What do the SEC’s New Cybersecurity Risk Guidelines Mean for you as a Board Member?
This week, the Securities and Exchange Commission (SEC) published updated interpretive guidance on cybersecurity disclosure requirements for public companies.
Following significant post-breach reporting delays from SEC-regulated entities, including Yahoo and Equifax, the Commission clearly desires to standardize cyber disclosure practices surrounding impactful cyber events. As noted in the interpretation, “[T]he Commission believes that it is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion.” The investing community and public at large should welcome this standardization as a step in the right direction for fair markets.
The more interesting component of the SEC guidance, however, is the following: “Companies should consider the materiality of cybersecurity risks and incidents when preparing the disclosure that is required in registrations statements under the Securities Act of 1933 … and the Securities Exchange Act of 1934.” Here, the SEC is speaking to general ongoing risk factor identification as opposed to specific post-incident disclosures. The Commission believes that firms must identify and disclose possible risk events even if they haven’t suffered a breach. This is a sea change in the regulatory view of cybersecurity. The SEC is pointing out that it’s no longer good enough to purchase technology controls and meet compliance mandates. By forcing companies to identify and publish their ongoing cyber risks, they are elevating cybersecurity to a risk-based duty of care model, requiring an understanding and articulation of best practices at the Board level. The Commission is pointing squarely at the Board of Directors and elevating cyber program management from the IT department to the highest levels of the corporation.
Axio’s CEO, Scott Kannry, wrote about this just last October:
Cybersecurity should be at the top of every upcoming executive and board of directors meeting. Rather it must be: the reality is that serious cyber events are inevitable, because technology is not failsafe, humans are fallible, and a host of other reasons in between. But the appropriate discussions and retrospectives on these events should not be entirely focused on patching every single vulnerability and demanding at all costs that “something similar must never happen to us.”
What must board members understand about the new disclosure requirements? First, the good news – they are not technology-based. This will not require board members to become experts in the latest cybersecurity technology. They are ‘risk-based’, which means that they require a more holistic approach, and that the current paradigm of assessments, technology controls, and compliance frameworks is clearly not enough to satisfy the SEC guidance. Maintaining accurate risk disclosures requires a dynamic cyber risk management program. In our view, the following four components of a cybersecurity program allow companies to meet this hurdle, and Board members to confidently sign off on these disclosures:
- Quantify your exposure in financial terms. As the SEC notes, “The materiality of cybersecurity risks or incidents depends upon their nature, extent, and potential magnitude…[and] also depends on the range of harm that such incidents could cause.”
- Evaluate the caliber of your current cyber program within a maturity-based framework. This approach recognizes that cyber risk and maturity is dynamic and allows a company to evolve continually as the cyber landscape changes. Compliance standards can act as a floor, but they do not appear sufficient to meet the SEC guidance that “[w]here a company has become aware of a cybersecurity … risk that would be material to its investors, we would expect it to make appropriate disclosure timely and sufficiently prior to the offer and sale of securities.”
- Maintain adequate insurance and reserves to recover from a cyber incident. This goes hand in hand with required public disclosures, as firms utilizing this approach will naturally manage their financial risk to appropriate levels on an ongoing basis. Steps one and two inform the proper levels of financial defense on a dynamic basis.
- Benchmark your performance against your peers. Cyber risk management is ultimately in the public interest, and the ability to measure your current program against both an internal target state and your peers will be a significant input in determining whether a Board has met its duties with respect to cyber risk.
When these four key components of cyber risk management have been employed on an ongoing basis, a Board can confidently say to the public markets, “We know what our risk profile looks like, we have an updated analysis of our program maturity, our financial controls are adequate to survive a cyber incident, and our overall program is in the top 10% of our industry group.”
We applaud the SEC guidance and look forward to a world where Boards, executive teams, risk managers, and technologists embrace this comprehensive risk- and maturity-based approach to cyber program management.