U.S. SEC Moves to Tighten Security on the Industry's "Digital Doors"

April 25, 2022
  • Investor Services
BBH’s Adrian Whelan looks at three significant points from the SEC’s recent proposals for new cybersecurity related rules.

3.5 million. I did a double take when I saw this figure, which represents the number of unfilled cybersecurity job vacancies Cybercrime Magazine1 suggests will exist globally by 2025. Then again, for the past several years, cybercrimes and data breaches across industry, governments, and between people have risen drastically. With digitization changing our work and personal lives since the Pandemic, the increased prevalence of cloud-based business models and the added concern of geo-political conflict and war, society is rightly bolstering against cyber threats.

The current threat is so prevalent that it recently prompted U.S. President Joe Biden to raise it loudly to the private sector as a national security concern.

Most of America’s critical infrastructure is owned and operated by the private sector and critical infrastructure owners and operators must accelerate efforts to lock their digital doors”

Given the wider societal concerns, it’s not surprising that regulators too have bumped cybersecurity to near the top of their own list of priorities. Well publicized hacks, phishing and denial of service attacks2 continue to occur with victims ranging from public companies to government institutions to individuals. In March 2022, the U.S. Securities and Exchange Commission (SEC) moved to propose new cybersecurity related rules. Here are three significant points from the SEC proposals:

1. Reporting Urgency

The new rules require much more detail and greater urgency to the reporting of material cybersecurity incidents. The requirement to disclose such events within a four-day limit significantly moves the dial in terms of time to assess and report when an event occurs and is a challenge to anyone required to report. Some comfort may be found in the fact that the trigger for the four-day reporting period is when a company makes the materiality determination, not when the incident is discovered, but regardless, timelines remain tight to adhere to the SEC’s new deadline.

One of the reasons behind the timebound reporting is that increasingly regulators want to have a sense of whether an incident is specific to a company or a systemic assault on the market. It is a huge consideration, but currently the SEC has no real way of knowing because there is no formal reporting regime in place. This systemic risk is increased where geo-political conflict is on the rise and nation state actors look to use cyber as an instrument of war.

2. Reporting Detail

The level of reporting detail is also greatly enhanced with reporting entities having to specify when the incident was discovered, a description of what happened, whether data was stolen or abused, the effect of the incident on the company’s overall operations and whether the problem has been resolved. However, the new rules do not require companies to release technical information about their response or cybersecurity systems.

The incident disclosure rule takes precedence over other considerations, such as an ongoing investigation by law enforcement. The SEC said it is “critical to investor protection and well-functioning, orderly, and efficient markets that investors promptly receive information regarding material cybersecurity incidents.”

Some companies have expressed concerns that by requiring disclosure of their cyber incidents so quickly, it could give wrongdoers a chance to exploit existing vulnerabilities before they are patched or resolved. In addition, there are worries that with two or more reports of cyber deficiencies, companies could become marked for attack or that by making some information public they could unintentionally provide a playbook to potential hackers.

The new rules also add various qualitative disclosure requirements to companies’ quarterly and annual reports as part of Regulation S-K.3 Companies would have to disclose any material changes or additions within their 8-K filings. These disclosures generally request an outline of policies and procedures to identify, manage, and report on cybersecurity risks – including board and managerial responsibilities, competencies within the firm, or use of third-party expertise utilized to conduct risk assessments.

The proposed method of reporting will also allow for comparability since disclosures will be of consistent format and the information submitted in Inline XBRL format.

3. Greater Accountability

The SEC measures may require companies to examine whether they have sufficient safeguards in place in connection with their use of third-party providers, which are used to process record keeping and dissemination of documentation. The topic of oversight of outsourcing models and operational resiliency of third-party service providers is already an area of intense regulatory focus and one which the SEC embraces within these cybersecurity proposals. It is a classic case of the chain only being as strong as its weakest link when it comes to cyber defenses.

Another change would require disclosures about the role of the board of directors in cybersecurity management, such as whether specific board members have responsibility for managing cybersecurity risks and how the board is told about risks when they occur. The cybersecurity expertise of directors would also have to be publicly disclosed in their filings. Financial services firms may not have specific cybersecurity competency in-house or on the board but will the future dictate that this is a “must-have” rather than a “nice-to-have”, or are the days of fully outsourcing cybersecurity competency to third parties over?

Many managers already have experienced cybersecurity teams in place. But the new rules will require the firm to report on the governance process of disseminating risk information up through the business lines to the board of directors. The new SEC rules bring cybersecurity into much greater scrutiny because they mandate individual accountability, which has been voluntary up to this point. Senior executives can delegate cybersecurity tasks but not the responsibility for carrying them out.

The SEC proposals will likely draw much scrutiny within the comment period, which runs to May 9, 2022, as the U.S. capital markets look to ensure tighter security around their digital doors.

Neither Brown Brothers Harriman, its affiliates, nor its financial professionals, render legal advice. Please consult with attorney for advice concerning your particular circumstances.

Up Next
Up Next

Gensler's Huge Year Ahead

As the U.S. Securities and Exchange Commission pursues an agenda more aggressive than we have seen from the market watchdog in decades, its leader must find a delicate balance between fostering market growth and innovation with investor protection principles.


1 https://cybersecurityventures.com/jobs/
Regulation S-K is a prescribed regulation under the US Securities Act of 1933 that lays out reporting requirements for various SEC filings used by public entities

Brown Brothers Harriman & Co. (“BBH”) may be used to reference the company as a whole and/or its various subsidiaries generally. This material and any products or services may be issued or provided in multiple jurisdictions by duly authorized and regulated subsidiaries.This material is for general information and reference purposes only and does not constitute legal, tax or investment advice and is not intended as an offer to sell, or a solicitation to buy securities, services or investment products. Any reference to tax matters is not intended to be used, and may not be used, for purposes of avoiding penalties under the U.S. Internal Revenue Code, or other applicable tax regimes, or for promotion, marketing or recommendation to third parties. All information has been obtained from sources believed to be reliable, but accuracy is not guaranteed, and reliance should not be placed on the information presented. This material may not be reproduced, copied or transmitted, or any of the content disclosed to third parties, without the permission of BBH. All trademarks and service marks included are the property of BBH or their respective owners.© Brown Brothers Harriman & Co. 2022. All rights reserved. IS-08070-2022-04-19

As of June 15, 2022 Internet Explorer 11 is not supported by BBH.com.

Important Information for Non-U.S. Residents

You are required to read the following important information, which, in conjunction with the Terms and Conditions, governs your use of this website. Your use of this website and its contents constitute your acceptance of this information and those Terms and Conditions. If you do not agree with this information and the Terms and Conditions, you should immediately cease use of this website. The contents of this website have not been prepared for the benefit of investors outside of the United States. This website is not intended as a solicitation of the purchase or sale of any security or other financial instrument or any investment management services for any investor who resides in a jurisdiction other than the United States1. As a general matter, Brown Brothers Harriman & Co. and its subsidiaries (“BBH”) is not licensed or registered to solicit prospective investors and offer investment advisory services in jurisdictions outside of the United States. The information on this website is not intended to be distributed to, directed at or used by any person or entity in any jurisdiction or country where such distribution or use would be contrary to law or regulation. Persons in respect of whom such prohibitions apply must not access the website.  Under certain circumstances, BBH may provide services to investors located outside of the United States in accordance with applicable law. The conditions under which such services may be provided will be analyzed on a case-by-case basis by BBH. BBH will only accept investors from such jurisdictions or countries where it has made a determination that such an arrangement or relationship is permissible under the laws of that jurisdiction or country. The existence of this website is not intended to be a substitute for the type of analysis described above and is not intended as a solicitation of or recommendation to any prospective investor, including those located outside of the United States. Certain BBH products or services may not be available in certain jurisdictions. By choosing to access this website from any location other than the United States, you accept full responsibility for compliance with all local laws. The website contains content that has been obtained from sources that BBH believes to be reliable as of the date presented; however, BBH cannot guarantee the accuracy of such content, assure its completeness, or warrant that such information will not be changed. The content contained herein is current as of the date of issuance and is subject to change without notice. The website’s content does not constitute investment advice and should not be used as the basis for any investment decision. There is no guarantee that any investment objectives, expectations, targets described in this website or the  performance or profitability of any investment will be achieved. You understand that investing in securities and other financial instruments involves risks that may affect the value of the securities and may result in losses, including the potential loss of the principal invested, and you assume and are able to bear all such risks.  In no event shall BBH or any other affiliated party be liable for any direct, incidental, special, consequential, indirect, lost profits, loss of business or data, or punitive damages arising out of your use of this website. By clicking accept, you confirm that you accept  to the above Important Information along with Terms and Conditions.

1BBH sponsors UCITS Funds registered in Luxembourg, in certain jurisdictions. For information on those funds, please see bbhluxembourgfunds.com

captcha image

Type in the word seen on the picture

I am a current investor in another jurisdiction