Forthcoming SEC rules will trigger ‘tectonic shift’ in how corporate boards treat cybersecurity

The US Securities and Exchange Commission (SEC) will soon compel corporate boards to take cybersecurity seriously, whether they want to or not.

Under rules first proposed in 2022 but expected to be finalized as soon as April 2023, publicly traded companies that determine a cyber incident has become “material”—meaning it could have a significant impact on the business—must disclose details to the SEC and investors within four business days. That requirement would also apply “when a series of previously undisclosed, individually immaterial cybersecurity incidents has become material in the aggregate.”

The SEC’s rules will also require the boards of those companies to disclose significant information on their security governance, such as how and when it exercises oversight on cyber risks. That info includes identifying who on the board (or which subcommittee) is responsible for cybersecurity and their relevant expertise. Required disclosures will also include how often and by which processes board members are informed and discuss cyber risk.

Chris Hetner, former senior cybersecurity adviser to the chair of the SEC and senior cyber risk adviser to the National Association of Corporate Directors, told IT Brew that the rules are designed to compel boards to start addressing cybersecurity in terms of business value. Senior IT roles like CISO, he said, would see both expanded importance in contextualizing the possible impact of breaches and scrutiny of how they are working to minimize risk.

“Traditional cybersecurity reporting into the boardroom by the CISO has been deep[ly] steeped in technical jargon that is not actionable, not aligned to the business profile, and not understood by the board of directors,” Hetner said. “The problem we have with the current cybersecurity ecosystem is that it’s very focused on technical mitigation measures and does not contemplate these business, operational, [or] financial factors.”

Often “CISOs just throw spaghetti at the wall, and deploy resources and tooling,” Hetner added. “In many cases, it’s duplicative in nature, and creates a lot of complexity. Instead, what we’re going to see is how effective those cybersecurity controls and investments are made in order to mitigate financial losses. That is going to be a tectonic shift.”

Another impact will be that businesses that play fast and loose with the new disclosure requirements could find themselves at higher risk of falling in hot water with the SEC, which has been warning for years that a failure to take cyber risks seriously could result in enforcement action. While company’s boards have elevated the importance of cyber risk in recent years, the Washington Post has described the actual rates at which they disclose cyber risks to investors as “terrible,” and the rates at which they disclose incidents is also low.

“Shareholders as a result have been in the dark [as to] whether a company is prepared to manage a cyberattack,” Lucia Milică, global resident CISO at security firm Proofpoint, told IT Brew. According to Milică, contributing factors have included that determining whether an incident is actually material is a “gray area,” as well as “an extremely fragmented regulatory landscape between industry-specific requirements” in the US.

Hetner said that the proposed SEC rule clearly lays out what factors businesses should consider when making that determination, including the costs of business interruption, delays in production or product launches, ransomware and extortion payments, remediation, lost revenue from IP theft, increased insurance premiums, and whatever incentives might be needed to convince customers and partners not to sever ties after a breach.

It’s essential that boards fully understand “inherent systemic risk in complex digital system[s] and how investment in cybersecurity translates directly into business value,” Milică said.—TM

Do you work in IT or have information about your IT department you want to share? Email [email protected]. Want to go encrypted? Ask Tom for his Signal.