We continue our focus on cybersecurity compliance today with a return to the SEC’s proposals for expanded disclosure of cybersecurity risk in corporate reports. The public comment period for those proposals closed last week, and compliance officers have a bundle of interesting points to ponder.
The SEC received dozens of comments, and to no surprise the feedback was all over the map. Most commenters did support the commission’s basic goal of giving investors a better sense of how companies are handling their risks around cybersecurity, which at least gives the SEC political cover to move ahead with some sort of final regulation. (Compare that to, say, the SEC’s proposals for climate change disclosure, which already have legions of people saying that subject is way outside the SEC’s purview.)
That said, commenters also had plenty to say about individual pieces of the SEC’s cybersecurity proposals, and some criticisms were quite valid and cogent. So we could end up seeing a final proposed rule that looks very different from what the agency originally proposed back in March.
As a reminder, the proposed disclosure requirements fall into two categories.
First, companies would need to file a Form 8-K disclosure with the SEC within four days of determining that a material cyber incident had occurred (say, a ransomware attack), describing the nature and severity of the event. That four-day window would start on the day that the company decides the incident is material, not four days from when the incident itself actually happened.
Second, companies would need to disclose their broader cybersecurity risk management practices in their annual reports, reviewing:
- The company’s policies and procedures to identify and manage cybersecurity risks;
- Management’s role in implementing cybersecurity policies and procedures;
- The board of directors’ cybersecurity expertise, if any, and its oversight of cybersecurity risk; and
- Updates about previously reported material cybersecurity incidents.
So what can compliance professionals glean from public comment about those proposals?
Questions Raised by Commenters
The best way to start thinking about public comment might be to identify a few fundamental questions about the SEC proposals themselves. Namely:
- Would compliance with these SEC proposals drive the desired cybersecurity behavior among corporations?
- Are terms used in the proposals clearly defined, so that everyone would understand what companies are supposed to do?
- Do the proposals strike the correct balance between providing useful information and imposing undue burdens on corporations?
In one form or another, commenters either raised or debated those questions over and over.
For example, the Center for Audit Quality wondered whether new regulatory requirements might not drive better cyber risk management. It pointed to an Ernst & Young survey from 2021 that found only 35 percent of CISOs believed that compliance with security regulations drove better behavior, and fewer than 20 percent said regulation is an effective way for them to argue for more budget from the board.
The CAQ also urged more specific definitions for terms such as “cybersecurity incident” and “cybersecurity threat” (an especially good point since the people complying with SEC regulations are usually corporate lawyers, who thrive on precision but don’t have strong technology backgrounds). Then again, the CAQ is a voice for the audit industry. One would expect that crowd to want clear, precise definitions.
USTelecom, a trade association for tech firms in the broadband industry, flagged another nettlesome detail in the SEC’s proposals: that companies would need to disclose material cybersecurity events even when law enforcement agencies would prefer to keep an ongoing investigation quiet. Such a disclosure, USTelecom said, “would potentially disrupt public-private partnership relationships with law enforcement… Law enforcement efforts are essential to deterring cybercriminals, and doing so ultimately benefits investors across the digital economy.”
That is a fair point. For example, law enforcement might want more time to hunt down ransomware attackers and claw back ransom payments made in cryptocurrency. Would shareholders really be better off knowing about a breach, if that knowledge meant the chance to retrieve stolen funds was gone for good? To me it seems more an undue burden on the corporation simply for regulation’s sake, and I hope this particular part of the SEC proposal goes away.
Cyber Materiality and More
One issue I flagged in my original post about the SEC proposals was how a company would determine that it had suffered a “material cybersecurity incident.” That’s important because under the SEC proposal, once a company does decide a cyber incident was material, it has four days to file an 8-K disclosure telling investors what happened.
Commenters picked up on that issue, too. Financial Executives International, for example, wrote that sometimes materiality might be readily apparent. At other times, however…
determining the materiality of a cybersecurity incident may be more difficult and require significantly more effort to assess downstream impacts. In these situations, there is an increased risk that judgments made about materiality, particularly judgments based on indicators that correlate with the passage of time (e.g., a sustained decline in sales or increase in costs associated with business interruption) could be second-guessed.
In such cases, FEI wrote, the SEC should trust companies’ “well-reasoned judgment… to the extent they are supportable.”
Microsoft took issue with another section of the SEC proposals that would require disclosure when a series of previously undisclosed cyber incidents “become material in the aggregate.”
Well, what does that mean? Over what period of time — weeks, months, years? The SEC proposal doesn’t say. Microsoft asked for more clarity, although “even if additional clarity were provided, we believe this requirement would present significant challenges for companies and be of limited value to investors.”
We could go on for hours; the SEC cybersecurity proposals touch on all sorts of governance issues, and we’ve only scratched the surface. For risk and compliance professionals in the operational trenches, however, the biggest challenges are still going to be:
- Do we understand exactly what the SEC expects our company to do? Do we understand what the language of the proposed rule means?
- How does the company assess materiality of a cyber event? Who needs to be involved in that discussion, and how do we develop a structured, repeatable process?
- Do we have sufficient forensic capability to analyze an attack and understand what happened?
Think long and hard about those answers, because the smart money is that the SEC will adopt final new cybersecurity disclosure rules soon enough. This train is coming.