For years, the U.S. Securities and Exchange Commission (SEC) strongly advised public companies to improve their cybersecurity. However, after minimal corporate adoption of stronger cybersecurity, the SEC has drafted rules to require more formal cybersecurity reporting and disclosure.
This requirement copies the strategies of previous legislation that dramatically improved financial reporting for both public and private companies. While the new security proposals have not yet become law, cybersecurity managers can begin to prepare metrics and audits that will not only help comply with those laws, but can also help create positive change now.
Technical managers that can clearly communicate internally to their own executives and board members may discover additional opportunities opening up after the SEC rules become finalized. While most security managers probably cannot serve on the board of directors for their own company, the best communicators will develop a reputation and find themselves recruited for better positions or to serve on the boards of other companies. New roles are coming — even at private companies, where the rules may have an effect too — and cybersecurity pros should prepare for them.
SOX: A Template of Success
Twenty years ago, several huge incidents of financial fraud led to bipartisan support for the Sarbanes-Oxley Act (SOX), which required much stronger rules regarding the financial oversight of public companies. Those changes enforced independent financial auditing of companies and required every board of directors to retain at least one financial expert to ensure the board of directors understands those independent audits.
These rules led to a rapid transformation of corporate boards and ensured clarity for the finances of public corporations. These laws also set expectations for a level of financial professionalism expected for the board members and executives of large corporations, and many private companies also chose to comply with the SOX guidelines.
For example, in the Enron financial fraud, executives and board members claimed ignorance or that they could not understand the financial maneuvering of Enron’s CFO (chief financial officer). After SOX, executives must sign a document every year that states, under penalty of criminal prosecution if they lie, that the executives understand their financial statement.
Board members, in turn, must publicly disclose their financial auditing expertise and experience. In practice, this means that corporations put at least one financial expert on each public board, and that person will become the target of shareholder lawsuits if financial fraud occurs.
The rules themselves did not specify standards for financial competence. Instead, these rules demanded that the management of the company personally sign affidavits of responsibility for the information in the annual reports and that the company must publicly disclose the financial expertise for board members.
In effect, the law increased criminal and financial liability for managers and board members even as it avoided any definition of financial competence. To avoid punitive damages from lawsuits or criminal prosecution, most companies have dramatically improved their financial awareness and reporting.
Proposed SEC Security Changes
The SEC proposal outlines several key requirements designed to improve cybersecurity awareness and reporting for business executives and board members:
- Cybersecurity Incident Reporting
  - Current reporting about material incidents (as already required by the Cyber Incident Reporting for Critical Infrastructure Act of 2022)
  - Periodic reporting about previous incidents
- Cybersecurity Policies
  - Periodic reporting about policies
  - Procedures to identify and manage risks
- Management Requirements
  - Management’s role and expertise in assessing and managing risk
  - Management’s role and expertise in implementing policies and procedures
- Board Oversight
  - Reporting of how the board of directors performs oversight on cybersecurity
  - Disclosure of the board of directors’ cybersecurity expertise, if any
None of the proposals implement any specific requirements for a level of expertise, metrics to hit, tools to implement, or standards for compliance. Instead, these rules use the same tactics as the SOX legislation — compliance and improvement through fear of consequences.
Compliance through consequences
Shareholder, supplier, vendor, and business partner lawsuits can quickly punish corporations, managers, and board members for any SOX infraction. Attorneys pounce on any lack of financial expertise and use it to drive up the financial penalties.
The precedent set in SOX lawsuits easily carries over to lawsuits against private companies as standards of baseline competence. Private companies of all sizes find their managers and board members held to the same competence requirements as public companies.
These SEC cybersecurity rules will not only expose public companies to SEC sanctions and enforcement, they will also create standards that attorneys can use as the basis for cybersecurity lawsuits. As with financial experience, managers and boards that suffer cybersecurity incidents will find any lack of cybersecurity experience exposed and punished financially in lawsuits.
Cybersecurity Preparation Tips
The SEC’s vague rules leave a lot of room for interpretation, but as with SOX, future lawsuits will begin to create standards of competence, defined by what an arbitrator, judge, or jury member finds convincing as a reasonably competent approach. An absence of preparation, implementation, or expertise will probably be punished harshly.
Therefore, we should examine each category and consider what the rules fundamentally request. Our analysis will then need to consider what it will take to prepare to meet that request and how to communicate it clearly, without technical jargon, to our executives, to the board, and possibly to a judge and jury.
SEC cybersecurity incidents preparation
The SEC indicates it will require formal public reporting of current and previous material incidents. The law firm Vinson & Elkins defines a material matter as one in which “a reasonable shareholder would have relied on the information in order to make informed investment decisions, or it would ‘significantly alter…the ‘total mix’’ of information available to the shareholder.”
Vinson & Elkins also provide examples of material events such as:
- Violated security or procedures that create a liability
- Incidents significantly affecting company reputation or financial position
- Incidents affecting company operations significantly
These incidents will typically be measured in financial terms; however, Europe’s GDPR and the U.S. HIPAA regulation have their own requirements that could be considered material regarding the release of personal information.
To satisfy the SEC regulation, organizations need to have internal reporting mechanisms to measure the impact of the cybersecurity events, determine if the event is material, and produce reports on material events.
In the event of a breach, the last thing the tech team will want to do is figure out how to make a report. The IT security manager should work with the CFO and legal counsel to determine the:
- Methodology for event measurement
- Key qualification metrics to define the event as material
- Authorization chain to report events and determine whether events are material
- Report template for material events
- Internal and external report recipients for a material event
- Reporting period (monthly, quarterly, etc.) for past events and the template of information required for those follow-up reports
In an ideal world, a team should also have the time to perform drills or tabletop exercises to simulate an event and practice the reporting process. Practice can reveal overlooked information or expose unrealistic requirements.
SEC cybersecurity policies preparation
Many technical tools use the term “policy” to describe the settings within the tools. For example, for a server, the password policy defines the password complexity, length of time before the password needs to be reset, and how many incorrect logins will result in a disabled credential.
However, for compliance, the term policy actually refers to a written document that contains the goals, objectives, and minimum standards the company will enact. From a compliance standpoint, those server settings simply enforce the written policy that should already be reviewed and approved by management, compliance, and legal.
However, in turn, those policies are supposed to address the risks of the organization. The password policy provides one of many controls to prevent unauthorized access to company resources, and those controls address the risk of insider and third-party threats for sabotage, data breach, and theft.
Risk analysis and policies provide the foundational documents upon which all IT operations and security are supposed to be based. In fact, the U.S. National Institute of Standards and Technology (NIST) provides guidance on IT security maturity, and without written policies, an organization cannot even be considered to have reached the lowest level of IT security maturity.
In preparation for SEC requirements, IT security managers should verify the preparation and corporate approval of:
- Risk Report
  - At least IT technical risks, but ideally general business risks as well
  - Specific risks
  - Likelihood of each risk without controls in place
  - Controls and policies that address specific risks
  - Likelihood of each risk with controls and policies in place
- Policies should cover categories of risk and will often be titled for the type of controls such as:
- Policies should define minimum standards for controls to meet to mitigate risks.
- Controls should be implemented to meet or exceed policy requirements
- For companies without existing policies, policies can be written that describe current IT standards in place (assuming they are sufficient).
Once the documentation is in place, IT security managers need to test the controls to verify that they meet the standards and that the controls truly mitigate the risk. This can be satisfied through periodic vulnerability scans, penetration tests, and asset-recovery exercises.
Lastly, a review of these documents and testing needs to be conducted on a regular basis to demonstrate active consideration of potential new risks to the organization.
SEC Management Requirements & Board Oversight Preparation
The SEC requirements indicate that they expect management of the company to play a meaningful role in:
- Assessing and managing risk
- Developing risk reports, policies, and controls
- Implementing policies, procedures, and controls
The SEC also expects the board of directors to perform due diligence into the status, development, and management of cybersecurity risks, controls, and reporting.
Of course, most companies don’t have this in place, or the SEC would not be creating a new requirement. The preparation for these requirements depends upon the current status of the company, and IT security managers should help the company transition through stages of cybersecurity maturity.
Establishing formal risk analysis and policies
Based on NIST’s IT security maturity guidance, the first step will be for the IT security manager to work with corporate management to establish formal risk analysis and policies. Many organizations still need to begin here because many executives and board members have limited technical ability.
Some of these organizations won’t even have a chief information officer (CIO) or chief information security officer (CISO) that participates in the executive suite and that would count as a participating manager. IT security managers and other concerned executives need to start with opening lines of communication that frame all technical issues in terms of the business and associated risks.
IT security managers must listen to executives or directors and help these non-technical stakeholders define what they need to know to feel that cybersecurity measures are solid and in place. Then, IT security managers can create plain-English reports, tests, and simple metrics to satisfy those needs and demonstrate that the IT security team understands and is addressing business risks.
Risk analysis reports and policies should be drafted, approved by executives, and made easily available to executives and board members. Policies should clearly cover risks, controls, responsibilities, and penalties for policy violation.
This communication should be recorded and eventually turned into reports. Between records of communication and signed policies, the company can minimally satisfy the SEC requirements.
Fortunately, most of these policies will be inexpensive to develop and implement — other than the time required to be invested in their development. Most companies already have procedures designed, implemented, and tested and will simply document them as written policies.
Establishing policies and procedures and testing security
Once policies are in place, to proceed to subsequent levels the organization should:
- Develop procedures based on those policies (Level 2)
- Implement those procedures (Level 3)
- Test that the procedures have been implemented and address the risk (Level 4)
Many organizations will find it easy to race through levels two through four based upon procedures already implemented and tested for the organization. The testing and reporting at these levels may need to be performed more formally than before and can be adjusted to ensure they remain understandable to less technical executives and board members.
However, beyond the NIST maturity levels, the organization needs to integrate cybersecurity expertise into the executive levels and within the board of directors. Ideally, a security manager should be within the C-suite and should be helping to integrate security concerns into business processes, so other managers can become more involved.
The company will need to recruit or train a board member to be a cybersecurity expert. Formal and informal education on cybersecurity topics should be provided for executives, board members, and even for the organization as a whole.
Most public companies already operate close to one of these levels, but will need to improve their formal reporting and documentation. They will also need to formally designate or establish cybersecurity experts among their managers and board members.
Reaching full integration of cybersecurity concerns
To effectively shield against legal liability, organizations should strive to reach full integration of cybersecurity concerns throughout the organization. NIST describes this level as one in which:
- Effective implementation of IT security controls is second nature
- A comprehensive IT security program is an integral part of the culture
- Costs and benefits of IT security are measured as precisely as practical
- Status metrics for the IT security program are established and met
The SEC probably also would like to see cybersecurity issues embedded into regular decision-making processes for business managers and for the board of directors to have at least one member with formal cybersecurity expertise.
Internal cybersecurity managers can help with this process by maintaining open and clear communication channels with other executives and by helping to recruit and verify the cybersecurity capabilities of candidates for the board of directors.
The Future of Cybersecurity Competence in Enterprises
Public companies will be the first with a legal requirement to implement SEC rules, but eventually, everyone will find themselves held to similar standards of cybersecurity competence. Fortunately, while many organizations might fail to have the formal policies necessary to reach Level 1 of NIST IT Security Maturity, many already have controls implemented and tested and can improve their maturity with minor effort.
Some executives and some organizations will continue to drag their feet and avoid cybersecurity issues, but the risks of damage from cyberattacks continue to grow daily. With these new SEC rules in place, soon the punitive damages from the SEC (for public companies) and from private lawsuits will become enormous. Faced with huge potential cybersecurity liabilities, companies will be forced to mature in their approach to cybersecurity or risk going out of business entirely.