SEC Cybersecurity Rules Set New Hurdles for Public Companies

DATE PUBLISHED: July 28, 2023

The SEC Mandates Disclosures for Risk Management, Governance and Cyber Incidents

The Securities and Exchange Commission (SEC) this week adopted new rules requiring public companies to annually disclose their cybersecurity risk management strategies and governance methods, and to promptly disclose material cybersecurity incidents.

The regulations were revised after the SEC received more than 150 formal comments during its review process, most notably regarding limited national security/public safety exceptions to the timing of disclosures for certain cyber incidents and dropping the long-anticipated requirement that companies’ boards disclose the cyber-related expertise of board members.

It is important to note that these regulations are entirely about disclosure and do not necessarily require companies to make any specific changes to their cybersecurity risk management (or even to have a risk management program at all). That means it falls to investors and other stakeholders to decide whether a company is addressing these risks adequately.

This gives companies an opportunity to produce disclosures that don’t just provide the required information, but demonstrate a robust and improving management of cybersecurity risks. Companies will be incentivized to provide information that is perceived positively and that, in turn, will drive improvements in their practices.

Impacted companies need to consider three things:

  • What, specifically, to disclose, and when?
  • Will the disclosures be a point of pain or a point of pride?
  • How might companies take best advantage of these new requirements to both improve security and boost the confidence of investors and other stakeholders?

What is required?

The new rules were initially proposed in March 2022 to address investors’ needs for timely and reliable information related to companies’ cybersecurity risk (both potential and realized). The goal was to improve upon disclosures encouraged by the existing guidance and address these realities of today’s economy:

  • Businesses are increasingly reliant on digital systems
  • Supply chain dependencies and third-party systems are expanding
  • The frequency and severity of cybersecurity incidents have real risk implications for companies and their stakeholders, including investors

The rules require:

  • An annual disclosure that describes the cybersecurity risk management processes a company employs to address risks that materially impact or would be likely to materially impact the company
  • An annual disclosure that describes the role of the board and of the management team in managing and overseeing such risks
  • The timely (generally within four business days) disclosure of any material cybersecurity incident

The following table is from the final rule, as published on July 26, 2023:

[Table from the final rule: image not reproduced here]

To whom and when do the new rules apply?

The rules apply to U.S. publicly traded companies; generally, all of those that are currently subject to the reporting requirements of the Securities Exchange Act of 1934. There are also certain parallel disclosure requirements for foreign private issuers.

The rules become effective 30 days following publication of the adopting release in the Federal Register. Companies must provide the required disclosures beginning with annual reports for fiscal years ending on or after December 15, 2023. Regarding incident disclosure, all companies other than smaller reporting companies must begin complying on the later of 90 days after the date of publication in the Federal Register or December 18, 2023. Smaller reporting companies will have an additional 180 days.

Will the rules drive cybersecurity improvements?

Ultimately, the rules are intended to help investors make more informed decisions regarding risk and reward. As with other categories of risk (supply chain, labor, legal, regulatory, etc.), the goal is to ensure that investors can clearly see the key risks a company is facing and how its board and management are addressing them.

While the purpose of the new rules is clearly linked to the needs of the investment community, they should also result in improved risk performance for the impacted companies. No one likes to disclose facts that will be perceived as negative, so companies will be incentivized to produce disclosures that are perceived positively. Disclosure requirements are therefore likely to prompt a reassessment of cybersecurity risk standards, processes, and performance by both boards and management teams. The need to disclose both cybersecurity incidents and the company’s process for ongoing assessment and management of risk (as well as the board and management responsibilities) is highly likely to encourage more thoughtful attention to this critical aspect of corporate risk management.

Compliance: the letter and the spirit…

The disclosure requirements are prescriptive, and largely self-explanatory. Compliance with the “letter of the law” is clear enough, and the SEC has described what must be disclosed as well as where and when.

“Registrants must describe their processes, if any, for the assessment, identification, and management of material risks from cybersecurity threats…” [emphasis added].

That said, it seems clear that the spirit of compliance will be achieved when companies are compelled by the rules to disclose the facts about their management of cybersecurity risk and compelled by the market to disclose a robust and improving management of cybersecurity risks. The adoption of processes of assessment, identification, and management of cybersecurity risks worthy of the required disclosure, as well as the appropriate management and board oversight of the same, can only serve to improve actual cyber outcomes for impacted companies.

The intersection of aspiration and action

What can and should companies do? First, they need to familiarize themselves with the new disclosure requirements and position themselves to comply with them.

But next, and perhaps more importantly, companies need to ensure they are comfortable with what they will soon have to disclose.

As with any new disclosure requirement, companies should expect closer scrutiny and engagement from key stakeholders who may be interested in a deeper dialogue around the topic. For some companies, this might be best accomplished through proactive, direct engagement with their top investors around cybersecurity practices in advance of their first disclosure, in order to anticipate and address any concerns they may have.

Impacted companies have an opportunity to improve both the perception and the reality of their cybersecurity risk management practices. Companies that take best advantage of the new rules will gain insight into the cybersecurity risks of their own organizations, their extended supply chains, and their peers – and they will learn how to communicate these risks, and their management of these risks, in ways that will differentiate their organizations and reassure their stakeholders.

How can ISS Corporate Solutions help?

Better measurements generally yield opportunities for more effective management. ISS Corporate Solutions can support your company with key cyber risk assessment and identification capabilities (both for your company and your supply chain) by utilizing the ISS ESG Cyber Risk Score – a concise, empirical, and forward-looking metric that corresponds to the likelihood of a future breach event by assessing how well a company manages and maintains its network security. It is powered by a machine learning model trained on real breach exemplars to understand the mathematical relationship between risk signals and breach outcomes. It is packaged with insightful tools that help companies understand and address cyber risk, including third and fourth-party exposures. Contact us to learn how ISS Corporate Solutions can help you best navigate these new requirements.

For more details, the SEC makes the following items available:

AUTHORS

Douglas Clare, Managing Director, Cyber Strategy, ISS Corporate Solutions
