In early 2022 the US Securities and Exchange Commission (SEC) proposed significant amendments to the information security requirements for publicly traded companies. If these proposed changes are formalized into law, companies will be required to make periodic disclosures, including updates on previously reported material cybersecurity incidents, company policies and procedures to identify and manage cybersecurity risks, management’s role in implementing these policies, and the board of directors’ cybersecurity expertise and risk oversight activities.
The proposed changes would require companies to file Form 8-K disclosure updates for reporting any material cyber incident within four business days of their occurrence. A “material” incident is defined as anything that could potentially impact an individual’s decision to buy, hold, or sell a company’s stock.
When a material incident is discovered, the company would be required to report, to the extent known:
- When the incident was discovered and whether it remained ongoing
- A brief description of the incident
- Whether data was taken, changed, accessed, or used for any unauthorized purpose
- How the incident affected the company’s operations
- Whether the company had remediated, or was in the process of remediating, the incident.
All in all, under the new rules, companies and their senior leadership will be held to a higher standard. They will be required to maintain reasonable cybersecurity policies and procedures, explain how senior leadership and the BOD provide oversight, and report incidents in a way that provides appropriate information to shareholders.
Our team at MAKINSIGHTS is closely following the proposed changes and analyzing the potential impacts on our clients.
Our view is that the SEC’s final ruling would need to strike a balance between providing investors with the information they need to make informed investment decisions and minimizing the potential for disclosure itself to lead to harm. Additionally, it is clear that the SEC expects the BOD and Senior Management to provide strong oversight and to enact measures that ensure that oversight is meaningful.
One key client concern is how the proposed regulations could affect incident response efforts, specifically during the containment and remediation stages. Additionally, there is worry that the public disclosure of incident information could be utilized by malicious actors to potentially cause additional harm.
Net/net, it is important for companies to review and prepare for the potential impact of these proposed changes: according to recent reports, the SEC has announced plans to publish a final ruling on the proposed amendments in April 2023. [Update: The SEC has delayed the announcement of the final rule until at least October of 2023. While several industry groups have voiced support, it appears that the American Chamber of Commerce, with its strong lobbying body in support of American businesses, has identified some issues with the implementation of the rule that the SEC is re-evaluating.]
How MAKINSIGHTS can help
It is crucial for Information Security & Risk Management leaders to evaluate their company’s cybersecurity governance approach: policies, processes, and procedures, as well as the way in which key roles such as the board of directors and senior management work together via committees to realize such strategies. It is also clear that business continuity, contingency, and recovery plans should dovetail with Incident Management and regulatory oversight.
Companies should assess the expertise they have in place for identifying and managing cybersecurity risks and implementing cybersecurity policies and procedures. Furthermore, directors serving publicly traded companies should review how the board organizes its oversight of cybersecurity risk and engages with senior management to ultimately enact strategy. These evaluations should be conducted on a regular basis, regardless of the SEC’s final decision, as the cyber threat landscape is constantly changing, and attacks are becoming more sophisticated and relentless.
Our information security health check service offers a detailed evaluation of your current cybersecurity posture, providing valuable insights and recommendations to help you address industry standards, leading practices, and the recently proposed SEC cybersecurity guidance, while also embracing components of the National Association of Corporate Directors guidance on the role of the Board of Directors. Our assessments are based on widely adopted frameworks such as NIST CSF and ISO 27000, giving you the peace of mind that your organization’s security measures are in line with the latest industry standards.
Additionally, as part of our service, we will conduct a thorough assessment of your organization’s cybersecurity maturity level. This will enable you to identify key areas for improvement, prioritize your distinct efforts, and develop a comprehensive plan for the future. This analysis will give you a clear understanding of your organization’s strengths and weaknesses, helping you to make informed decisions and allocate resources effectively.
Our team of experts can assist your organization in understanding the proposed SEC changes and implementing effective strategies to comply with the upcoming new requirements. Please feel welcome to book a consultation with us via ideas@makinsights.com or through Calendly [ https://www.calendly.com/create-insights ].