Recently, the SEC adopted rules that require registrants to disclose material cybersecurity incidents they experience. Registrants will also be required to annually disclose material information regarding their cybersecurity risk management, strategy, and governance. Investors identified these as critical elements for understanding and assessing the cybersecurity posture of a business in order to make well-informed decisions.
The primary focus of the rule is disclosure within four days of determining materiality, a process description for assessing, identifying, and managing material cybersecurity risks, and descriptions of management’s role and the board’s oversight of managing risks posed by cybersecurity threats.
There is good news and bad news, depending on which cybersecurity camp you reside in. The good news is that the new ruling is pretty much in line with other regulatory reporting requirements. The bad news is that the new ruling is pretty much in line with other regulatory reporting requirements.
Public companies will be required to disclose cybersecurity incidents they determine to be material and to describe the material aspects of the incident’s nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant. The disclosure will be due four business days after a company determines that a cybersecurity incident is material. Disclosure may be delayed if the U.S. Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety. In that event, the SEC Commission must be notified of the determination in writing.
The new ruling also requires oversight and documentation at the executive and board level. Companies will have to describe their processes for assessing, identifying, and managing material risks from cybersecurity threats, in addition to material effects or risks from cybersecurity threats and previous cybersecurity incidents. Companies will also be required to describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats. This is in line with other SEC disclosure requirements, such as the disclosure of financial expertise of directors who serve on the audit committee.
The SEC also defines what constitutes an incident in this ruling and has adopted a common definition of a cybersecurity incident as “an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.”
In March of 2022 the SEC said that it wanted companies to publicly declare one cybersecurity expert on the board of directors and one within management. Based on recent news, it appears they have backed off the requirement for a board and management expert, which is an interesting take, as cyber executives have not been spared from legal action over data breaches.
Public crypto companies such as Coinbase, Marathon Holdings, Bitdeer, Block, and MicroStrategy will be required to adhere to the new rules.
This ruling comes amidst what most would deem a regulatory assault on the crypto industry, although the rules target cybersecurity across all public companies. The SEC does note “ransomware attacks” facilitated by “crypto-asset technology” as one of the reasons driving the new rules. The SEC also indicated that “evidence suggests” that companies are “underreporting cybersecurity risks.”
The new rules will have little impact on crypto companies and on banks that offer crypto asset services, as most are already required to report cyber incident information and cyber program information as part of ongoing compliance with federal and state governing bodies.
Banking organizations are required to notify their primary Federal regulators (FDIC/OCC/Fed) of any computer security incident that rises to the level of a notification incident as soon as possible and no later than 36 hours after the banking organization determines that a notification incident has occurred.
Qualified custodians, which include companies like Coinbase and some banks, are regulated under the New York Department of Financial Services (NYDFS), which requires covered entities to notify NYDFS as promptly as possible and no later than 72 hours from the determination that a reportable incident has occurred.
While increased cyber protections are seen as a positive, the rule focuses solely on disclosures and some executive and board oversight. It does not require companies to adopt specific cybersecurity protections or standards that would help increase the overall security posture of the company, its employees, and end users, and it does not require experts at the management and board level. Many prescriptive elements from the original proposal were removed, which will allow companies to define their own approach as well as adapt specific elements.
The four-day disclosure window was heavily debated during the comment period, and is pretty much in line with existing timelines for public company disclosures about other significant events. It is also closely aligned with banking requirements for breach disclosures.
The SEC is not requiring expertise at the management or board level but is insisting that expertise be reported to them. But what constitutes such expertise? Speculation indicates the SEC will not approve or deny anyone’s credentials or determine whether or not they meet unspecified requirements, leaving it to the market to decide.
Over time this could result in lower stock prices for companies whose executives have insufficient expertise, or in companies reconsidering credentials that were initially approved if other companies produce experts with more impressive credentials. In 2022, Okta, an authentication company used by thousands of organizations, suffered a data breach and saw its stock price tumble around 10% as a result. With the CISO role being one of the most difficult to fill and board member cyber experts being few and far between, time will tell if competition for cybersecurity roles increases as a result of the ruling. Would you rather hire an expert or train a board member on cybersecurity?
While additional information on cyber events and threats certainly would not be a bad thing, investors without cyber knowledge and expertise are expected to assess the cybersecurity posture of a business in order to make well-informed decisions, without prescriptive elements and principles to enforce accountability across registrants. These new rules give a small incentive to focus on cybersecurity, but very little to enforce accountability around the matter, with the primary focus being on disclosure.
The rules go into effect August 25, 2023, and registered public companies will have to start disclosing information about material cybersecurity incidents and threats through the appropriate reporting channel on December 18, 2023. Descriptions of risk management, strategy, board oversight, and management’s role in managing cyber risk must be disclosed with annual reports for fiscal years ending on or after December 15, 2023.
x's&o's + 0s&1s