about cybersecurity risk. Walmart’s most recent annual report notes that “We rely extensively on information and financial systems to process transactions, summarize results and manage our business. Disruptions in our systems could harm our ability to conduct our operations” and that “If the technology-based systems that give our customers the ability to shop with us online and enable us to deliver products and services do not function effectively, our operating results, as well as our ability to grow our omnichannel business globally, could be materially adversely affected” and further, that “Any failure to maintain the privacy or security of the information relating to our company, customers, members, associates, business partners and vendors, whether as a result of cyberattacks on our information systems or otherwise, could damage our reputation, result in litigation or other legal actions against us, result in fines, penalties, and liability, cause us to incur substantial additional costs, and materially adversely affect our business and operating results.”

Each of these statements is backed up with a paragraph or two generically describing the company’s risk with respect to cyberattacks—language like “Our compliance programs, information technology, and enterprise risk management efforts cannot eliminate all systemic risk. Disruptions in our systems caused by security incidents, breaches or cyberattacks—including attacks on those parties we do business with (such as strategic partners, suppliers, banks, or utility companies)—could harm our ability to conduct our operations, which may have a material effect on us, may result in losses that could have a material adverse effect on our financial position or results of operations, or may have a cascading effect that adversely impacts our partners, third-party service providers, customers, members, financial services firms, and other third parties that we interact with on a regular basis.”

In short, cybersecurity is risky, we try to manage it, but nobody’s perfect.

The statement generically describes the company’s dependence on cybersecurity infrastructures, third parties and cloud providers for operations, management, payment, etc., and the potential impact of attacks on sales, payment, operations and reputation. Nice. But not anything we really didn’t know before.

But what do we really want to know about risk, and do we really want to know it? To affect my investing decision, I want to know whether the company is doing a good job in identifying and managing risk. For example, “we are rolling out a new payment system which collects a ton of personal information about our customers, and while we did a pen test on the system (and it failed), we’re rolling it out anyway.” Or, “our CIO read a couple cool articles about an AI program and we’re now using it to run our distribution center. It seems awesome, but we have no clue how it works.” Or, “we hired an outside company to assess our security, and they found that overall we’re doing a good job, but the following systems are weak and could be exploited and overall we remain vulnerable to the following types of ransomware …”

The more detail we release, the more meaningful the disclosure (at least to cybersecurity folk, if not to investors). Even the traditional “stoplight” scoring—red, yellow, green—does not tell investors whether or not the company is a good investment. Moreover, disclosing details about a company’s cybersecurity status might actually make them the targets of future attacks. As a result, these disclosures are likely to remain either meaningless pablum, or detailed meaningless pablum. Take, for example, the statement “Our information systems are not fully redundant and our disaster recovery planning cannot account for all eventualities” in the Walmart filing. OK, so what does this mean? Are the company’s core functions redundant? Do they have an effective and tested DR/BC plan? How long after an attack can the company reasonably expect to recover? Is an attack likely to impact the company globally, regionally or nationally? Have they dedicated sufficient resources to planning and preparation for such an attack? What does the board think about this? What does management think about this? What does the CISO think? What are the minority/dissenting opinions? For example, if the CISO said, “We need a $100 million investment in FY 2024 to remain secure,” and the company allocated $25 million, should investors be advised that the company has only allocated one-fourth of what the head of cybersecurity said was adequate, or simply that the company invested $25 million? It’s just as much about what is not disclosed as what is.

Perhaps the most significant disclosure requirement revolves around disclosure of management and the board of directors’ role in managing cybersecurity risk. If cybersecurity has the appropriate attention of management, and management is knowledgeable about managing such risk and the board is informed and attentive, then things are more likely to get done. This will likely mean that companies that now have “security operations” will now elevate them to CISOs, that CISOs will now directly report to the CEO (not just the CIO or risk committees), and that boards of directors will have to demonstrate knowledge of cybersecurity risk mitigation. This means that someone who works for or with the board will have to act as “cybersecurity-whisperer” to the board, explaining what the CISO’s metrics mean and what questions to ask. It increases the profile for cybersecurity risk mitigation—and that can help.

Finally, there is a “name and shame” aspect of the new regulations. The proposed changes include the introduction of Form 8-K Item 1.05 and Regulation S-K Item 106. Form 8-K Item 1.05 requires registrants to disclose any cybersecurity incident they deem material. The company must describe the nature, scope and timing of the incident, as well as its material impact or reasonably likely material impact on the registrant’s financial condition and operational results. Compliance with the incident disclosure requirements in Form 8-K Item 1.05 and Form 6-K is set to commence 90 days after the date of publication in the Federal Register or December 18, 2023, for all registrants except smaller reporting companies. Smaller reporting companies will have an additional 180 days, with compliance starting on the later of 270 days from the effective date of the rules or June 15, 2024. All registrants must tag disclosures required under the final rules in Inline XBRL one year after initial compliance with the related disclosure requirement.

These disclosure requirements focus on the materiality of the incident, and not just the nature of the data breached. Indeed, incidents may be material without any actual breach of data. Since companies are loath to disclose such incidents, for fear of both a drop in share price and loss of reputation (Gentlemen! We’ve got to keep our phony baloney jobs!), the best way to avoid disclosing a material incident is to not have a material incident. So, in this regard, the reporting requirements might cause companies to do a better job at securing their infrastructure and that of the third parties upon which they depend.

Practical Advice for Navigating the New Regulatory Landscape

Given the complexities of these regulations, companies can take the following steps:

Embrace Proactivity: Adopt a proactive approach to cybersecurity, anticipating potential threats and formulating strategies in advance.

Engage the Board: Regularly inform the board about cybersecurity risks and incidents to align business and cybersecurity strategies.

Conduct Risk Assessments: Regular risk assessments can identify potential vulnerabilities and threats.

Create an Incident Response Plan: Develop a plan for efficient response and communication during cybersecurity incidents.

Determine Materiality: Establish guidelines for determining the materiality of cybersecurity incidents.

Provide Tailored Disclosures: Strive for detailed, company-specific disclosures, balancing necessary information with protecting sensitive details.

Build a Compliance Team: Assemble a team responsible for ensuring compliance with the new regulations.

Invest in Cybersecurity Education: Regular training for all employees can create a robust defense against many cyber threats.

Invest in Technology: Advanced cybersecurity technologies can enhance detection and response capabilities.

Consider Cyberinsurance: Cyberinsurance can offer additional protection against the financial impact of cybersecurity incidents.

Manage Your Vendors: Have a strong vendor management program, with contractual obligations on security and incident reporting.

Focus on Resilience: Emphasize recovery as well as security, including how to survive an attack, not just prevent it.

Educate: Get senior management and the board involved and educate them on how to ask penetrating questions.

Justify Your Resource Allocation Decisions: You don’t have to fund every project just because it has the word “cybersecurity” in it, but you will need to justify your spending decisions.

Understand the Risks of New Technologies: AI, quantum computing, cloud and other technologies show great promise, but the risks must be identified and managed. Discretion is the better part of valor.

Conclusion

The new SEC regulations mark a paradigm shift in cybersecurity risk governance. Their effectiveness hinges on careful execution and enforcement, balancing the need for transparency without compromising security. They present an opportunity for companies to review and enhance their cybersecurity practices. It’s a challenging journey, but with strategic planning, proactive measures and constant vigilance, companies can effectively navigate this evolving landscape.

Mark Rasch

Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland, where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is a recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and universities, including the University of Maryland, George Mason University, Georgetown University and the American University School of Law, and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch has worked as cyberlaw editor for SecurityCurrent.com, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice, where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including those of Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.