What the SEC Cybersecurity Proposal Means for You

Disclosure Management
ESG
SEC Reporting
Security
News from the Workiva blog
Author: Steve Soter, Senior Director, Accounting Industry Principal
Published: March 11, 2022
Last Updated: March 21, 2022

With cybersecurity incidents seeming to spread faster than inflation, and with the federal government issuing Shields Up guidance to fend off Russian cyberattacks, the SEC is flexing some disclosure muscle to add transparency to cybersecurity breaches.

Investors stand to gain more information about how companies manage security breaches under the Securities and Exchange Commission’s recent proposal on cybersecurity disclosures.

No doubt, incidents can be costly to investors and to you if an attacker is able to disrupt day-to-day operations, collect a hefty ransom, or steal valuable intellectual property or even customers’ data, not to mention the harm to your corporate reputation while you are scrambling to contain the damage.

Let’s take a look at what the SEC has proposed, plus steps to minimize risk when working with contractors and vendors.

What’s in the SEC cybersecurity proposal

You can read the full proposed rule online, but generally it would require:

  • A Form 8-K filing within four business days of a company determining that a cybersecurity incident is material, plus updates on those incidents in subsequent periodic reports

  • Periodic disclosures regarding policies and procedures to identify and manage cybersecurity risks and management’s role in implementing them

  • Information on the cybersecurity expertise of members of the board of directors

  • Disclosures in Inline XBRL™ (iXBRL™)

Specifically, the SEC wants the Form 8-K to include a brief description of the cybersecurity incident; when it was discovered and whether it is ongoing; its effect on data and on the company’s operations; and what the company is doing about it. For foreign private issuers, cybersecurity incidents would be added to the topics that should be reported on Form 6-K.

We could debate whether those disclosures could give criminals ammunition for future attacks or hinder law enforcement from recovering stolen funds before criminals realize authorities are on to them. But the bottom line is that cybersecurity incidents could happen to any company, and investors want to see how resilient you are if one should happen to you. 

“Cybersecurity incidents, unfortunately, happen a lot,” SEC Chair Gary Gensler said in announcing the SEC proposal. “They can have significant financial, operational, legal, and reputational impacts on public issuers. Thus, investors increasingly seek information about cybersecurity risks, which can affect their investment decisions and returns.

“A lot of issuers already provide cybersecurity disclosure to investors. I think companies and investors alike would benefit if this information were required in a consistent, comparable, and decision-useful manner,” he said.

Be ready for the cybersecurity mandate

The SEC is accepting comments on its proposal, so it’s not final yet. It’s possible companies will have to disclose significant hacks involving not only technology they own, but also systems they use, including those of third-party vendors. 

To prepare for a final mandate, I think organizations would want to:

  • Consider deploying multiple layers of security protections, including multi-factor authentication (MFA), so that a single stolen password is not enough to reach sensitive systems

  • Reassess their security breach detection measures so that a breach is identified promptly; under the proposal the disclosure clock starts once an incident is determined to be material, so slow detection shortens the time available to investigate and respond

  • Integrate cybersecurity into the "G" factor of ESG

  • Vet their vendors' cybersecurity controls and customer service, including how and how quickly the vendor notifies customers of incidents, so organizations can be sure they would be kept informed if a vendor should have a security incident

Reducing risk while working with SEC filing vendors

In the meantime, stay vigilant toward security threats within your company as well as your contractors, partners, or vendors. 

For example, when considering software, look for a native cloud service provider that builds its own software and platform rather than a traditional service provider with digital services bolted on, as Workiva Chief Information Security Officer Eric Anders suggests.

Check that your vendor meets or exceeds recognized standards for cloud service providers (for example, independently audited frameworks such as SOC 2 or ISO/IEC 27001) and employs multiple layers of protection.

Also examine whether your vendor’s software or platform itself has built-in controls, such as role-based permissions and least-privilege access, so that if attackers break in via compromised login credentials, the information they can reach is limited to what that one account was entitled to see.

While no one is immune from a security breach, make sure your vendors are doing all they can to protect you.

Inline XBRL™ and iXBRL™ are trademarks of XBRL International, Inc. All rights reserved. The XBRL® standards are open and freely licensed by way of the XBRL International License Agreement.

About the Author
Steve Soter

Senior Director, Accounting Industry Principal

Steve is Senior Director, Accounting Industry Principal at Workiva. Previously, Steve served as an accounting leader in multiple roles including Vice President and Controller for Backcountry.com, a private equity owned, online retailer of outdoor products, and as the Director of SEC Reporting for Overstock.com (NASDAQ: OSTK), a $2 billion revenue, online retailer of home goods and blockchain technology company. His experience includes multiple acquisitions, debt offerings, an IPO, and the world’s first digital debt and equity offering (by Overstock). Steve is the Executive Advisor of the SEC Professionals Group, and a former member of the US XBRL Data Quality Committee. He began his career as an auditor in public accounting, received his Accounting degree from the University of Arizona, graduating summa cum laude, and received a Master of Accountancy and Information Systems degree from Arizona State University.
