The Securities and Exchange Commission (SEC) is set to put in place a new set of directives that will make organizations more accountable for their cybersecurity measures and activities. The move is intended to shore up investor confidence by providing greater transparency about the cybersecurity fabric of the organization. It is also aimed at ensuring organizational health and, as a consequence, market and economic stability.
The Commission released an advisory to that effect, seeking responses from organizations that would help formulate the rules. The rules, which are expected to come into force by Sep 2022, will apply to all public companies that are subject to the reporting requirements of the Securities Exchange Act of 1934.
The SEC’s new rules will improve on the 2018 Interpretive Release issued by the SEC and the 2011 interpretive guidance (2011 Staff Guidance) issued by the Division of Corporation Finance.
The SEC’s new rules will also cover the gamut of cybersecurity, from the meaning and impact of a cyber incident, the role and responsibility of management towards the organization’s cybersecurity systems, and the manner of reporting on incidents, to suggestions on an organization’s approach to cyber entities in the course of business.
The numbers stack up
The statistics on the increasing presence, growth rate and costs of cybersecurity alone make the case for policy change. The SEC’s advisory cites the increasing role of digital in the US economy. The US Department of Commerce, Bureau of Economic Analysis (BEA) puts the contribution of digital in 2019 at 9.6% of the country’s GDP, one rank below the manufacturing sector, with a growth rate surpassing that of the US economy as a whole [1]. Cybercrime is keeping pace. The phenomenal growth rate of digital was matched by a corresponding increase in cybersecurity attacks, with 2021 witnessing more cyberattacks than the previous year [2] [3].
Finances Online, a leading Business Software Discovery & Research Platform, says in its article on cybercrime statistics that cybercrime costs American companies over half a billion dollars annually. The cost of a data breach also showed an alarming trend, with an increase of 10% over the previous year [4]. Data breaches also compromise millions of user accounts [5].
Why the new rules
Issuing the advisory, the SEC points out that “Public company investors and other participants in the capital markets depend on companies’ use of secure and reliable information systems to conduct their businesses. Since a significant and increasing amount of the world’s economic activities occurs through digital technology and electronic communications, cybersecurity threats and incidents pose an ongoing and escalating risk to public companies, investors, and market participants.”
Small and medium-sized organizations, which are the most frequent targets and which more often than not are forced out of business, are not the only ones facing this menace. The Annual Report of the Council of Economic Advisers (Mar. 2019) states that even Fortune 500 companies, with large resources at their disposal for cyber threat detection, are subject to these attacks [6].
The new rules will also attempt to bring consistency and timeliness to the manner and scale of reporting on cybersecurity incidents, something that has been missing in the past. The SEC’s advisory cites Audit Analytics data for the year 2020, when it took companies an average of 44 days to discover breaches, and then an additional average of 53 days (median 37 days) to disclose a breach after its discovery.
Benefiting from the new rules
The new policies will address these areas of concern. Greater transparency via the proposed policies would benefit a number of entities:
- Investors would gain from more timely and consistent disclosure. This would support their decision-making and confidence and improve their understanding of the registrant’s cybersecurity risk profile. Availability of information would also lower their investment search costs. They would also be able to make informed decisions about securities trading and be less susceptible to market information asymmetry arising from malicious actors acting on delayed or unreported cyber incidents.
- Organizations would reduce losses due to business interruptions, damage to reputation, violation of intellectual property rights, falling share values, possible extortion by cyber criminals, erosion of investor confidence and market competitiveness, litigation costs associated with data breaches, and so on. The new rules are also expected to lower the cost of capital for an organization, especially one invested in the cybersecurity business. Lower capital costs would mean better liquidity and access to capital markets. It is also foreseen that organizations would adopt a better security mindset and approach towards the cybersecurity vendors whose services they use. The proposed rules note that third-party data breaches are on the rise; the Ponemon Research Institute pegs third party-associated breaches at 63% of all breaches [7].
- The new rules are also envisaged to have indirect economic benefits for consumers, who, thanks to the reporting, might be better placed to decide which companies to trust with their personal data. Similarly, companies in the same industry facing similar cybersecurity threats are foreseen to benefit from such reporting.
- The economy as a whole, along with critical infrastructure and national security industries, would be less susceptible to large-scale cybersecurity attacks. It is also foreseen that the new rules would result in greater market and organizational efficiencies and promote competition among firms.
What’s in the box
The SEC’s proposal identifies cybersecurity as the number one threat to business growth and the international economy over the next 5 to 10 years. It does not just offer considerable food for thought to the cybersecurity world; it goes beyond Security Operations Centers (SOCs) and cyber fraud teams by including a management perspective.
Key disclosure touchpoints are:
- Full and timely details of cybersecurity incidents by a registrant within 4 business days of the incident being found to be material (A) (E) (as opposed to the incident being noticed) – amendment to Form 8-K
- Periodic reports of the registrant to be updated with regard to previously reported cybersecurity incidents, including remedial measures taken (B)
- Full explanation of the registrant’s risk management, strategy and governance (C) regarding cybersecurity risk policies and procedures for the identification and management of risks from cybersecurity threats, including whether the registrant considers cybersecurity risks as part of its business strategy, financial planning and capital allocation
- Disclosure about the registrant board’s oversight of cybersecurity risk, management’s role in assessing and managing such risk (D), management’s cybersecurity expertise, and its role in implementing the registrant’s cybersecurity policies, procedures and strategies – new Item 106 under Regulation S-K, covering points 2, 3 and 4
- Whether any member of the registrant’s board (F) has expertise in cybersecurity, and if so, the nature of such expertise – amendment to Item 407 of Regulation S-K
- Inline XBRL tagging of the information reported (as opposed to ASCII or HTML), with a view to making the disclosures both machine- and human-readable, and thereby easily accessible and investor-friendly in terms of referencing and reading
Key definitions in the proposed rules elaborated
(A) The SEC’s new rules propose that a company needs to conduct a ‘materiality analysis’ of the cyber incident, evaluating its quantitative and qualitative factors in relation to its consequences, the likely magnitude of loss or liability, and the reliance an investor would place on such information.
(B) Remedial measures taken to deal with cyber incidents need not include technical details, as these are generally thought to give away the security posture of an organization and could be misused by malicious actors.
(C) The SEC’s new rules underscore the role of the Board in assessing and managing cybersecurity-related risks and in implementing the registrant’s cybersecurity policies, procedures, and strategies.
(D) The new rules address the assessing and managing of cybersecurity risks by the registrant’s management, their relevant expertise on the subject, and specifically the board’s oversight of cybersecurity risk. Processes and practices surrounding cyber risks are also included.
(E) The proposed rules do not require quantifying the impact of the incident, as this is perceived as a trigger for overreaction to the disclosure, resulting in mispricing of the registrant’s stock.
(F) The proposed rules clarify the meaning of board of directors, with special reference to a Foreign Private Issuer (FPI). For a foreign private issuer with a two-tier board of directors, the term board of directors means the supervisory or non-management board. For a foreign private issuer meeting the reporting requirements under the rules, the term board of directors means the issuer’s board of auditors (or similar body) or statutory auditors, as applicable.
Emphasis on the role of management and the board
In addition to reporting on their cyber strategy, organizations are called on to report on their board of directors, giving details such as whether a director has prior work experience in cybersecurity and a certification or degree in the subject. Specific skills in the area would also need to be reported. In its article Top Security and Risk Management Trends for 2021, Gartner says that in its Board of Directors Survey, directors rated cybersecurity the second-highest source of risk for the enterprise after regulatory compliance. It says “Large enterprises are now beginning to create a dedicated cybersecurity committee at the board level, led by a board member with security expertise or a third-party consultant.” Gartner predicts that by 2025, 40% of boards of directors will have a dedicated cybersecurity committee overseen by a qualified board member, up from less than 10% today [9].
Navigating the new rules
An increasing number of cyber incident reports already show a readiness on the part of organizations to be more open about cybersecurity issues. Gartner predicts that areas of concern like cryptocurrency will experience a drop in cybercriminal activity of at least 30% by 2024 [8], due to increased transparency in the blockchain platforms deployed.
The new rules will certainly find organizations ramping up their cybersecurity arsenal with approaches such as Zero Trust Architecture (ZTA), which confer a plethora of benefits such as more robust security, near-zero incidents, and reduced identification and remediation costs.
Aurora’s experts can help organizations implement ZTA. For more information, reach out to us at sales@aurorait.com or call us at +1 888 282 0696.
Source:
https://www.sec.gov/rules/proposed/2022/33-11038.pdf
References
[1] US Bureau of Economic Analysis: https://www.bea.gov/system/files/2021-06/digital-economy-infographic-2019.pdf
[2] Infosecurity Magazine: Breach Volumes for 2021 Already Exceed 2020 Total (infosecurity-magazine.com)
[3] Forbes: MORE Alarming Cybersecurity Stats For 2021! (forbes.com)
[4] OnWire: What’s New in the 2021 Cost of a Data Breach Report – OnWire – Identity and Access Management Services and Cloud Solutions (onwireco.com)
[5] Financesonline: 73 Important Cybercrime Statistics: 2021/2022 Data Analysis & Projections (financesonline.com)
[6] Council of Economic Advisers: https://www.govinfo.gov/content/pkg/ERP-2019/pdf/ERP-2019.pdf
[7] Ponemon Research Institute: cybergrx-ponemon-print-5.16.19.indd
[8] Gartner Report: Criminal Cryptocurrency Transactions to Drop by 2024 (gartner.com)
[9] Gartner Report: Gartner Identifies Top Security and Risk Management Trends for 2021 (gartner.com)
Additional reading on the biggest cybercrimes: The 15 biggest data breaches of the 21st century | CSO Online