Share:

Security Exchange Commission (SEC) Proposed Rulings on Cybersecurity – Key Take Aways

Introduction

The SEC is getting serious about cybersecurity with proposed rulings that increases expectations on cybersecurity compliance and reporting. In combination with the SEC’s recent issuance of a “Wells Notice” to the executives at Solar Winds for that company’s response to its 2021 cybersecurity breach, personal liability for executives is also raising the stakes. As historical precedent, the SEC issues Wells notices to firms when it is planning to bring enforcement action against them.

For context, the SEC drafted proposed rules for cybersecurity requirements in 2022. The finalization of the rules, originally targeted for April 2023 is now anticipated to be effective as of October 2023.

The proposal would require all Market Entities to

  • implement policies and procedures that are reasonably designed to address their cybersecurity risks and,
  • at least annually, review and assess the design and effectiveness of their cybersecurity policies and procedures, including whether they reflect changes in cybersecurity risk over the time period covered by the review.
  • There are also disclosure requirements in the proposal as follows.

Proposed Disclosure Requirements in the proposed rules

  • New public disclosure requirements for Covered Entities would improve transparency about the cybersecurity risks that can cause adverse impacts to the U.S. securities markets.
  • four-business-day notification deadline for reporting material cybersecurity incidents. The four-business-day notification deadline would start running on the date the company determines that a cyber incident was material, not the date the incident is discovered.
  • Mandatory disclosures regarding the board of directors’ oversight of cybersecurity risk and individual board members’ cybersecurity expertise; and
  • Mandatory disclosures regarding the role of management in addressing cybersecurity risk.
  • Under the proposed rule, public companies would be required to report “material cybersecurity incidents” via Form 8-K (i.e., a type of immediate disclosure companies are required to file for specific types of events the SEC determined are too time-sensitive to wait for quarterly or annual filings).
  • Key elements of the disclosure would include:
    • When the incident was discovered and whether it is ongoing.
    • A brief description of the nature and scope of the incident.
    • Whether any data was stolen, altered, accessed, or used for any other unauthorized purpose.
    • The effect of the incident on the company’s operations; and
    • Whether the company has remediated or is currently remediating the incident.

Regarding “Mandatory disclosures regarding the board of directors’ oversight of cybersecurity risk and individual board members’ cybersecurity expertise” I recently attended a panel discussion on this topic hosted by a well-known executive recruiter and technology company. Key points raised:

  • Will the board cybersecurity “expert” need to be an ex-CSO?
  • If they are, will they have greater liability that other board members should there be a breach?
  • How does the entire board take responsibility, without abdicating to the expert, the fiduciary responsibilities for cybersecurity compliance?

As the Chinese Proverb states “May you live in interesting times”. If you are in cybersecurity, these are interesting times indeed.

Thanks for reading.

— Nick

download a free copy of chapter 1.

  • This field is for validation purposes and should be left unchanged.

About Nick Shevelyov

Nick Shevelyov is a specialist in cybersecurity, information technology, data privacy, and risk management with experience in multiple industries—from an engineering to executive and board advisory level. See his LinkedIn profile for career history. A guest speaker at a variety of industry events, Nick has an undergraduate degree in economics, an executive MBA, and CISSP, CIPP, and CISM industry certifications.