On this episode of the Risk & Accounting Advisory podcast, our guests cover the latest on the proposed rules to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and cybersecurity incident reporting by public companies that are subject to the reporting requirements of the Securities Exchange Act of 1934.

We begin by discussing the ever-changing threat landscape and its impact on the SEC's proposed rule change, which was released on March 9, 2022. Our Cybersecurity and SEC compliance professionals then cover the background and history of the proposed rule change as it relates to SOX compliance, what exactly the proposed amendment means, and how the proposed regulations may impact management and a company's board.

Finally, the podcast covers how to get ready for compliance with a well-designed cyber assessment, and what this proposed rule means both for companies preparing for SOX compliance and for those that have complied for years.

Now is the time to prepare!


NEIL BEGAN: Hello and welcome to the Cherry Bekaert Risk and Accounting Advisory Podcast. I'm Neil Began, leader of the firm's Risk Advisory Practice, and with me today are my esteemed colleagues: Steve Ursillo, firm leader of our Information Assurance and Cybersecurity practice; Gareth Montague-Smith, managing director; and Peyton Black, director who helped lead our Risk Advisory SEC practice.

NEIL BEGAN: For today's podcast, we will dive into the proposed rules to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and cybersecurity incident reporting by public companies subject to the reporting requirements of the Securities Exchange Act of 1934.

NEIL BEGAN: First, we will start with Steve Ursillo. Steve is a little under the weather, but this issue is timely, so we thank him for joining us. Steve, how does the changing threat landscape impact this recent proposed rule change?

STEVE URSILLO: Thank you, Neil. Cyberattacks are continuing to rise. This trend, coupled with COVID and international conflict, is adding economic uncertainty for many business owners and investors.

STEVE URSILLO: Ransomware, business email compromise, corporate account takeovers, and distributed denial-of-service attacks are prevalent. Adversaries continue to find new ways to monetize data, commit financial fraud, and disrupt service-level commitments.

STEVE URSILLO: There has been inconsistent reporting of material breaches to the SEC compared with other outlets such as the media, regulatory filings, or annual reports. In some cases, incidents are not reported to the SEC at all.

STEVE URSILLO: To increase transparency for investors and financial stakeholders, the SEC introduced this proposal in March to standardize reporting and disclosure of material cyber incidents. The rule would require registrants to provide more standardized reporting of material cyber incidents and to disclose cybersecurity risk management and practices for investors.

NEIL BEGAN: Thanks, Steve. Peyton, can you unpack the background and history of the proposed rule change as it relates to SOX compliance?

PEYTON BLACK: Sure. In 2011 the SEC issued interpretive guidance on how existing rules should be interpreted in connection with cybersecurity threats and incidents. In 2018 the SEC issued additional guidance to reinforce and expand on the 2011 guidance.

PEYTON BLACK: That interpretive guidance discussed the impact of cybersecurity risks and incidents on disclosure requirements. If a company determines disclosure is necessary, it should include it in places such as the risk factors, the MD&A section, legal proceedings, and potentially the financial statements.

PEYTON BLACK: Those disclosures have been inconsistent, so the SEC determined there is a need for consistent, comparable, and decision-useful disclosures. The proposed rule creates new requirements companies must build into their system of internal control, particularly around material cybersecurity incidents.

PEYTON BLACK: New disclosures would include updates to prior cybersecurity incidents and disclosure of cybersecurity monitoring and risk management policies and procedures, management's roles, and cybersecurity governance, among other requirements.

NEIL BEGAN: Steve, what does the proposed amendment mean in practical terms for organizations?

STEVE URSILLO: The amendment builds on existing guidance and would require organizations to institute best-practice policies and procedures related to cyber governance, risk management, and incident response.

STEVE URSILLO: Organizations will need to better communicate their program maturity to stakeholders and to fulfill required disclosures of material cyber events. The proposal includes a potential four-business-day notification deadline for reporting material cybersecurity incidents.

STEVE URSILLO: It also requires mandatory disclosures regarding board oversight of cybersecurity risk, individual board member cybersecurity expertise, and the role of management in addressing cyber risk. These disclosures are expected to be included in Form 10-K and Form 10-Q filings and, where relevant, in Form 8-K filings for unscheduled material events.

STEVE URSILLO: If an incident is determined to be material, the proposed rule would require reporting within four business days of that determination. Incident response protocols—investigation, root-cause analysis, identification of affected systems and data, and impact assessment—take time, and the four-day clock starts when the organization determines the incident is material to its reporting.

STEVE URSILLO: The Form 8-K is expected to include when the incident was discovered, whether it is ongoing, a brief description of the nature and scope of the incident, whether data was stolen, altered, accessed, or used for any unauthorized purpose, the effect on operations or service-level commitments, and whether the company has remediated or is in remediation.

STEVE URSILLO: Prescribing specific reporting criteria forces organizations to ensure they have the right people, processes, and technology to capture and timely disclose the relevant information. Organizations need to assess whether they are actively detecting incidents and determining materiality.

STEVE URSILLO: If an organization lacks minimum incident response capabilities, it will be difficult to populate the required information within the four-day window. Similarly, disclosure requirements about board experience will force organizations to reevaluate board expertise if current members lack cybersecurity experience.

NEIL BEGAN: I should note that Steve is a nationally recognized cybersecurity expert and an active CPA, which brings both technical and financial perspectives. Gareth, how do the proposed regulations impact management and the board?

GARETH MONTAGUE-SMITH: At the board level, the proposal would require disclosure of oversight of cybersecurity risks and whether the board considers cyber risk as part of overall business strategy, risk management, and financial oversight.

GARETH MONTAGUE-SMITH: The proposal would require disclosure of who is responsible for oversight and how the board is informed and how often cybersecurity risks are discussed. It would also require disclosure in annual reports and certain proxy filings of any board member who has cybersecurity expertise, including names and relevant experience.

GARETH MONTAGUE-SMITH: For management, the regulations would require a description of management's role around cybersecurity risks, whether certain positions or committees are responsible for measuring and managing those risks, and the relevant expertise of those positions.

GARETH MONTAGUE-SMITH: The description must address whether the registrant has designated a CISO or similar position, who that person reports to, and that person's relevant expertise. It must also describe the process by which persons or committees are informed about and monitor, mitigate, and detect cybersecurity incidents, and how frequently reporting to the board occurs.

GARETH MONTAGUE-SMITH: Overall, these are new but prescriptive requirements impacting both people and processes.

NEIL BEGAN: Steve, when companies prepare for potential finalization of this rule, what should they be doing to get ready with cyber assessments?

STEVE URSILLO: The SEC requirements are currently proposed, but they reflect best practices many organizations already should have in place. Organizations should not wait for the final rule; they should begin aligning their cyber programs to these expectations now.

STEVE URSILLO: Start with a cyber governance program assessment against one or more frameworks. ISO 27001 is a common framework. Industry-specific frameworks also matter: for defense contractors, NIST SP 800-171 or the Cybersecurity Maturity Model; for healthcare, HIPAA security and breach notification requirements.

STEVE URSILLO: Perform a comprehensive cyber risk assessment to determine higher residual risks and develop a strategy. Evaluate the incident response program for completeness and maturity, ensuring policies and procedures prescribe repeatable, formal methodologies.

STEVE URSILLO: Implement vulnerability management, including penetration testing, and deploy threat detection and hunting capabilities to identify incidents. Ensure incident investigations capture the information needed for reporting under the proposed rule.

STEVE URSILLO: Evaluate third-party and supply chain risk management programs, given the prevalence of supply chain attacks. Finally, prioritize user awareness training and threat intelligence sharing across the organization.

STEVE URSILLO: Overall, start now; these capabilities take time to mature, and you can backfill as the final rule is issued.

NEIL BEGAN: Peyton, for companies at different stages of SOX compliance—preparing for it, in a 404(a) readiness year, or subject to 404(b) with external audit—are there different expectations?

PEYTON BLACK: Companies in their readiness phase must build cybersecurity considerations into their SOX readiness process. Historically, cybersecurity controls were not required under SOX, so both new public companies and long-time filers will need to expand existing controls to include cyber considerations.

PEYTON BLACK: For example, if a company lacks a cyber risk program or cybersecurity policy, it needs one now. Determine how you communicate cyber responsibilities to employees, consultants, and vendors, and embed cyber into existing controls such as codes of conduct, vendor questionnaires, and IT general controls.

PEYTON BLACK: Perform entity-wide risk assessments that include cyber, and incorporate cyber into controls over Form 10-K and Form 10-Q filing obligations. The board and audit committees are already discussing cybersecurity, so embed cyber into your control environment and testing.

PEYTON BLACK: The rule is not final yet, but it is likely to include many elements we discussed, so getting in front of this is important for readiness and compliance.

NEIL BEGAN: I also want to thank Steve, Gareth, and Peyton for joining me today. Comments on the proposed rule are due on or before May 9th. We expect further SEC activity in the next 60 days. Even if the final amendment varies from the current proposal, the SEC is serious about cybersecurity risk disclosures, and companies should take steps now to prepare.

NEIL BEGAN: For more information on this topic or how your company can approach a cybersecurity gap assessment and response program, visit us at cbh.com. Please like, share, and subscribe to the Risk and Accounting Advisory Podcast and other Cherry Bekaert podcasts. Thanks for listening.


Steven J. Ursillo, Jr.

Cybersecurity

Partner, Cherry Bekaert LLP
Partner, Cherry Bekaert Advisory LLC
