After several months of anticipation, the SEC finally voted to adopt new cyber rules for publicly traded companies. This piece provides a high-level summary of the rules and advice for CISOs on next steps.
SEC Cyber Rules
The SEC has voted to adopt new rules requiring publicly traded companies to enhance and standardize disclosures of ‘material’ cyber incidents. Under the new rules:
- Companies will be required to file a Form 8-K to report material cyber incidents within four days of determining that an incident will have a material impact:
- The SEC “streamlined” its requirements to focus more on the potential effects of a cyberattack, rather than the technical details.
- The U.S. Attorney General may request a reporting delay of 30 days if immediate disclosure could have national-security or public-safety concerns.
- In a change from the proposed rules, companies won’t need to disclose their boards’ cyber expertise, but will need to describe their board’s process for overseeing cyber risks.
- The SEC’s final rules will take effect 30 days following publication in the Federal Register.
- As of Dec. 15, 2023, companies must also begin describing their process for identifying material cyber incidents in their annual SEC reports.
The SEC scrapped a provision requiring companies to disclose board members’ cyber expertise; however, directors must still exercise oversight of cybersecurity risk management processes & those processes must be detailed in annual reports.
George Gerchow, IANS Faculty maintains that the ruling is a great step towards achieving the accountability needed to protect both consumers and the investor community:
“The reality is that most companies are ill-prepared to meet the requirement of reporting an incident of material impact within four days. One thing to note is that this ruling doesn’t require the reporting of technical details, but in the
event of a breach, it will inevitably come down to tech at some point -- and no company is prepared for that. While we are still waiting what the penalties for failing to report will be, we can assume from incidents like Uber and SolarWinds that it
will lead to a DoJ situation where individuals’ jobs will be on the line.”
Next Steps for CISOs
For CISOs, we recommend the following:
- Revisiting current incident disclosure policies & compare them with the new regulations.
- Discussing what “material” incidents mean to your org & practice disclosures.
- Educating executives on the changes & what they mean for the business.
- Reviewing board oversight structure & responsibilities on cyber matters.
- Holding tabletops to educate management team & the board to prepare for cyber incidents.
- Using analytics to better understand the financial implications of your organization’s cyber risk exposure.
- Retaining third-party auditors to assess your program.
Are CISOs Ready for the Board?
The new SEC rules give security executives an opportunity to connect security issues to the board’s risk oversight and strategic leadership responsibilities. In its ruling, the SEC re-emphasized the materiality of cyber risk, and the rules create
an opportunity to elevate cyber’s roles in the business, the board’s role in cyber oversight as well as cyber expertise on public boards.
However, in our research study, we found a majority of CISOs lack the broad business experience
and advanced degrees that are commonly sought for board membership - only 32% of Russell 1000 CISOs have professional experience outside of cybersecurity & 38% have an advanced degree. On most boards, cyber understanding is insufficient and our
study also reveals most companies lack even a single board director with cybersecurity expertise. CISOs appear to be logical candidates to fill this gap, but the question is whether CISOs possess the qualifications to serve as effective board members.
For CISOs, more work is required to prepare for a board position. Here are the traits boards seek:
- Broad experience: A holistic understanding of the business, able to distill data & make decisions.
- Scale: A global perspective and ability to navigate a wide array of stakeholders.
- Advanced education: Enhances credibility of the board with external stakeholders.
- Diversity: Brings different perspectives to help identify blind spots.
- Infosec tenure: Deep domain expertise, able to ask the right questions & challenge assumptions.
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in
connection with such information, opinions, or advice.