Today I want to revisit the SEC’s proposed new rules requiring public companies to disclose more about their cybersecurity risks. Those plans would obligate companies to discuss how the board and senior management address cybersecurity risk at a strategic, enterprise level. What’s that all about?
In a previous post about the SEC proposals, I considered some of the challenges around assessing and disclosing “material cybersecurity incidents.” Those challenges, however, are mostly tactical in nature: your company suffers a specific incident, and senior executives (including compliance and audit leaders) need to decide what to do about it. To a certain extent, that’s an easier hill to climb.
These other SEC proposals are more about the company’s overall governance, and how your governance structures address modern cybersecurity challenges. Who is responsible for what cybersecurity risk management practices? What are those risk management practices, anyway? How do the board and senior management assure that they’re properly briefed on what cybersecurity risks are afoot in your enterprise?
Those are important questions to answer. When the SEC adopts final cybersecurity disclosure rules, presumably sometime later this year, the governance requirements could prompt some deep conversations at companies that haven’t yet fully considered how they should address cybersecurity. Compliance and risk officers should understand what the SEC is trying to achieve here, so you’ll be prepared should those deep conversations happen at your enterprise.
What the Proposed Requirements Are
The text of the SEC proposal divides these disclosures into several categories. First would be disclosures about the company’s cybersecurity risk management. Among other things, you would need to disclose whether:
- The company has a cybersecurity risk assessment program and if so, provide a description of such program;
- The company engages assessors, consultants, auditors, or other third parties for that risk assessment program;
- The company has policies and procedures to identify and oversee cybersecurity risks posed by any third-party service providers, including whether and how cybersecurity considerations affect your selection of those providers;
- The company has business continuity, contingency, and recovery plans in the event of a cybersecurity incident;
- Cybersecurity risks are considered as part of the registrant’s business strategy, financial planning, and capital allocation.
Second, the company would need to make disclosures about its governance of cybersecurity issues, right in the boardroom. So the disclosures would need to discuss:
- Whether the entire board, specific board members, or a board committee is responsible for the oversight of cybersecurity risks;
- The processes by which the board is informed about cybersecurity risks, and the frequency of its cyber discussions; and
- Whether and how the board or board committee considers cyber risks as part of its business strategy, risk management, and financial oversight.
And third, the company would need to disclose management’s role in assessing cybersecurity risk and implementing necessary policies and procedures. So those disclosures would cover issues such as:
- Whether certain management positions or committees are responsible for measuring and managing cybersecurity risk, including the prevention, detection, and remediation of cybersecurity incidents;
- Whether the registrant has a designated chief information security officer, and if so, to whom the CISO reports within the organizational chart and the CISO’s relevant expertise;
- The processes by which such persons or committees are informed about and monitor cybersecurity incidents; and
- Whether and how often management reports to the board of directors or a committee of the board of directors about cybersecurity risk.
That’s a lot of material to ponder, document, and put into the 10-K. To see the bigger picture here, however, we need only focus on one word in the proposed requirements — a word that does more work than anything else in the entire 129-page document.
Taking Cybersecurity Seriously, or Not?
By including the word “whether,” the SEC is giving companies the option to tell investors that the company has not yet developed a thoughtful approach to managing its cybersecurity risks — except, who wants to be the loser who admits that in the 10-K?
For example, companies would have to disclose whether they have policies and procedures to identify cybersecurity risks posed by third-party service providers. Imagine being the company that tells investors it does not have such procedures, when so many breaches happen via a cloud-based provider your enterprise uses (and usually those breaches are the most serious). You would be admitting a major weakness in your oversight of cybersecurity. Privacy regulators would certainly note that fact if you later suffer a privacy breach, and so would class-action lawyers when the inevitable civil litigation follows.
So by giving companies the option of disclosing that they are not taking certain cybersecurity risk management steps, the SEC is really driving companies toward taking those steps. That’s the goal here: to use the power of disclosure to make boards and senior executives confront cybersecurity risk in a disciplined, systemic way.
Indeed, I can’t help but wonder whether the SEC is pushing companies to treat cybersecurity risks in the same way that companies treat financial reporting risks. That is, financial reporting is a core responsibility of every public company, and the board must assure that financial reporting risks are kept in check. You can’t have reliable financial reporting without some mechanism to govern financial reporting risks.
By the same token, one could argue that cybersecurity is now a core responsibility of every public company: that effective use of IT is so fundamental to modern business, you can’t have reliable operations without some mechanism to govern cyber risks. And investors need some discussion of that in the 10-K, just like they have discussion of accounting policies, controls and procedures, and audit committee expertise.
I appreciate that the comparison only goes so far. In financial reporting, boards need to make qualitative disclosures under Regulation S-K to help assure that quantitative disclosures (financial data) reported under Regulation S-X are reliable. Cybersecurity doesn’t have that second half of the equation; there are no quantitative disclosures about data breaches or cloud-based providers.
Fundamentally, however, we can’t deny the reality that in our technology-dependent world, cybersecurity risk and operational risk have fused into one thing. Banking regulators already pretty much concede this point, because when they talk about threats to operational risk management, it’s a discussion of cybersecurity threats all the way down. Nobody should be surprised that the SEC is slouching toward this conclusion, too.
So what will companies need to do here? Watch the SEC’s proposed regulations carefully, and prepare for probing conversations with your board, CISO, legal team, and others in your enterprise once final rules are adopted.
You’ll likely need to have long talks about who is in charge of which cyber risk management duties, and what policies and procedures you should put in place. Then you’ll need to document all that work for inclusion into the 10-K. Perhaps in another post we can talk about the specifics of that effort, since it could be a big lift for some companies.
Then again, with the way technology and risk are going — most companies will need to put that structure and discipline in place anyway, SEC requirements or not.