I think the financial services industry (FSI) is on the brink of one of the most impactful cybersecurity developments ever. No, it’s not some new ransomware or distributed denial-of-service (DDoS) attack or zero-day exploit. It’s new regulatory changes. Before you yawn and stop reading, please allow me to explain.
The new rules coming from the U.S. Securities and Exchange Commission (SEC) are going to have a huge effect on financial services organizations. And once adopted, these new regulations will have the potential for a seismic impact on cybersecurity culture.
Because financial services are prime targets for cybercriminal attacks, the new SEC proposal will require full cybersecurity transparency and accountability at the highest level of corporate leadership—including the boards of directors—for all public companies.
By proposing the new rules, the SEC wants “to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies (“registrants”) that are subject to the reporting requirements of the Securities Exchange Act of 1934.”
In summary, the proposal will require companies to disclose material cybersecurity incidents on their Form 8-K. They will also need to disclose the company’s policies and procedures to manage cybersecurity risks, including management’s role in implementing them. Additionally, there must be a disclosure of the company’s board of directors’ mechanism for oversight of cybersecurity risk and any board member’s cybersecurity expertise.
When this SEC proposal is approved and rolled out, I believe we will probably see these four major developments:
1. Cybersecurity risk and strategy will become a standing topic for discussion in board meetings
2. There will be a substantial increase in enterprise cybersecurity investment
3. Cybersecurity expertise will become an important, sought-after skill for board members
4. CISOs will have a more prominent seat at the boardroom table
On March 23, 2022, the SEC proposed a rule to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and cybersecurity incident reporting by public companies that are subject to the reporting requirements of the Securities Exchange Act of 1934. This would require reporting of material cybersecurity events, periodic disclosure of a company’s cybersecurity policies and procedures, and board of directors’ oversight of cybersecurity risk. The proposed rule closed for comments on May 9, 2022, and is now awaiting further guidance.
After these SEC rules are officially implemented, once a company determines it has experienced a material cybersecurity incident, it must disclose it within four business days. The disclosure process will entail amending its Form 8-K—the report that companies must file with the SEC to announce major events that shareholders need to be informed about. The new proposal also calls for reporting a series of previously undisclosed individual cybersecurity incidents that have become material in the aggregate.
What is even more impactful than the incident reporting part of the SEC’s proposal is the new plan for risk management, strategy, and governance disclosure. This piece of the proposal pulls back the curtain on a public company’s cybersecurity risk management policies and procedures.
The disclosure of the board of directors’ oversight of cybersecurity risk will be a requirement.
Also, executive management’s role in assessing cybersecurity risk and implementing the firm’s policies and procedures must be disclosed publicly. I believe this process is basically equivalent to putting an organization’s “report card” on the internet for all to see and critique.
The new rule will compel companies to describe their policies and procedures for the identification and management of risks from cybersecurity threats. If there are none, that will be noted and could lead to serious repercussions, including fines and penalties by the SEC for non-compliance. The proposed regulations will also require companies to indicate if cybersecurity is part of their business strategy, financial planning, and capital allocation.
Finally, the new rule stipulates that if any board members have expertise in cybersecurity, this should be disclosed in the annual report and certain proxy statements. Cybersecurity expertise at the board level is critical and should include both internal and external subject matter experts (SMEs). Internal SMEs should provide institutional knowledge, while external SMEs should add areas of specialized knowledge.
Humans are the weakest link in cybersecurity. The only way to address this is to make your employees part of the solution, not the problem. At the top of the food chain in most companies is the board of directors, and this is where attention to the new rules must start. The fusion of trained and cyber-aware employees with a strong cybersecurity strategy has to include continuing education and additional modern solutions.
The board of directors should not be involved in the day-to-day operations, but cybersecurity is now one of the key fiduciary duties of directors and officers. The board must be satisfied that cybersecurity policies and procedures are functioning as directed. And leadership needs to create and foster a culture of risk-aware decision-making throughout the entire organization.
The response to cybercriminal forays on financial organizations is driving authorities worldwide to push out laws and regulations—like the European Union’s DORA (Digital Operational Resilience Act)—that require cybersecurity proficiency from all the parties that deal with finances and other FSI enterprises.
The financial services industry is critical to everyone, whether we all know it or not. Therefore, it must be resilient and protected. Changes from the SEC and other government agencies around the globe in their regulation efforts could make the digital world safer for consumers and investors.
To learn more, tune in to the Cyber Resilience in Financial Services Podcast.