SEC tightens cybersecurity rules in 2023
2023 saw Federal authorities ratcheting down on Cybersecurity. In July, the U.S. Security and Exchange Commission [SEC] issued the latest final rules that enhance the SEC’s cybersecurity disclosure requirements.
The new SEC Rules: Holding corporate boards accountable
While this has been a topic of concern since cybercrime began to kick up in 2011, the new rule refines provisions in Regulations S-K and S-X. It emphasizes maintaining comprehensive cyber policies and procedures and provides detailed requirements for disclosing cyber risks and incidents. Perhaps most importantly it holds corporate boards — not management or tactical teams — accountable for this expectation.
Key requirements of the new SEC cybersecurity rules
According to the new rule, public companies must describe their cyber risk management program — how the company assesses, identifies, and addresses cyber threats, and how the board actively monitors those activities. These must be disclosed in their Annual Report (Form 10-K) going forward.
Notably, cyber incidents must be disclosed within 4 days with possible exception only if the incident poses a substantial threat to public safety or National Security. The report must describe the “nature, scope, and timing; and [the] impact or reasonably likely impact on the registrant, including its financial condition and results of operations” as well as its material affect (real or projected) of its impact on business strategy. Once again, the rule is specific about the the board’s responsibility for active oversight of cyber risk — including specifying which board committee or subcommittee is tasked with that expectation.
In her excellent writeup, Understanding the New SEC Cybersecurity Rules: A Guide for Executives, Sophos News’s Julia Davila suggested “The board should have processes to be informed about cybersecurity risks and incidents.”
The role of threat modeling in SEC compliance
As a lifelong evangelist for practical Threat Modeling, interest in this technique has ebbed and flowed over the decades depending on industry and business risk appetite — but its value has never diminished. It remains one of the best tools for informing corporate risk posture, and an Annual SEC Report that does not include it as part of its cyber risk mitigation description places the board at a significant disadvantage and is likely to raise eyebrows.
There are many excellent tools that can detect known cyber threats. But only a focused, diligent, and persistent discovery specific to the organization and its real-time business activities and cyber protection state can detect anticipated threats. Threat Modeling can not only satisfy SEC expectations; it can help the board guide the company toward optimal security investment.
Understanding the 4-Day Disclosure rule and its implications
The 4-day disclosure rule should make most public companies sit up and take notice. A cyber incident discovered on a Friday, must be disclosed on the following Monday–even if it’s unclear whether the anomaly was malicious or accidental, what the root cause or impact is, or how to begin to contain or correct it.
That places a huge burden on corporate boards to ensure actionable cyber incident response plans are in place, including the specific procedure that will be used to determine the confidence threshold for the anomaly. Without that, costly mistakes will be made. The days of loosey-goosey tabletops are over. The new rule requires that cyber incident response must be deliberate and prescriptive to avoid regulatory impacts.
The critical need for informed cybersecurity leadership on corporate boards
Bottom line, board members won’t be able to skate on the topic of cybersecurity. If there is not already a strong, informed presence with real-world experience and perspective represented on the board, it’s time to get one.
Bar Lockwood Principal Consultant – Security for Kalles Group, Seattle, WA. She has 25 years of experience in Cybersecurity and helped pioneer the integration of security into software development.