Navigating the Impact of SEC Cybersecurity Rules on Businesses and Investors

By Chris Hughes | August 24, 2023 | Updated: August 24, 2023 | 4 Mins Read

If you’ve been paying attention to technology news lately, you’ve likely heard rumblings about the Securities and Exchange Commission (SEC) rule changes that occurred in July. You may be wondering what all the fuss is about, what led to these rule changes, and what these changes mean moving forward.

I’m going to unpack all of it here for you, so buckle up!

How Did the SEC Get Here?

It’s no secret that people and the businesses that serve them are undergoing rapid digital transformations. One can see this shift in various facets of life, from personal leisure activities to business operations. Even critical infrastructure, which is essential for the functioning of a society, now relies heavily on digital advances.

The SEC acknowledged this new reality when implementing its cybersecurity rule changes, citing factors such as business operations becoming more reliant on software; increased adoption of remote work; and rising occurrences of cybersecurity incidents, as well as financial gains from cybercrime activities. All these factors culminated in calls for bolstering the rules for publicly traded companies to enhance market and investor transparency. These demands align with similar themes of transparency from federal agencies and the White House, including the Cybersecurity Executive Order.

How Have SEC Cybersecurity Rules Changed?

The final rules included two key components. The first focuses on enhancing transparency around cybersecurity incidents, particularly those deemed “material.” Material has been defined as something that a reasonable shareholder would consider important, such as incidents that could have ramifications for customers, revenue, and so on.

These incidents will be disclosed under a new Item 1.05 of Form 8-K. The disclosure must describe the incident’s nature, scope, and timing, as well as its material impact on the organization and its associated operations. This information is of interest to existing and potential investors and stakeholders because of the potential financial impact of cybersecurity incidents.

The incident disclosure must occur within four days following its discovery and once it has been deemed to be a material incident. One caveat is the U.S. attorney general’s ability to delay disclosures if they could have an impact on national security or public safety. Another is that organizations rarely identify an incident immediately upon its occurrence; there is often a period of “dwell time,” which is the time that malicious actors may dwell in an environment before their nefarious activities are discovered. The median dwell time as reported by groups such as Mandiant is around three weeks, but it can be as high as several hundred days.

The second component of the SEC’s rules is S-K Item 106, which requires organizations to disclose their processes for identifying, assessing, and managing material risks related to cybersecurity threats. S-K Item 106 also requires organizations to disclose board- and management-level oversight of risks related to cybersecurity threats, as well as management’s role and expertise in assessing these cybersecurity threats. These rules are important for a variety of reasons, including the fact that organizations can’t identify and disclose material cybersecurity incidents effectively without established processes and capabilities. Proper oversight must start at the top. 

Cybersecurity Governance and Board Accountability

The originally proposed rules included requirements for firms to disclose any cybersecurity expertise on the board. This information would have been valuable to some investors and shareholders, who might have used it either to rally around firms with solid cybersecurity leadership or, as part of an incident post-mortem, to see whether the firm had appropriate leadership providing cybersecurity oversight. It likely would have encouraged firms to include cybersecurity expertise in the boardroom.

Some have argued that the final version of the rules that got accepted let the board off the hook with regard to cybersecurity governance and oversight. That said, few are arguing that the final rules aren’t, at minimum, a step in the right direction.

Final Thoughts

If you’re looking for a quick summary of the rule changes directly from the SEC, it published a concise two-page document that helps lay out the background, the rule changes, and what comes next.

The SEC’s final rule changes for cybersecurity make it clear that regulators are increasingly acknowledging the role cybersecurity plays in today’s economy. “We aren’t a technology company” is a phrase that has fallen by the wayside, as nearly every organization is wielding technology to effectively serve its customers and run business operations, all of which must be underpinned by the cybersecurity of that digital infrastructure.

It’s safe to say that these won’t be the last rules that add requirements related to cybersecurity for publicly traded companies, so stay tuned!


Chris Hughes is a Cloud Wars Analyst focusing on the critical intersection of cloud technology and cybersecurity. As co-founder and CEO of Aquia, Chris draws on nearly 20 years of IT and cybersecurity experience across both public and private sectors, including service with the U.S. Air Force and leadership roles within FedRAMP. In addition to his work in the field, Chris is an adjunct professor in cybersecurity and actively contributes to industry groups like the Cloud Security Alliance. His expertise and certifications in cloud security for AWS and Azure help organizations navigate secure cloud migrations and transformations.
