SEC Final Rule on Cybersecurity Reporting

Here are some of the key benefits of the new rules:

Increased transparency for investors:

The new rules will require companies to disclose more information about their cybersecurity risks and incidents, which will help investors to make more informed investment decisions.

Increased accountability for companies:

The new rules will put pressure on companies to take cybersecurity more seriously and to invest in effective cyber security measures.

Enhanced market stability:

The new rules will help to protect the financial markets from the negative effects of cybersecurity incidents.

The Commission and its staff have been addressing cybersecurity risk disclosures for many years. Guidance was issued by the staff and the Commission in 2011 and again in 2018. This effort is a further step in understanding the impacts of cyber risks to investors, and it falls short of the planned implementation and requirements of having a cyber professional, or an otherwise cyber-knowledgeable member, on a public company’s board.

Additionally, the Commission has noted the financial impacts of cyber incidents, as both their frequency and their effect on company performance have increased.

It’s important to note that the Commission is very open that companies should expect Compliance and Disclosure Interpretations (CDIs) to be issued in the first year of this requirement, as even the Commission is looking to create clarity into how this requirement is implemented and how companies are disclosing and meeting it in their 10-Ks in section 1.05. In essence, the SEC is looking at best practices and will issue CDIs if a filer is falling short or could have provided more clarity on incidents, on the accumulated impact of incidents, or on its overall risk management, strategy and governance of cybersecurity.

What do you need to consider in your Cybersecurity Program and Filing?

The SEC was very specific about what needs to be included and considered in the disclosure requirements in section 106. The intent is for an investor to understand how a public filer is addressing the risk and exposure of a cyber incident to the company, and the governance that supports that risk plan.

What needs to be included in consideration of Materiality of an Incident under the SEC rules?

The SEC guidance has provided requirements for each filer to create and define a Materiality Framework to support the consideration of a cyber incident and the potential impact each incident, or accumulation of incidents, has on the financial and operational performance of the company. This framework should consider the following and incorporate qualitative and quantitative measures.

Summary

The SEC fell just short of earlier proposed guidance on Board of Directors requirements for a cyber professional on the Board, but instead addresses this indirectly, by requiring a Board to demonstrate and meet the definition of competency. This is a long-standing requirement within the SEC: each Board has a fiduciary responsibility to the investors, as their representative, for oversight of a company, its management, governance, risk and the direction of the business as a whole. To do so, the Board should be able to demonstrate it has the competency to ensure proper oversight and direction of management.

As such, a new level of competency has arisen that many Boards will struggle to address in 2023 filings. How the SEC reviews, comments, or issues Compliance and Disclosure Interpretations (CDIs) will be interesting to watch.