Are You Ready For Enhanced Cybersecurity SEC Reporting Requirements?
On March 9, 2022, The Securities and Exchange Commission (“SEC”) proposed amendments to enhance disclosures regarding cybersecurity risk management and incident reporting by public companies—emphasizing the increasing importance of cybersecurity in the realm of corporate governance as cyber-attacks become more frequent and sophisticated. Specifically, these new rules are designed to standardize and fast-track the information companies disclose around cybersecurity risks to investors, with the goal of providing an increased level of transparency.
“We believe investors would benefit from more timely and consistent disclosure about material cybersecurity incidents, because of the potential impact that such incidents can have on the financial performance or position of a registrant,” wrote the SEC in the proposed rules.
“We also believe that investors would benefit from greater availability and comparability of disclosure by public companies across industries regarding their cybersecurity risk management, strategy, and governance practices to better assess whether and how companies are managing cybersecurity risks. The proposal reflects these policy goals.”
Understanding the Proposed Amendments
Once enacted, these proposed rules will bring significant changes for public companies within their cybersecurity, risk management and corporate governance programs. At a high level, the new proposed rules would require:
- Reporting on cybersecurity incidents within four business days after it is determined that a material cybersecurity incident has occurred
- Regular disclosures around policies that identify and manage cybersecurity risks
- Disclosure about the Board of Directors’ cybersecurity expertise and leadership’s role in implementing cybersecurity governance practices
- Updates about prior material cybersecurity incidents and their related remediation efforts
- The reporting of cybersecurity disclosures via Inline eXtensible Business Reporting Language (Inline XBRL)
Enhanced Reporting Requirements Around Cybersecurity Breaches
If a cybersecurity incident occurs, organizations will need to comply with more stringent and timely reporting requirements to meet these new obligations. Examples of the information that will likely be needed include:
- The type of data that was stolen, accessed, and/or used for unauthorized purposes
- What impact the incident may have had on operations
- When the incident was discovered and what the investigation and remediation process was post-incident
- Impacts on current operations and/or relevant third parties
Additionally, the proposed amendments outline required disclosures regarding the experience that an organization’s Board of Directors has in the cybersecurity space—defining certain positions and types of specific background the SEC would like to see in these important leadership roles. Ideal areas of expertise include: privacy, governance, risk management, control evaluations, security assessments, architecture, and incident handling.
How Can You Prepare?
While the SEC has long required companies to disclose information regarding cybersecurity incidents, once enacted, these proposals will usher in a new era of reporting obligations. While the timing and final scope of the updated rules is still to be determined, it’s clear that change is coming for public companies across all sectors, and that it’s best to begin preparations now.
Companies will need to understand what the proposed rules are going to mean for them in the way of requirements and evaluate and compare those requirements against their current maturity levels and resources.
There are several places to start, including:
- Working to increase the cybersecurity expertise at the board level
- Building (or fine-tuning) your formal incident response policy so employees have a clear framework for detecting and reporting cybersecurity incidents within the updated timeline requirements
- Creating a documented process for tracking and reporting on incident remediation efforts
- Revisiting disclosure procedures to be sure they are in alignment with the new rules
- Establishing clear risk management procedures and working to include risks around cybersecurity within your organization’s overall risk management framework
How We Can Help
Cherry Bekaert’s Information Assurance & Cybersecurity practice can help provide the guidance and support you need to navigate these upcoming requirements, as well as protecting your organization from cyber threats. It starts with gaining a clear understanding of what the new rules are, what they mean for you, and how you can achieve compliance.
Every organization is different, but likely the best place to start is with a detailed evaluation of the maturity of your cyber governance program and your cyber risk assessment process, as well as a review of your security architecture, third-party risk management processes, and your incident response program.
Our professionals understand your business and the risks you are facing. Contact us today to learn more about how we can help. Learn more about Cherry Bekaert’s Cybersecurity Services here and stay tuned for future updates on these new rules.