Cybersecurity: A new era in board fiduciary responsibility

Securities and Exchange Commission Rules on Cybersecurity Risk Management

Summary of the new rule

The Securities and Exchange Commission (SEC) is set to issue final guidance in April 2023 on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies. This new guidance goes well beyond the earlier rules, which required public companies to disclose a breach in a footnote only if it had a significant financial impact, and elevates the requirements and guidance to public filers on board responsibility, oversight, governance and expertise.

What is different in the regulator’s view, and what do these new regulations mean? The previous guidance was voluntary; the new regulations are mandatory, creating a new level of transparency and fiduciary responsibility for management and the board of directors. The SEC has seen too much inconsistency and a significant increase in the number of companies impacted by cyber threats and incidents, and this correlates with impaired financial performance and investor losses.

Cybersecurity expertise on the board has been lacking, and the role is often assumed by professionals who lack experience with and understanding of cyber threats, how those threats evolve, and how nefarious actors and nation-state actors target companies. Often, former or current Chief Information Officers (CIOs) have filled this role, but they lack the professional experience needed to address cybersecurity and to give management the oversight necessary to govern and advise on it. As a result, the SEC has raised the bar significantly and elevated the responsibility of boards to include this expertise, so that the management of public companies receives proper oversight of corporate activities and performance in the area of cybersecurity.

What is Required

“Material” cybersecurity incidents, most likely defined in public accounting terms, would have to be reported on a Form 8-K within four business days of the incident being determined to be material. Additionally, management will need to provide updated disclosures on cybersecurity incidents in Forms 10-K and 10-Q, along with any previously undisclosed individually immaterial incidents that have become material in the aggregate.

Companies will be required to describe their policies and procedures, if any, for the identification and management of risks from cybersecurity threats and incidents. A company must also determine and disclose whether cybersecurity is part of its business strategy and what financial planning and capital allocation the company is making for it.

Additionally, there are expanded disclosure requirements on the board’s oversight of cybersecurity risks, along with management’s role and expertise in assessing and managing those risks. This will affect the quality and capability expected of cyber professionals in the Chief Information Security Officer (CISO) role.

Lastly, and most importantly, a member with expertise in cybersecurity will need to be appointed to the board of directors. A full disclosure will need to be made of the name of each such director and any details necessary to fully describe the nature of their expertise.

The Challenge

The challenge in meeting this new requirement is daunting in many ways. For years, cyber professionals have lacked significant experience and exposure as part of the senior management of a company. They often lack financial experience and general management skills, as well as the leadership experience needed to support a board-level position. Too often, the CISOs of today:

  • are technical practitioners;
  • lack true C-suite responsibility;
  • have insufficient financial management experience;
  • can contribute to broader company strategy and business direction discussions; and
  • are inexperienced in the context of SEC filing and financial audit reporting requirements.

This will affect the ability of boards to find qualified professionals who can address the above spectrum of responsibilities necessary for a board member.

Summary

Public company boards need to start today to recruit the proper talent and capability to support their fiduciary responsibility to the investor community. The vetting process will take time, and the key elements that should be considered are:

  • years of experience in cybersecurity;
  • financial management experience;
  • knowledge of public accounting and auditing requirements; and
  • experience in incident management and reporting to regulators.

Additionally, roles for this new director should be considered on board subcommittees such as the audit, technology and compliance committees. This director will need to be directly involved in any breach or cyber incident, which will affect the reporting and filing requirements not just with the SEC but also with external auditors and industry regulators, as well as any potential state authorities and regulatory bodies and civil litigation matters. If these areas are not properly addressed now, the competency of the board will most likely come directly into question once the implementation period passes. The SEC has made this a significant call to action for public companies today.