SEC’s New Rules to Transform Corporate Boards’ Cybersecurity Approach
Key Points
- SEC plans to introduce new regulations to improve the markets and finalize several proposals previously announced as part of its regulatory agenda update.
- SEC voted to introduce new regulations to mitigate cybersecurity risks for registered investment advisers and investment companies on February 9, 2022.
- The SEC is expected to finalize the proposed Cybersecurity Rule 206(4)-9 for investment advisers and private funds in April 2023.
- The proposed regulation aims to elevate the standard of cybersecurity across industries and ensure that companies are better prepared to respond to any cybersecurity threats.
The SEC will have a full workload again in 2023: according to its regulatory agenda update, it plans to introduce new regulations to improve the markets and to finalize several proposals announced in recent years.
On February 9, 2022, the U.S. Securities and Exchange Commission (SEC) took steps to mitigate cybersecurity risks for registered investment advisers and investment companies by voting to introduce new regulations. At the same time, the SEC proposed amendments to specific rules concerning disclosures by advisers and funds under the Investment Advisers Act of 1940 and the Investment Company Act of 1940.
The SEC is expected to finalize the proposed Cybersecurity Rule 206(4)-9 for investment advisers and private funds in April 2023. The new regulation aims to establish a more comprehensive framework for addressing cybersecurity risks at investment advisers and funds, including their ability to respond to and recover from a cyber incident, and thereby to strengthen investors’ trust in the security of their investments.
SEC Strengthens Cybersecurity Standards in 2023
The draft regulation is set to reshape how companies approach cybersecurity by introducing a series of requirements. Among them is mandatory incident reporting: companies would have to report, within 48 hours, any security breach that could have a material impact on investor protection. Additional measures would ensure that companies are taking proactive steps to protect their networks and data.
The draft rule also calls for annual risk assessments to be carried out, allowing companies to stay ahead of emerging threats and proactively manage their cybersecurity risks. Another key aspect of the proposed regulation is the requirement for firms to disclose cyber risks and incidents to investors. This level of transparency would give investors a better understanding of a company’s security posture and allow them to make more informed investment decisions.
Finally, the draft rule includes recordkeeping requirements, ensuring that companies maintain accurate and detailed records of their cybersecurity efforts. This would provide a clear and measurable record of a company’s efforts to protect sensitive data and allow for effective audits and assessments of the company’s cybersecurity program.
Revolutionizing Cybersecurity: Groundbreaking Requirements for Organizations
The proposed rules reflect the SEC’s increasing focus on cybersecurity and its efforts to impose stricter requirements on public businesses and their boards of directors than any other federal agency. A key new requirement under the proposed rules is for the Board of Directors of public companies to oversee and actively participate in evaluating, assessing, and implementing cybersecurity policies and procedures.
Many reports note that cybersecurity briefings to the Board of Directors have traditionally been filled with technical terms, are not practical, do not align with the business profile, and are not easily understood by the board. It has also been pointed out that the current cybersecurity ecosystem focuses excessively on technical mitigation measures and neglects the broader business, operational, and financial aspects. The result is a poor understanding of the potential impact of cyber incidents and inadequate preparation for them.
If the SEC adopts the proposed rules, companies will be required to:
- Report any high-impact cybersecurity incident to the SEC within four days, along with any incidents previously classified as “low-impact” that, in aggregate with others, have become “high-impact”.
- Include updates on previous cybersecurity events in regular SEC filings and explain the organization’s cybersecurity risk management system and the Board’s role in overseeing and implementing it.
It has not been uncommon for CISOs to deploy a range of measures and tools without a clear strategy or an understanding of their effectiveness. This often produces duplicated effort and added complexity rather than the desired outcome. Going forward, we will see a shift towards evaluating how effectively cybersecurity controls and investments mitigate financial losses, rather than simply implementing them.
SEC Chair Gary Gensler stated that these proposed rules ensure that investors have enough information to evaluate a company’s cybersecurity practices and incident reporting. He also said that as cybersecurity is an emerging risk that public companies increasingly have to deal with, requiring this information to ensure uniformity, comparability, and applicability would benefit both companies and investors.
The Impact of the SEC’s New Rules
Board members must understand that their roles now exceed oversight; strong cybersecurity portfolios are the new standard. Simply being aware of new security measures or the outcome of phishing tests is no longer adequate. Cybersecurity must be considered a top priority, and board members must assume that cyberattacks are possible. Their oversight responsibility should be to ensure that security managers have established comprehensive plans for responding and recovering in the event of an attack.
Given that complete protection from every attack is impossible, the most effective strategy is to ensure that the organization can recover with little or no damage to its operations, finances, and reputation. In line with this, the standards introduced by the SEC will require companies to establish and maintain reasonable cybersecurity practices and to disclose them in public documents. In addition, the SEC will need to be apprised of how senior leadership oversees cybersecurity programs, together with any and all subsequent incident reports.
The new regulations are more targeted and detailed than their predecessors, though they remain consistent with previous guidance and with the outcomes of earlier SEC enforcement cases. They specify the content and structure of incident reports and the timing of periodic disclosures. Finally, companies should document their cybersecurity plans and risk management strategies for the SEC’s review. These steps and procedures will give a clearer picture of the security measures companies have in place, which in turn should help protect the organization and its stakeholders.
Preparing for Compliance with the New SEC Cybersecurity Regulations
To ensure compliance with the SEC’s new regulations and effective oversight of cybersecurity programs by the Board, it is essential to do the following:
Understand the New Regulations
The first step in preparing to comply with the new SEC cybersecurity regulations is understanding the requirements. Familiarize yourself with the new regulations, the specific requirements, and the potential impact on your organization. This will help you identify gaps in your current cybersecurity program and determine what steps need to be taken to comply with the new regulations.
Assess Your Current Cybersecurity Program
Conduct a thorough assessment of your organization’s current cybersecurity program. This assessment should include examining your current policies, procedures, and controls and evaluating the effectiveness of your incident response and recovery plans. Identify any gaps or vulnerabilities in your cybersecurity program and develop a plan to address them.
Involve the Board of Directors
The new regulations require that the Board of Directors be involved in the oversight of cybersecurity programs. To comply with this requirement, it is essential to ensure that the Board is informed about the new regulations and their impact on the organization. Provide the Board with regular updates on the status of your cybersecurity program and the steps being taken to comply with the new regulations.
Develop a Comprehensive Strategy for Reporting Cybersecurity Incidents
The new regulations require that companies submit incident reports to the SEC within a specified timeframe. Develop a comprehensive strategy to ensure that you can report incidents promptly and accurately. This should include developing procedures for collecting and analyzing data about any security incidents and a plan for regularly reviewing the reports to ensure that they are complete and accurate.
Review and Update Policies and Procedures
Review and update your organization’s cybersecurity policies and procedures to comply with the new regulations. This includes updating incident response and recovery plans, as well as any other policies and procedures related to cybersecurity. Establish a process for regularly monitoring and testing your policies and procedures to ensure they are up to date and effective. You must also ensure that your staff is properly trained on the new policies and procedures.
Determine the Significance of “Material” to Your Organization Under SEC Regulations
The Securities and Exchange Commission (SEC) requires that companies disclose any “material” cybersecurity incidents, but the definition of materiality is vague. To comply with this requirement, it is necessary to determine what constitutes a material incident for your organization. Establishing criteria and thresholds to define materiality can help you better identify when an incident is significant enough to report to the SEC.
How Can We Help?
We understand the challenges associated with understanding, implementing, and complying with the new SEC cybersecurity regulations. Our team can help you develop a comprehensive strategy for compliance with the new regulations. We can assist you in assessing your current cybersecurity program, updating policies and procedures, and developing a plan to report incidents. With our expertise and guidance, you can feel confident in your ability to meet the requirements set forth by the SEC and protect your organization from cyber threats.