Industry Leaders Say the US Securities and Exchange Commission’s Proposed Rules Would Set New Cybersecurity Requirements
The National Association of Corporate Directors, SecurityScorecard, and Cyber Threat Alliance Conclude Proposed Rules Would Strengthen the Ability of Public Companies, Funds and Advisors to Combat Cybersecurity Threats and Implement Risk Mitigation Processes
NEW YORK (April 14, 2022) — The National Association of Corporate Directors (NACD), SecurityScorecard, and the Cyber Threat Alliance today released a report, “An Update on the State of the SEC’s Approach to Cyber Risk,” that examines the U.S. Securities and Exchange Commission’s recently Proposed Rules and Amendments on cybersecurity reporting requirements for public companies. The report concludes that the Proposed Rules, if enacted as currently drafted, would strengthen the ability of public companies, Funds and Advisors to combat cybersecurity threats and implement risk mitigation processes.
“Preparing effective disclosure of material cyber risks and incidents has long been a key principle of cyber risk oversight advocated by NACD,” said Friso van der Oord, senior vice president of content at NACD. “The SEC’s actions in the past year, paired with recently released rules, draw a line under the critical role of management and boards in protecting not just investors and customers, but also the sound functioning of American business.”
The report highlights the SEC’s increased commitment to cybersecurity, holding more companies accountable not just for egregious cyber-related violations, but also for misleading public statements about cybersecurity risks and events. The report cites several recent cases in which the SEC took action because organizations failed to file suspicious activity reports (SARs) and disclosures, or provided misleading statements related to a cyberattack. These cases underscore the importance of classifying, escalating and reporting actual or suspected incidents to the senior company leaders who are responsible for public-facing statements and regulatory reporting obligations.
On Feb. 9, the SEC proposed new reporting and recordkeeping requirements for Advisors and Funds. The Proposed Rules include reporting significant cybersecurity incidents to the SEC within 48 hours, implementing written cybersecurity policies and procedures to minimize operational risks, and recordkeeping that includes copies of documented annual reviews of the cybersecurity policies and procedures in effect over the prior five years. Companies would also need approval from the board of directors on cybersecurity policies and procedures.
Market-makers and broker-dealers are excluded from these Proposed Rules, but the SEC is considering broadening reporting obligations in the near future.
On March 9, the SEC issued its Proposed Rules for Public Companies that include disclosure of any material cybersecurity incidents within four days of discovery, reporting of prior immaterial cybersecurity incidents that become material, and disclosure of policies and procedures to identify and manage cybersecurity risks. The Proposed Rules also call for Board oversight of a company’s cybersecurity risk and implementation of related policies.
While the Proposed Rules do not mandate the deployment of continuous monitoring solutions, the SEC’s discussion of the required elements for both sets of Proposed Rules supports such solutions.
“Currently most organizations lack continuous visibility into vulnerabilities across their vendor ecosystem,” said Sachin Bansal, Chief Business and Legal Officer at SecurityScorecard. “Organizations need an automated, integrated and collaborative approach to gaining this visibility; it’s crucial to business continuity and to adhering to the new policies and procedures set forth by the SEC.”
Additionally, third-party risks remain a key area of focus for the SEC, particularly for third parties that have access to confidential information or that are critical to operations. The SEC is considering new measures that would require companies to identify service providers that could pose cybersecurity risks and hold organizations accountable for a service provider’s lack of cybersecurity measures. As a result, companies may be liable for data security incidents involving vendors and other third parties, which may impact disclosure obligations.
As evidenced by the Biden administration’s May 2021 Executive Order on Improving the Nation’s Cybersecurity, these issues are a federal priority. The SEC’s increasing cybersecurity scrutiny is supported by other federal interagency collaboration efforts as well, including the Cybersecurity and Infrastructure Security Agency (CISA), Financial Stability Oversight Council (FSOC) and public-private partnerships.
“Every organization faces cyber-related risk,” said Michael Daniel, president and CEO, Cyber Threat Alliance. “It’s important that publicly traded companies appropriately disclose that risk so that investors can make informed decisions; in turn, better informed decisions create the market incentive for increased security across the ecosystem. The Securities and Exchange Commission has clearly prioritized increasing the accuracy and volume of disclosures, and public companies (and those that want to become public) should pay attention. This paper lays out the SEC’s major moves over the last year, identifying the key changes and updates. If you want the executive summary version, this paper provides it.”
To access the full report, visit the “State of Cyber Risk Disclosures.”
This report follows the March 2021 report, “State of Cyber-Risk Disclosures of Public Companies.”
About The Cyber Threat Alliance
The Cyber Threat Alliance (CTA) is a 501(c)(6) non-profit organization that is working to improve the cybersecurity of our global digital ecosystem. CTA is the industry’s first formally organized group of cybersecurity practitioners that work together in good faith to share threat information and improve global defenses against advanced cyber adversaries. CTA’s mission is to facilitate the sharing of actionable intelligence and situational awareness about sophisticated cyber threats to improve its members’ cyber defenses, more effectively disrupt malicious cyber actors around the world and raise the level of cybersecurity throughout the Internet and cyberspace. The alliance is continuing to grow on a global basis, enriching both the quantity and quality of the information that is being shared across the platform. CTA is actively recruiting additional regional players to enhance information sharing to enable a more secure future for all. For more information about CTA, please visit: https://www.cyberthreatalliance.org.
About the National Association of Corporate Directors
The National Association of Corporate Directors (NACD) empowers more than 23,000 directors to lead with confidence in the boardroom. As the recognized authority on leading boardroom practices, NACD helps boards strengthen investor trust and public confidence by ensuring that today’s directors are well prepared for tomorrow’s challenges. World-class boards join NACD to elevate performance, gain foresight and instill confidence. Fostering collaboration among directors, investors, and corporate governance stakeholders, NACD has been setting the standard for responsible board leadership for 40 years. To learn more about NACD, visit www.NACDonline.org.
About SecurityScorecard
Funded by world-class investors including Evolution Equity Partners, Silver Lake Partners, Sequoia Capital, GV, Riverwood Capital, and others, SecurityScorecard is the global leader in cybersecurity ratings with more than 12 million companies continuously rated. Founded in 2013 by security and risk experts Dr. Aleksandr Yampolskiy and Sam Kassoumeh, SecurityScorecard’s patented rating technology is used by over 25,000 organizations for enterprise risk management, third-party risk management, board reporting, due diligence, cyber insurance underwriting, and regulatory oversight. SecurityScorecard continues to make the world a safer place by transforming the way companies understand, improve and communicate cybersecurity risk to their boards, employees and vendors. Every organization has the universal right to its trusted and transparent Instant SecurityScorecard rating. For more information, visit securityscorecard.com or connect with us on LinkedIn.