New SEC Rules Mandate Cybersecurity Disclosure

Published on February 26th, 2023


What Is The Proposed SEC Cybersecurity Disclosure Rule and Why Is It Important?

It’s rare that a day goes by without cybersecurity and resilience making the news in one form or another: a new ransomware strain that encrypts victims’ files, a geopolitical development likely to drive a surge in threat activity, or a third-party service provider, unknowingly compromised, that held personally identifiable information (PII) on behalf of well-known (or not-so-well-known) entities. Looking back over just the last several weeks, most of us can recall several such events, whether or not we are cybersecurity professionals.

 

Against this dynamic cybersecurity landscape, regulatory bodies have continued to issue frameworks, advice and guidelines for particular industries and activities. Recent examples include the FDIC, OCC and Federal Reserve jointly adopting computer-security incident notification requirements for their covered banking organizations, which took effect in 2022. The SEC, however, has taken a broader approach: on March 9, 2022, it issued a proposed rule that would apply to more than 8,000 domestic and foreign public company registrants, aimed at strengthening cybersecurity governance and transparency.

 

The proposed cybersecurity disclosure rule has three main components: incident disclosure, cybersecurity risk management and governance program disclosure, and disclosure of the Board of Directors’ cybersecurity expertise and oversight.

 

Specifically, the proposal would:

 

  • Require current reporting about material cybersecurity incidents on Form 8-K, within four business days of the registrant’s determination that the incident is material;
  • Require periodic disclosures regarding, among other things:
    • A registrant’s policies and procedures to identify and manage cybersecurity risks;
    • Management’s role in implementing cybersecurity policies and procedures;
    • Board of directors’ cybersecurity expertise, if any, and its oversight of cybersecurity risk; and
    • Updates about previously reported material cybersecurity incidents; and
  • Require the cybersecurity disclosures to be presented in Inline eXtensible Business Reporting Language (Inline XBRL).

 





Our Perspective

Cybersecurity continues to be top of mind across industries. We have seen recent cybersecurity-focused SEC proposals aimed at registered investment advisers and funds, but this proposed rule removes the industry lens and speaks to the ongoing importance of corporate governance and security awareness for every public company. For instance, the specific disclosure elements highlight the need for cybersecurity experience and training directly within the Board of Directors.

 

The proposed rules center on leading practices that organizations should strive to achieve even where no regulation requires them. The ruleset emphasizes scalable programs that treat cybersecurity as a business enabler rather than an afterthought, and while the details of the final rule may differ from the proposal, the underlying principles of risk management, governance, resilience and attention to third parties are core elements of any mature cybersecurity program and can’t be ignored.

 

The time to act is now. Starting a programmatic approach today will position an organization to be ready when the disclosure rules are finalized. Because the proposed rules are wide-ranging and touch multiple facets of a cybersecurity program, organizations that delay an integrated approach will have to play catch-up across many areas, including:

 

  • Cybersecurity risk assessment policies, procedures and outcomes
  • Third-party vendor management, including the risk frameworks that must be embedded within company policies and procedures to identify the cybersecurity risks arising from the use of third parties
  • Actions undertaken to prevent, detect and minimize effects of cybersecurity incidents
  • Business resilience activities, including incident response
  • Understanding the feedback loop to leverage prior information and incidents to enhance the overall cybersecurity program (people, process, technology and analytics)
  • Integration of cybersecurity risk management within the enterprise strategy

 

As the trusted cybersecurity partner for many leading organizations, our goal is to highlight these elements early to drive awareness and promote cybersecurity across the enterprise. With these proposed rules affecting both financial reporting and operational activities, there has never been a more important time to elevate the cybersecurity conversation within your organization.

 

Optiv stands ready to help. Please don’t hesitate to contact us at info@optiv.com.
