SEC tells companies to “show their work” on cybersecurity

It is one thing to tell yourself that your company has a mature, comprehensive cybersecurity program. It is another thing to tell that to the world in a public securities filing.

In new rules that come into effect later this year for most public companies (and next year for the rest), the Securities and Exchange Commission (SEC) is telling security professionals, management, and boards of directors: “show your work.” For the first time, the rules require extensive, regular disclosures regarding companies’ cybersecurity programs and material cybersecurity incidents.

Though the new rules may give security professionals a little more fuel for their nightmares, there may be some benefits tucked in there as well.

What do the new rules require?

Starting December 18, 2023 (for most), public companies must make public SEC-mandated disclosures of:

• cybersecurity incidents within four days of determining they are material (and make that materiality determination “without unreasonable delay”);
• processes for assessing, identifying, and managing material cybersecurity risks, including: (1) a description of the company’s cybersecurity risk program; (2) whether the company engages assessors, consultants, auditors, or other third parties in connection with the program; and (3) whether the company has policies and procedures to oversee, identify, and mitigate the cybersecurity risks associated with its use of any third-party service providers;
• their board of directors’ oversight of cybersecurity risks; and
• management’s role in assessing and managing material cybersecurity risks

For a more detailed discussion of the rules’ legal particulars, you can find a good resource here.

Why are these rules important?

The new rules represent a significant change in how the SEC addresses cybersecurity maturity for public companies. Previous guidance only highlighted how cybersecurity risks and incidents may lead to reportable events under the securities law; the new rules are the first to mandate specific, regular cybersecurity disclosures. This change puts increased pressure on companies to not only identify incidents, but to also “allow investors to evaluate registrants’ exposure to material cybersecurity risks and incidents as well as registrants’ ability to manage and mitigate those risks,” as the SEC explained in announcing the rules.

Some key takeaways:

• The rules do not require companies to name the specific cybersecurity vendors it uses, but as investors (and regulators) focus more on companies’ cybersecurity maturity they may start looking for disclosures that a company uses broadly-effective solutions like identity and access management, endpoint protection, and managed detection and response (MDR) services to manage risk. And more broadly, these rules further emphasize companies’ need to assess and close any gaps in their cybersecurity control environment.
• Companies should update their incident response plans to ensure they address how they will assess the materiality of any incidents and are prepared to make SEC disclosures within four days of that determination.
• Companies need tools and processes to quickly identify, contain, and assess cybersecurity incidents, given the rules’ very tight deadlines.
• As noted by many commentators, companies should test their incident response plans so they are ready to respond, and can credibly explain that preparedness to investors.
• Management must be prepared to disclose the manner in which they are managing cybersecurity risk, providing additional pressure which may help increase budget for tools and headcount.
• CISOs should be prepared to regularly present to the board of directors on the company’s cybersecurity posture so that the board can satisfy its own obligations in this regard, which can be a useful way to ensure that the CISO has the support and funding to build and maintain a robust program.

What now?

In short, public companies and those hoping/planning to go public have a lot to digest in these new rules. But for security professionals looking to upscale their tools and processes, there has never been a better time to take a good look at gaps and have a strong voice in advocating for fixes.