What the SEC Cybersecurity Proposal Means for You
With cybersecurity incidents seeming to spread faster than inflation, and with the federal government issuing Shields Up guidance to fend off Russian cyberattacks, the SEC is flexing some disclosure muscle to add transparency to cybersecurity breaches.
Investors stand to gain more information about how companies manage security breaches under the Securities and Exchange Commission’s recent proposal on cybersecurity disclosures.
No doubt, incidents can be costly to investors and to you if a hacker is able to disrupt day-to-day operations, collect a hefty ransom, or steal valuable intellectual property or even customers’ data—not to mention harm your corporate reputation as you’re scrambling to contain the damage.
Let’s take a look at what the SEC has proposed, plus steps to minimize risk when working with contractors and vendors.
What’s in the SEC cybersecurity proposal
You can read the full proposed rule online, but generally it would require:
An 8-K filing within days of material cybersecurity incidents, plus updates on those incidents
Periodic disclosures regarding policies and procedures to identify and manage cybersecurity risks and management’s role in implementing them
Information on the cybersecurity expertise of members of the board of directors
Disclosures in Inline XBRL™ (iXBRL™)
Specifically, the SEC wants the 8-K to include a brief description of a cybersecurity incident, when it was discovered and whether it is ongoing; its effects on data and on the company’s operations; and what the company is doing about it. For foreign private issuers, cybersecurity incidents would be added as topics that should be reported on a 6-K.
We could debate whether those disclosures could give criminals ammunition for future attacks or hinder law enforcement from recovering stolen funds before criminals realize authorities are on to them. But the bottom line is that cybersecurity incidents could happen to any company, and investors want to see how resilient you are if one should happen to you.
“Cybersecurity incidents, unfortunately, happen a lot,” SEC Chair Gary Gensler said in announcing the SEC proposal. “They can have significant financial, operational, legal, and reputational impacts on public issuers. Thus, investors increasingly seek information about cybersecurity risks, which can affect their investment decisions and returns.
“A lot of issuers already provide cybersecurity disclosure to investors. I think companies and investors alike would benefit if this information were required in a consistent, comparable, and decision-useful manner,” he said.
Be ready for the cybersecurity mandate
The SEC is accepting comments on its proposal, so it’s not final yet. It’s possible companies will have to disclose significant hacks involving not only technology they own, but also systems they use, including those of third-party vendors.
To prepare for a final mandate, I think organizations would want to:
Consider deploying multiple layers of security protections, including multi-factor authentication
Reassess their security breach detection measures so that they would be aware of a breach promptly
Integrate cybersecurity into the "G" factor of ESG
Vet their vendors’ cybersecurity controls and customer service, so that they can be confident of being kept informed if a vendor has a security incident
Reducing risk while working with SEC filing vendors
In the meantime, stay vigilant toward security threats within your company as well as your contractors, partners, or vendors.
For example, when considering software, look for a native cloud service provider that builds its own software and platform rather than a traditional service provider with digital services bolted on, as Workiva Chief Information Security Officer Eric Anders suggests.
Check that your vendor meets or exceeds standards for cloud service providers and employs multiple layers of protection.
Also examine whether your vendor’s software or platform itself has built-in controls, so that if hackers break in via compromised login credentials, the information they can access will be limited.
While no one is immune from a security breach, make sure your vendors are doing all they can to protect you.
Inline XBRL™ and iXBRL™ are trademarks of XBRL International, Inc. All rights reserved. The XBRL® standards are open and freely licensed by way of the XBRL International License Agreement.