Highlights from the U.S. Securities and Exchange Commission Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure
Have heard about the Proposed SEC Cybersecurity rule? It’s anticipated to be final in April 2023 and that’s less than a year away. That’s not a lot of time for a public company to prepare for an unprecedented amount of Cybersecurity disclosures. In support of this rule, you will need to:
Develop the required foundational and detailed elements for a fully functioning risk-based security program
Pivot your technically founded Cybersecurity Program into a Strategic Board-Level Risk-Driven Program
Train your security team on how to be business professionals including reading and writing SEC forms for public disclosure
Create publicly facing documentation regarding your Cybersecurity program (this goes against the Cybersecurity industry-standard need to know nature)
Reeducate your staff on how to work under Board directions including meeting their demands
Find a Cybersecurity Business Trained professional to be on the Board (there are limited business trained Cybersecurity professionals available)
Chief Information Security Officers and Directors of Security need to start preparing now for the upcoming rule. Without early preparation bridging the gaps from technically driven security programs to strategic board-level risk driven approaches, many organizations will be left unprepared for the vital business-driven approaches coming soon. Last thing anyone in the Cybersecurity industry wants to see is a 25%+ drop in stock prices and company valuations because of weak or noncompliant Cybersecurity programs.
You need to get started now and build a Cybersecurity Board-Level Risk-Driven Strategy that offers your company a “snapshot” of your security program effectiveness and maturity. This snapshot will empower you to make informed decisions about your risk-based approach and corollary budget requirements. For the average CISO, this can take 6-9 months+ to transition to this new model. A Cybersecurity Board-Level Risk-Driven Strategy can help avoid the unnecessary investment of time and resources by:
Benchmark areas of the program that are operating well and those areas that are not enabling you to focus greater attention to the areas of need while documenting “steady-state” mode for well-tuned operations
Analyzing current maturity versus desired maturity levels
Measure operational impact balance between people, process, and technology
Empowering you to establish the appropriate roadmap and budget to support and defend the chosen direction
Graphical depiction of risk versus current and desired budget levels to maximize impact to the largest audience
Want to read the proposed ruling yourself? Here are links to the proposed rule:
I know, it’s 129 pages of light reading… Don’t worry we have pulled out some of the most important pieces for you so you can get right to the important parts:
Proposed SEC Rule Overview
The U.S. Securities and Exchange Commission (“Commission”) is proposing rules to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and cybersecurity incident reporting by public companies that are subject to the reporting requirements of the Securities Exchange Act of 1934. The following is a summary of the proposed rule:
Require current reporting about material cybersecurity incidents on Form 8-K
Require periodic disclosures regarding, among other things
A registrant’s policies and procedures to identify and manage cybersecurity risks
Management’s role in implementing cybersecurity policies and procedures
Board of directors’ cybersecurity expertise, if any, and its oversight of cybersecurity risk
Updates about previously reported material cybersecurity incidents
Require the cybersecurity disclosures to be presented in Inline eXtensible Business Reporting Language (Inline XBRL)
Additional details about the proposed rule are detailed below:
Incident Disclosure Proposed Amendments
The SEC proposed to
Amend Form 8-K to require registrants to disclose information about a material cybersecurity incident within four business days after the registrant determines that it has experienced a material cybersecurity incident
Add new Item 106(d) of Regulation S-K and Item 16J(d) of Form 20-F to require registrants to provide updated disclosure relating to previously disclosed cybersecurity incidents and to require disclosure, to the extent known to management, when a series of previously undisclosed individually immaterial cybersecurity incidents has become material in the aggregate
Amend Form 6-K to add “cybersecurity incidents” as a reporting topic
Ongoing Investigations Regarding Cybersecurity Incidents Delays
Proposed Item 1.05 would not provide for a reporting delay when there is an ongoing internal or external investigation related to the cybersecurity incident. As the Commission stated in the 2018 Interpretive Release, while an ongoing investigation might affect the specifics of the registrant’s disclosure, “an ongoing internal or external investigation – which often can be lengthy – would not on its own provide a basis for avoiding disclosures of a material cybersecurity incident.”
Additionally, any such delay provision could undermine the purpose of proposed Item 1.05 of providing timely and consistent disclosure of cybersecurity incidents given that investigations and resolutions of cybersecurity incidents may occur over an extended period of time and may vary widely in timing and scope. At the same time, we recognize that a delay in reporting may facilitate law enforcement investigations aimed at apprehending the perpetrators of the cybersecurity incident and preventing future cybersecurity incidents. On balance, it is our current view that the importance of timely disclosure of cybersecurity incidents for investors would justify not providing for a reporting delay.
Risk Management, Strategy, and Governance Disclosure
In addition to incident reporting, the SEC proposed to require enhanced and standardized disclosure on registrants’ cybersecurity risk management, strategy, and governance. Specifically, the proposal would:
Add Item 106 to Regulation S-K and Item 16J of Form 20-F to require a registrant to
Describe its policies and procedures, if any, for the identification and management of risks from cybersecurity threats, including whether the registrant considers cybersecurity as part of its business strategy, financial planning, and capital allocation
Require disclosure about the board’s oversight of cybersecurity risk and management’s role and expertise in assessing and managing cybersecurity risk and implementing the registrant’s cybersecurity policies, procedures, and strategies
Amend Item 407 of Regulation S-K and Form 20-F to require disclosure regarding board member cybersecurity expertise. Proposed Item 407(j) would require disclosure in annual reports and certain proxy filings if any member of the registrant’s board of directors has expertise in cybersecurity, including the name(s) of any such director(s) and any detail necessary to fully describe the nature of the expertise
Cybersecurity Technical Disclosure
Specifically, proposed Item 106(b) of Regulation S-K would require disclosure, as applicable, of whether:
The registrant has a cybersecurity risk assessment program and if so, provide a description of such a program
The registrant engages assessors, consultants, auditors, or other third parties in connection with any cybersecurity risk assessment program
The registrant has policies and procedures to oversee and identify the cybersecurity risks associated with its use of any third-party service provider (including, but not limited to, those providers that have access to the registrant’s customer and employee data), including whether and how cybersecurity considerations affect the selection and oversight of these providers and contractual and other mechanisms the company uses to mitigate cybersecurity risks related to these providers
The registrant undertakes activities to prevent, detect, and minimize the effects of cybersecurity incidents
The registrant has business continuity, contingency, and recovery plans in the event of a cybersecurity incident
Previous cybersecurity incidents have informed changes in the registrant’s governance, policies and procedures, or technologies
Cybersecurity-related risks and incidents have affected or are reasonably likely to affect the registrant’s results of operations or financial condition and if so, how
Cybersecurity risks are considered as part of the registrant’s business strategy, financial planning, and capital allocation and if so, how
Proposed Item 106(c)(2) would require a description of management’s role in assessing and managing cybersecurity-related risks and in implementing the registrant’s cybersecurity policies, procedures, and strategies.
Whether certain management positions or committees are responsible for measuring and managing cybersecurity risk, specifically the prevention, mitigation, detection, and remediation of cybersecurity incidents, and the relevant expertise of such persons or members
Whether the registrant has a designated chief information security officer or someone in a comparable position, and if so, to whom that individual reports within the registrant’s organizational chart, and the relevant expertise of any such persons
The processes by which such persons or committees are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents
Whether and how frequently such persons or committees report to the board of directors or a committee of the board of directors on cybersecurity risk
Cybersecurity Board Member
Amend Item 407 of Regulation S-K by adding paragraph (j) to require disclosure about the cybersecurity expertise of members of the board of directors of the registrant, if any. If any member of the board has cybersecurity expertise, the registrant would have to disclose the name(s) of any such director(s) and provide such detail as necessary to fully describe the nature of the expertise.
Proposed Item 407(j) would not define what constitutes “cybersecurity expertise,” given that such expertise may cover different experiences, skills, and tasks. Proposed Item 407(j)(1)(ii) does, however, include the following non-exclusive list of criteria that a registrant should consider in reaching a determination on whether a director has expertise in cybersecurity:
Whether the director has prior work experience in cybersecurity, including, for example, prior experience as an information security officer, security policy analyst, security auditor, security architect or engineer, security operations or incident response manager, or business continuity planner
Whether the director has obtained certification or a degree in cybersecurity
Whether the director has knowledge, skills, or other background in cybersecurity, including, for example, in the areas of security policy and governance, risk management, security assessment, control evaluation, security architecture, and engineering, security operations, incident handling, or business continuity planning
Cybersecurity Board Member Limitation of Liability
Proposed Item 407(j)(2) would state that a person who is determined to have expertise in cybersecurity will not be deemed an expert for any purpose, including, without limitation, for purposes of Section 11 of the Securities Act (15 U.S.C. 77k), as a result of being designated or identified as a director with expertise in cybersecurity pursuant to proposed Item 407(j). This proposed safe harbor is intended to clarify that Item 407(j) would not impose on such person any duties, obligations, or liability that are greater than the duties, obligations, and liability imposed on such person as a member of the board of directors in the absence of such designation or identification. This provision should alleviate such concerns for cybersecurity experts considering board service. Conversely, we do not intend for the identification of a cybersecurity expert on the board to decrease the duties and obligations or liability of other board members.
Periodic Disclosure by Foreign Private Issuers
Amend Form 20-F to add Item 16J that would require an FPI to include in its annual report on Form 20-F the same type of disclosure that we propose in Items 106 and 407(j) of Regulation S-K and that would be required in periodic reports filed by domestic registrants. One difference is that while domestic registrants would be required to include the proposed Item 407(j) disclosure about board expertise in both their annual reports and proxy or information statements, FPIs are not subject to Commission rules for proxy or information statement filings and thus, would only be required to include this disclosure in their annual reports.
Ready to Start Preparing for the SEC Cybersecurity Rule
Don’t worry, you are not alone. Emagined Security’s CISOs and teams can support your organization in preparing to meet Board-Level expectations and demands in support of the Commission’s rules, such as:
Cybersecurity Strategy: Emagined Security can work with your organization’s management to gather an understanding of corporate initiatives, security architecture, security culture, and security risk tolerance in an effort to develop a plan.
Cybersecurity Program Creation: Emagined Security can help develop a Security Program designed to better understand the current status and security of your assets, networks, process, and programs with a Business Risk and Budget focus.
Cybersecurity Risk Budget Assessment Refinements & Training: Upon completion of the draft presentation, Emagined Security can work with your organization to help create refinements to your presentation including working on several risk scenarios.
What-If Scenario Analysis
Periodic Report Updates
Remote Risk Scenario Refinements
Remote Presentation Coaching
Remote Presentation Attendance
In-Person Presentation Presenter
Security Project Management Program: Emagined Security can provide personnel to assist staff with the creation, build, and operation of the security project management program.
Incident Response Management: Emagined Security can perform Incident Response Management if your organization experiences a successful attack.
Security, Governance & Compliance Strategy Sessions: Emagined Security can conduct support strategy sessions to provide ongoing guidance on areas that your organization should focus on improvements.
Security Documentation Reviews: Emagined Security can evaluate existing policies and make high-level recommendations to simplify and standardize current documentation.
Security Architecture Design: Emagined Security can assist your organization’s staff with the security architecture design and provide direction for implementation and operations.
Risk Management: Emagined Security can evaluate current security and compliance posture to determine where the organization's risks are High / Medium / Low.
Board-Level Response / Commission Form Preparation: Emagined Security can provide personnel to assist staff with the preparation for these upcoming Board-Level compliance status requests and filling out SEC forms (e.g., Form 8-K, 20-F). EMAGINED will help develop suggested responses for status requests considering current compliance posture and planned compliance activities/enhancements (e.g., POAMs). These responses will be created to present the current compliance posture and planned compliance activities/enhancements and incident reports in the best light possible.
Security Program Control Validation: Emagined Security can perform additional validation on the interview provided information to validate the assessment results and better understand the maturity of each control. Using the data acquired and evidence gathering, each control will be assessed to determine if they are Fully Implemented, Partially Implemented, or Not Implemented. Additionally, basic comments and recommendations will be made. Based on the data gathered, Emagined Security will review the current control maturity for each of the key controls. Short follow-up interviews may be used to reconfirm the facts or implications of the observed maturity of key controls.
Security Implementation Support: Emagined Security can provide personnel to assist staff with the installation of security products.
Security Remediation / Implementation Support: Emagined Security can provide personnel to assist staff with the remediation of vulnerability findings.
Customer, Regulator, and Auditor Support: Emagined Security can help prepare for customer, regulatory, and auditor meetings. In supporting the preparation, Emagined Security will provide direction on how to meet the regulatory requirements. Emagined Security can also provide advice on if a compensating control is adequate to meet audit standards.
Security & Compliance Analytics / Metrics: Emagined Security can create a Security Analytics / Metrics program using a structured methodology to ensure that all needs are identified and met. Each report type will be designed to support a business need intended for the appropriate audience:
Business Line Management
Technical Owners (as appropriate)
Cybersecurity is what we do. Reach out to Emagined Security and we can start working with you right away in preparing for the upcoming U.S. Securities and Exchange Commission Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rule. Protect your Company and its stock value by being prepared for the upcoming SEC Cybersecurity Rule.