New SEC Rules Mandate Cybersecurity Disclosure


March 22, 2022


What Is The Proposed SEC Cybersecurity Disclosure Rule and Why Is It Important?

It’s rare that we go a day without hearing about cybersecurity and resilience in one form or another. Maybe it’s a new strain of ransomware, perhaps a geopolitical issue that may drive a surge in threat activity, or perhaps a third party that, unknowingly compromised, was providing services to well-known (or not-so-well-known) entities and held personally identifiable information (PII). Whether or not we’re cybersecurity professionals, we can all think back over the last several weeks and recall several such events, if not more.

With continual emphasis on the dynamic cybersecurity landscape, regulatory bodies have continued to provide frameworks, advice and guidelines for particular industries and activities. Recent examples include the FDIC, OCC and Federal Reserve jointly issuing security incident reporting regulations for their covered entities in 2022. On March 9, however, the SEC issued a proposed rule focused on strengthening cybersecurity posture that would apply to over 8,000 public and foreign SEC registrants.

The proposed cybersecurity disclosure rule has three main components: incident disclosure, cybersecurity program disclosure and Board of Directors education disclosure.

Specifically, the proposal would:

  • Require current reporting about material cybersecurity incidents on Form 8-K;

  • Require periodic disclosures regarding, among other things:

    • A registrant’s policies and procedures to identify and manage cybersecurity risks;

    • Management’s role in implementing cybersecurity policies and procedures;

    • Board of directors’ cybersecurity expertise, if any, and its oversight of cybersecurity risk; and

    • Updates about previously reported material cybersecurity incidents; and

  • Require the cybersecurity disclosures to be presented in Inline eXtensible Business Reporting Language (Inline XBRL).

Our Perspective

Cybersecurity activities continue to be top of mind across industries. We have seen recent cybersecurity-centered proposals for registered investment advisors and funds, but the proposed SEC rule removes the industry lens and captures the ongoing importance of corporate governance and security awareness. For instance, its specific elements highlight the need for cybersecurity experience and training directly within the Board of Directors.

The proposed rules center on leading practices that organizations should strive to achieve even where regulation does not require them. The ruleset emphasizes scalable programs designed to integrate cybersecurity as a business enabler. While the details of the final rule may vary slightly, the principles of risk management, governance, resilience and attention to third parties are best-practice areas for any cybersecurity program and can’t be ignored.

The time to act is now. Starting a programmatic approach today will position an organization to be ready when the disclosure rules take effect. Because the proposed rules are wide-ranging in coverage and touch multiple facets of a cybersecurity program, organizations that wait to start an integrated approach will have to play catch-up across myriad areas, including:

  • Cybersecurity risk assessment policies, procedures and outcomes

  • Third-party vendor management, including analysis of risk frameworks, which must be embedded within company policies and procedures to identify the cybersecurity risks associated with the use of third parties

  • Actions undertaken to prevent, detect and minimize effects of cybersecurity incidents

  • Business resilience activities, including incident response

  • Understanding the feedback loop to leverage prior information and incidents to enhance the overall cybersecurity program (people, process, technology and analytics)

  • Integration of cybersecurity risk management within the enterprise strategy

As the trusted cybersecurity partner for many leading organizations, our goal is to highlight these elements quickly, drive awareness and promote cybersecurity across the enterprise. With the proposed rules affecting both financial reporting and operational activities, there has never been a more important time to elevate the cybersecurity conversation within your organization.

Optiv stands ready to help. Please don’t hesitate to contact us at info@optiv.com.

Adam Wisnieski
Director, Strategy & Transformation | Optiv
Adam is responsible for the development and delivery of cybersecurity programs and integrated risk management services to Optiv clients. His years of global risk management, technology and process consulting experience help him develop realistic, well-grounded cybersecurity programs that span operational, cybersecurity, regulatory, financial and strategic risk elements.
