Given the wider societal concerns, it’s not surprising that regulators too have bumped cybersecurity to near the top of their own list of priorities. Well-publicized hacks, phishing and denial of service attacks continue to occur, with victims ranging from public companies to government institutions to individuals. In March 2022, the U.S. Securities and Exchange Commission (SEC) moved to propose new cybersecurity-related rules. Here are three significant points from the SEC proposals:
1. Reporting Urgency
The new rules require much more detail and greater urgency in the reporting of material cybersecurity incidents. The requirement to disclose such events within a four-day limit significantly moves the dial in terms of the time available to assess and report when an event occurs, and is a challenge to anyone required to report. Some comfort may be found in the fact that the trigger for the four-day reporting period is when a company makes the materiality determination, not when the incident is discovered, but regardless, timelines remain tight to adhere to the SEC’s new deadline.
One of the reasons behind the time-bound reporting is that regulators increasingly want to have a sense of whether an incident is specific to a company or a systemic assault on the market. It is a huge consideration, but currently the SEC has no real way of knowing because there is no formal reporting regime in place. This systemic risk is increased where geopolitical conflict is on the rise and nation state actors look to use cyber as an instrument of war.
2. Reporting Detail
The level of reporting detail is also greatly enhanced with reporting entities having to specify when the incident was discovered, a description of what happened, whether data was stolen or abused, the effect of the incident on the company’s overall operations and whether the problem has been resolved. However, the new rules do not require companies to release technical information about their response or cybersecurity systems.
The incident disclosure rule takes precedence over other considerations, such as an ongoing investigation by law enforcement. The SEC said it is “critical to investor protection and well-functioning, orderly, and efficient markets that investors promptly receive information regarding material cybersecurity incidents.”
Some companies have expressed concerns that by requiring disclosure of their cyber incidents so quickly, it could give wrongdoers a chance to exploit existing vulnerabilities before they are patched or resolved. In addition, there are worries that with two or more reports of cyber deficiencies, companies could become marked for attack or that by making some information public they could unintentionally provide a playbook to potential hackers.
The new rules also add various qualitative disclosure requirements to companies’ quarterly and annual reports as part of Regulation S-K. Companies would have to disclose any material changes or additions within their 8-K filings. These disclosures generally request an outline of policies and procedures to identify, manage, and report on cybersecurity risks – including board and managerial responsibilities, competencies within the firm, or use of third-party expertise to conduct risk assessments.
The proposed method of reporting will also allow for comparability since disclosures will be of consistent format and the information submitted in Inline XBRL format.
3. Greater Accountability
The SEC measures may require companies to examine whether they have sufficient safeguards in place in connection with their use of third-party providers, which are used to process record keeping and the dissemination of documentation. The topic of oversight of outsourcing models and the operational resiliency of third-party service providers is already an area of intense regulatory focus and one which the SEC embraces within these cybersecurity proposals. It is a classic case of the chain only being as strong as its weakest link when it comes to cyber defenses.
Another change would require disclosures about the role of the board of directors in cybersecurity management, such as whether specific board members have responsibility for managing cybersecurity risks and how the board is told about risks when they occur. The cybersecurity expertise of directors would also have to be publicly disclosed in their filings. Financial services firms may not have specific cybersecurity competency in-house or on the board but will the future dictate that this is a “must-have” rather than a “nice-to-have”, or are the days of fully outsourcing cybersecurity competency to third parties over?
Many managers already have experienced cybersecurity teams in place. But the new rules will require the firm to report on the governance process of disseminating risk information up through the business lines to the board of directors. The new SEC rules bring cybersecurity into much greater scrutiny because they mandate individual accountability, which has been voluntary up to this point. Senior executives can delegate cybersecurity tasks but not the responsibility for carrying them out.
The SEC proposals will likely draw much scrutiny within the comment period, which runs to May 9, 2022, as the U.S. capital markets look to ensure tighter security around their digital doors.
Neither Brown Brothers Harriman, its affiliates, nor its financial professionals render legal advice. Please consult with an attorney for advice concerning your particular circumstances.