New rules require a detailed assessment of supply chain and organizational resilience
Yesterday the US Securities and Exchange Commission (SEC) voted 3-2 to issue long-awaited regulations that mandate uniform cyber incident disclosures for public companies.
The SEC’s rulemaking process has been lengthy and controversial, and cybersecurity experts and business advocates have been eagerly awaiting the release of the final rules after more than a year of public comment and lobbying from business and cyber experts. The SEC made notable changes to the rules in response to public comments. Still, it retained the four-day reporting requirement for public companies once an organization determines that a material cybersecurity incident has occurred.
Determining materiality will require organizations subject to the rule to have full visibility into their own cyber risk posture and that of their suppliers and partners. While the headline is a requirement to report within four days in a new standardized 8-K disclosure, the substance of the rule will require a much greater focus from the C-suite in driving insights and spending to ensure compliance and real-time visibility into diverse threats facing public companies.
The final rules will become effective 30 days following their publication in the Federal Register.
There are three major takeaways we want to highlight from the rules and what we expect in the coming months:
The SEC did listen to public comments and concerns
Earlier versions of the rule would have required regular disclosure of specific Board roles, qualifications, and oversight of cybersecurity matters. The final rule dropped this requirement and imposed greater responsibility on management teams and C-Suite executives to oversee risk management and strategy regarding cyber threats in particular.
The Commission also made notable changes in two areas. It now provides for delays to the reporting requirement in cases involving national security and/or public safety. It also changed the scope of information required to be disclosed, which cyber experts had cautioned could become a roadmap for further exploits by cyber adversaries.
No rule or statute is ever perfect, and we expect these rules will continue to evolve over time as lessons are learned from implementation. The SEC received 150 comments on its proposed rules, and we anticipate business advocacy, shareholder rights groups, and technical experts will continue to help the agency improve the scope of the rules.
Transparency into cyber risk at all levels is vital
As the SEC notes, public companies share varying amounts of detail and data when disclosing cyber events to investors today. In an effort to enhance transparency and build trust with investors, the new SEC rules will require companies to handle disclosures consistently and transparently using a modified Form 8-K. Public companies will also be required to address ongoing cyber risk management in Annual Reports.
For example, the final rule notes that historically, most disclosures “do not describe their cybersecurity risk oversight or any related policies and procedures, even though companies typically address significant risks by developing risk management systems that often include written policies and procedures.”
Once the new requirements take effect, public companies will be required to disclose:
- A description of their cybersecurity risk assessment program.
- Any assessors, consultants, auditors, or third parties that contribute to their cybersecurity risk assessment.
- Policies and procedures to “oversee, identify, and mitigate” third-party cyber risk.
- Activities to prevent, detect, and minimize cybersecurity incidents.
- Business continuity, contingency, and recovery plans for cyber incidents.
- Previous cybersecurity incidents that have informed changes in governance policies, procedures, and technologies.
- How cyber risks have or are “reasonably likely” to affect “operations or financial condition.”
- If cybersecurity risks are considered part of the “business strategy, financial planning, and capital allocation, and if so, how.”
Third-party cyber risk is a material business risk
The SEC’s final rule mentions the term “third-party” 39 times total, and third-party risk was heavily debated. The final rule specifically calls out third-party cyber risk and notes:
Cybersecurity incidents occurring on third-party systems are NOT exempt
The Commission explains that recent cybersecurity trends, including the increasing reliance on third-party service providers, underpinned the need for these new requirements. In fact, recent research by SecurityScorecard and The Cyentia Institute, an independent cybersecurity research firm, is cited directly in the SEC’s final rule:
“A recent study by two cybersecurity firms found that 98% of organizations use at least one third-party vendor that has experienced a breach in the last two years.”
A typical company deals with thousands of vendors and must look at risk in the context of this complex ecosystem. The attack surface risk is exponentially high.
Cybersecurity is a fiduciary responsibility
Cyber risk is an existential threat to businesses. Companies face significant monetary and reputational consequences if they do not seriously prioritize cybersecurity. If a company is breached, it affects stock price, market capitalization, and customer trust.
The four-day disclosure requirement outlined is consistent with other SEC materiality disclosures required on Form 8-K. While debates over the scope of disclosures required will continue, the SEC’s rules signal a new demand for greater oversight and communication of cyber risk, just as for any other material business risk.
The requirement means security teams will need to adopt new tools and new language to ensure their management teams have complete visibility into cyber threats and potential implications. What’s clear is that technical teams will need new ways to communicate with leadership to ensure they understand cyber risk as they would any other material business risk.
Compliance will be a journey
Organizations should leverage the predictive power of security ratings as they begin charting their compliance.
As noted above, the rules will certainly change over time. Companies affected must start on their compliance journey today and leverage tools and processes to help them assess risk and communicate with the diverse stakeholders involved in ensuring the organization meets the standards set out in the new rules.
Cybersecurity ratings measure risk and predict the likelihood of incidents from the outside in and are an accepted independent metric of an organization’s risk posture. Organizations with poor security ratings are 13.8 times more likely to experience an incident. The analysis is grounded in empirical industry benchmark data.
Organizations can identify gaps and effectively prioritize mitigation strategies by regularly measuring cybersecurity posture. Cyber ratings are also used to inform stakeholders, including customers, partners, and regulators, instilling confidence in the organization’s ability to protect them and fostering a culture of transparency.
Strong cybersecurity is now a core promise of business and government. A globally trusted method for measuring and tracking cybersecurity risk will enable greater transparency and information sharing between the public and private sectors.
The SecurityScorecard team looks forward to engaging with organizations to streamline compliance with the new regulations and provide management teams with new tools to manage ongoing risk.
In the world of financial markets, investors rely on credit ratings to estimate risk. With that in mind, the Marsh McLennan Global Cyber Risk Analytics Center and SecurityScorecard came together to study how cybersecurity ratings can be used to understand cyber risk.