The New SEC Rules: Not Your Mother's Cybersecurity

August 23, 2023

The SEC has established new rules for cybersecurity risk management, governance and reporting. Their purpose is to give investors and shareholders transparency into cyber risk.

It effectively establishes cyber risk as a risk at the same level as every other corporate risk and creates a “seat at the table” for CISOs. Companies that take the new guidelines to heart will need to rethink their approach and culture around cyber risk and cybersecurity.

What this effectively means is that companies must demonstrate that they have an appropriate level of cyber risk management and governance in place and report on this quarterly in a filing with the SEC. In the event of a cyber incident, a process must be in place to determine its materiality and to file high-level details of the incident.

Setting the record straight on the SEC rules

The new rules are broad and descriptive. They require the top cybersecurity risk management leader to collaborate with the business unit leaders and the entire C-suite to determine the company’s risk profile using qualitative and quantitative measures that are an accurate reflection of risk (not cybersecurity maturity). Companies will be required to report and attest to the SEC on an established risk management process quarterly. Registrants will be required to have the necessary risk monitoring in place for 100% of their digital footprint (including third-party suppliers), to know when something is exceeding pre-established thresholds of risk, and to have an action plan to mitigate the risk.

Registrants are not required to report on cyber incidents within four days of occurrence. Instead, they will need a method to assess the materiality of an incident or a collection of related but separate incidents, and to file a report with the SEC once that incident is determined to be material.

A key qualitative change needs to be recognized in the risk assessment process: It is not enough to understand a material impact in terms of the company’s financial accounts or its operational impact. It must also be understood in terms of the impact on those to whom the company has a duty of care: trading partners, customers and clients. Risk assessment methods must account for the impact that a breach of confidentiality, integrity, availability or authenticity will have on others.

This is the duty of care and is the new standard for reasonable security. The duty of care requires that a person act toward others and the public with the watchfulness, attention, caution and prudence that a reasonable person in the circumstances would use. If a person's actions do not meet this standard of care, then the acts are considered negligent, and any damages resulting may be claimed in a lawsuit for negligence.

I translate duty of care in cybersecurity terms this way:

As the executive overseeing the company’s efforts for cyber risk management, governance and reporting, were I to be deposed by hostile counsel regarding an incident, the gold standard is to be able to demonstrate that the holistic control design (process and technical) is the necessary and sufficient set of controls for this enterprise, and further that the controls are in place and operating effectively 100% of the time.

What this will require is 100% visibility into, and context for, 100% of the environment 100% of the time, so that one can attest with confidence that controls are in place and operational to meet the duty of care.

Here’s a 5-step strategy to get started:

1. Describe the necessary outcomes to define your duty of care, not only to shareholders and investors, but to the parties who do business with you. An example of an outcome is that the confidentiality and integrity of 99.999% of patient records is assured. Another example would be that the accuracy and integrity of all entries to the general ledger is within 0.01%. Every company will have its own set of outcomes, and they should be the necessary and sufficient set to demonstrate duty of care to a skeptic.

Be specific and complete about outcomes. This is a critical foundational step and one that will help with the determination of materiality for cybersecurity incidents.

2. Ask what it would take for the necessary outcomes to be true. This can be done in terms of functional descriptions of both technical and process controls. For example, to ensure the confidentiality and integrity of 99.999% of patient records, it would be necessary to have a complete data inventory and data governance and management practices. Identity and access management would need to meet zero trust standards. There should be no aging accounts, and account de-provisioning must take place within hours, if not minutes, of notification of an HR change event. Privileged account management would be under strict controls, and vulnerability management would ensure that all critical vulnerabilities were addressed before known exploits are released in the wild.

3. Establish governance and accountability. The governance of cyber risk management is now a participative and active responsibility of the executive team, and the CISO is one of the team members but not the owner. Strong governance with enforcement and regular monitoring is essential to change the culture around cyber risk management. Every business unit will have remediation work to complete and track. Ensure that the accountability for implementation of controls rests with the appropriate business unit and is not perceived to be the responsibility of any single group like IT or security. A company that doesn’t embrace strong governance and regularly debrief and inspect progress on accountability will fail with the new SEC rules.

4. Do the gap analysis between the “AS IS” state and the “TO BE” state. A word of caution — this must stand up to skeptical scrutiny. Ask the question again and again: “Is this really how it is, or is this how you think it should be?” Be ruthlessly truthful. This is not the time to try to put lipstick on a pig.

5. Qualify the gaps and quantify them in terms of materiality. This will give those accountable for oversight clarity on the size of the existing risk and a clear set of action items for monitoring risk reduction. It will provide the basis for demonstrating due diligence to a defensible standard of care, and necessary expenditures for risk reduction will have a compelling rationale tied to the SEC reporting requirements.

Karen Worstell
Senior Cybersecurity Strategist | VMware
Karen Worstell serves as senior cybersecurity strategist for VMware in the Network and Advanced Security Group where she regularly advises private companies as well as state and local governments on cybersecurity strategy.

Her more than 30 years of experience spans multiple industry verticals in research and engineering, consulting and advisory, and operational roles leading security and BCDR at Bank of America, AT&T Wireless, Microsoft and Russell Investments. She has served on the U.S. Department of Commerce security advisory boards, Aerospace Industries Association and National Security Telecommunications Advisory Committee.

Optiv Security: Secure greatness.®

Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to nearly 6,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit www.optiv.com.