According to a press release yesterday from the United States Securities and Exchange Commission (SEC), the agency has "adopted rules requiring registrants to disclose material cybersecurity incidents they experience and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance. The Commission also adopted rules requiring foreign private issuers to make comparable disclosures."
"Whether a company loses a factory in a fire—or millions of files in a cybersecurity incident—it may be material to investors," said SEC Chair Gary Gensler. "Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today's rules will benefit investors, companies, and the markets connecting them.”
Most cybersecurity professionals were expecting the new regulations to go into affect in October of this year, so this news is an eye-opener for CISOs and other business leaders.
[RELATED: SEC to Put More Onus on Corporate Boards for Cybersecurity]
Jerry Perullo, Cybersecurity Advisor, Founder, and Professor, added this perspective on the news in a LinkedIn post:
"I'm pleased to see thoughtful consideration of the comments many of us submitted. Key takeaways and changes from the original proposal include:
- The 4-day timeline for incident disclosure remains, but requirements wisely shift from details on the incident to a focus on material impact.
- The Commission migrated from 'policies and procedures' to 'processes' on program disclosure. This will free organizations to keep policies focused on practical, specific details that are relevant to the audiences bound by them and avoid the trend of policies becoming static marketing documents.
- The final rule is far less prescriptive in the program elements required for disclosure, adopting a more principle-based approach that will allow a variety of approaches to satisfy the spirit of articulating a risk management approach. Given the fast-changing nature of adversarial threats, this should allow firms to operate adaptive programs that can quickly pivot in response to changing threats.
- The Commission prudently rejected calls for mandated cyber risk quantification.
- There is a carve-out for incident disclosures that could pose risks to national security or public safety.
- The confusing concept of immaterial incidents 'aggregating' into a material issue has been removed.
- There will not be a requirement to disclose whether a firm has a CISO, given broader requirements to disclose the positions or committees responsible for managing cyber risk. While my opinion may run contrary to those of many CISOs, I believe many registrant firms can manage cyber risk effectively with cross-functional non-CISO management if adequately informed and empowered.
- The requirement to disclose 'the cybersecurity expertise, if any, of a registrant's board members' has been rejected. While I selfishly might have seen this proposal as helpful to my own corporate governance work, I agree with the Commission that a broader principle-based disclosure of cyber risk management processes will empower organizations to feature cyber expertise on the Board when it is appropriate for that firm's risk profile while not diminishing the credentials and risk management abilities of Directors without formal cyber-specific experience.
- Smaller companies are not exempted from these rules. I feel this is entirely appropriate given the modifications made throughout the ruleset to give companies of varying size and, more importantly, risk level to adopt and assert appropriate processes for compliance.
In sum, I'm absolutely pleased with the rulemaking process and final result here. Well done, U.S. Securities and Exchange Commission."
[RELATED: Less than 10% of Fortune 500 Ready for New SEC Cyber Regulations]
The new regulations were approved by a 3-2 vote.
A few days prior to the vote, Nakul Goenka, Founder of the Houston Legal Tech Association, wrote this post on LinkedIn breaking down the implications of the now-enacted regulations.
"There are five main disclosure requirements which the SEC is proposing:
1. Reporting of 'material' cybersecurity incidents.
2. Ongoing reporting of 'material' cybersecurity incidents.
3. Disclosures of cybersecurity policies, governance and management.
4. Disclosure if any Director has cybersecurity expertise.
5. Disclosure for foreign private issuers."
Check out the article for specifics to all five disclosure requirements.
Brian Walker, Founder and CEO of The CAP Group, had this to say in a LinkedIn post:
"Today's SEC vote requiring material breach disclosures appears to mostly affect CISOs and leadership teams more than board directors but disclosure rules have major implications for all stakeholders.
According to World Economic Forum's Global Security Outlook, 14 market days after a security breach goes public, average share price bottoms out and underperforms NASDAQ by -3.5% and even 6 months later is still -3.0% under the NASDAQ.
While it seems the SEC is taking a cyber reporting path that aligns more with operational security than governance, investors and the general public will likely continue to monitor companies' cyber governance expertise to mitigate the financial and reputational risk related to breach disclosures."
[RELATED: InfoSec Leaders Weigh in on New SEC Rules Making CISO Hotseat Hotter]
