New SEC cyber rules will force businesses to think beyond IT security

The U.S. Securities and Exchange Commission (SEC) is expected to finalize new rules on cybersecurity risk management in the coming months. The rules will require every publicly traded company to file disclosures with descriptions of their security strategy, governance, and risk management.

Companies will need to explain to shareholders how they assess cyber risk, describe their security policies, rapidly report material cyber incidents and demonstrate a significant level of board oversight on cybersecurity issues. 

The SEC rules are qualitatively different from existing cyber regulatory frameworks, such as HIPAA and PCI DSS, which skew toward enforcing technical controls handled by the IT department. The SEC rules, in contrast, demand that C-suites and boards demonstrate a strategic approach to managing cyber risk. 

Into the Spotlight

The consequence of poor compliance is significant – no longer a ding on a regulatory audit, but instead a potential loss of shareholder confidence. 

By requiring narrative discussions in SEC filings, the rules will leave it to investors and the public to judge the thoughtfulness of the firm’s security strategy. Suddenly, a company’s security posture will be a major subject of analysis on Wall Street and an ingredient in picking market winners. 

It should be expected that the first set of filings to include cyber disclosures will be heavily scrutinized. Analysts will be able to determine which companies have rigorous security risk management in place and identify those who are attempting to skate by. 

To prepare for the looming rules, CEOs, CISOs, and board directors should ask themselves four key questions. If explored in sufficient depth, these questions will guide thoughtful disclosures that demonstrate the forward leaning approach to cyber risk that investors want to see.  

Are We Assessing
Risk Comprehensively?

Most cyber risk assessments are conducted at a tactical level and produce results that are helpful for CISOs and their cybersecurity teams, but of limited utility to executive decision makers. 

They tend to be highly technical in nature – exploring the vulnerabilities in a particular information system, for example.

Cyber risk assessments rarely look beyond IT to adequately assess broader drivers of cyber risk, which include economics, geopolitics, social attitudes, government policies and emerging technologies. Nor do they look across the enterprise to examine how cyber risk may be heightened by certain business decisions or weak security practices in other domains, such as physical security, insider risk and crisis management. 

As companies begin to disclose descriptions of their cybersecurity risk assessment programs, these shortcomings will become evident. Shrewd investors will ask, and then demand, that cyber risk assessment become more comprehensive.

To meet the call, companies should implement strategic risk assessment programs that assess enterprise-wide threats, vulnerabilities, trends and drivers. They might consider, for example, how the company’s industry exposes it to greater risk from nation-state attacks, or how the business’s culture affects levels of security consciousness among employees. 

These assessments should be multidisciplinary, pulling input from various business units, leveraging expertise in financial, political, and operational risk, and contemplating impacts to the company's business, operations, and financial condition.  

How Mature is Our Cybersecurity, Really?

The cybersecurity field has an alphabet soup of maturity models – CSF, CMMI, COBIT, ESRM, etc. – meant to assess an organization’s overall ability to manage cyber risk. These tools should be employed by companies preparing for the SEC rule release. 

A common theme across them is that maturity is largely synonymous with continuous improvement and cross-enterprise coordination. In practice, though, organizations rarely take a true organization-wide approach. Instead, cybersecurity policies and procedures are left to the CISO’s office, which traditionally has limited influence across the broader business. 

Disclosures, which must detail policies and procedures on a wide range of issues – intellectual property theft; fraud; business continuity; third party risk management; legal, litigation, and reputational risk – will necessarily involve a wide swath of corporate stakeholders. 

Legal counsel, human resources, facilities, physical security, communications, vendor relations and government relations, to name a few. When considering how to file disclosures, companies should go beyond a rote list of policies and explain how the organization’s business units collaborate on a holistic approach to cyber risk. 

One best practice is to stand up a security working group or steering committee – and it is critical that its scope be appropriately broad to consider issues beyond traditional IT security. 

How Are We Handling Incident Reporting?

Once the new rules go into effect, listed companies will be required to file reports with the SEC every time a material cyber incident impacts their business. The reports must be filed within four days once the company has deemed an incident to be "material,” a determination influenced by the incident’s impact to the company's business, operations and financial condition.  

Rapidly determining the materiality of every cyber incident and streamlining reporting to regulators will require many companies to develop a significantly more robust incident response and management process. 

Most importantly, incident reporting must seamlessly integrate business and financial factors that could contribute to an incident’s materiality. Businesses will need to quickly assess and calculate costs incurred due to: 

• Business interruption
• Decreases in production and delays in product launches
• Payments to meet ransom and other extortion demands 
• Incident remediation costs
• Increased cybersecurity protection costs (e.g.,  increased insurance premiums, organizational overhauls)
• Lost revenues from intellectual property theft
• Post-breach legal expenses
• Employee harm and long-term impacts to brand, reputation and shareholder value.

Is Security Aligned
with the Business?

The disconnect between cybersecurity and the business seems to have only worsened with time. Many companies have large and sprawling cybersecurity operations that function with little tether to the company’s top management. 

These teams have developed their own language and ways of working and, for many years, C-suites and boards have been content to mostly ignore them. As cyber-attacks have become increasingly destructive and newsworthy, the lack of oversight and accountability has become glaring. 

The SEC rules are focused on closing this gap. They seek to enforce this through disclosure requirements on how the board of directors oversees cyber risk management and how reporting chains ensure a two-way flow of information on cyber issues. 

In addition to ensuring a regular cadence of briefings and meetings, companies should put new programs in place to deepen board members’ understanding of cybersecurity and, conversely, cybersecurity practitioners’ understanding of core business concepts. 

Meanwhile, as cyber risk assessment and maturity analysis go deeper into non-IT areas, businesses will benefit from more natural synergies between security and the business. 

The SEC rules are a sign of things to come. In the wake of high-profile hacks against Colonial Pipeline and SolarWinds, and mounting threats from China, Russia and other foreign powers, the federal government is poised to take a much harder regulatory approach to corporate security. 

The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) and the implementation of the Biden administration’s National Cybersecurity Strategy will put further pressure on the private sector to take a proactive approach to cyber risk. This should represent a call to action by the cybersecurity community towards advancing business, operational, and financial alignment to cybersecurity threats.