SEC's Proposed Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies

Learn more about the SEC's Proposed Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies.

“Today, cybersecurity is an emerging risk with which public issuers increasingly must contend,” states SEC Chair Gary Gensler.

The SEC’s proposed rules and amendments would build on that view by standardizing the disclosures that public companies subject to the Securities Exchange Act of 1934 must make about cybersecurity risk management, strategy, governance, and incidents.

The centerpiece of the proposal, released in March 2022, is a requirement that public companies disclose a cybersecurity incident within four business days of determining that the incident is material to the company.

The proposal attaches several related conditions to this requirement, which are detailed in the proposing release. It also adds new disclosure items to Forms 10-K and 10-Q so that investors receive more timely information about registrants’ cybersecurity posture.

What Does the SEC's Proposed Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies Mean?

In the words of SEC Chair Gary Gensler, the “SEC disclosure regime has evolved alongside the evolving risks and investor needs.” More specifically, the core of the proposal is proposed Item 1.05 of Form 8-K, which would require companies not only to disclose a material cybersecurity incident within four business days of the materiality determination but also to describe the incident: when it was discovered and whether it is ongoing, whether data was stolen, altered, accessed or used for any other unauthorized purpose, the effect of the incident on the company’s operations, and whether the company has remediated or is currently remediating the incident.

Furthermore, proposed Item 106(d) of Regulation S-K would require companies to provide updates in Forms 10-Q and 10-K on previously reported incidents, and to disclose when a series of previously undisclosed, individually immaterial incidents has become material in the aggregate.

Another notable amendment, proposed Item 407(j) of Regulation S-K, would require companies to disclose whether any member of the board of directors has cybersecurity expertise and, if so, the nature of that expertise.

Additionally, the proposal would require periodic reporting on registrants’ policies and procedures for identifying and managing cybersecurity risks, on the board’s oversight of those risks, and on management’s role in assessing and managing them. Lastly, the SEC would require all of the cybersecurity disclosures to be tagged in Inline XBRL (eXtensible Business Reporting Language).

What Does the SEC's Proposed Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure Mean for Public Companies?

Cybersecurity controls have historically been out of scope for Sarbanes-Oxley (SOX) testing at public companies; this proposal may bring those controls into the testing process. For several years, internal audit and external auditors have typically performed an annual cyber interview based on inquiry alone: they obtain a list of cyber initiatives and controls and ask whether the organization has “experienced a breach within the past 12 months.”

Under SOX, inquiry alone will likely no longer be sufficient. Companies should expect to support their answers with auditor observation and detailed evidence. SOX testing also requires complete and accurate data sets (populations) from which auditors can select samples.

Will companies be prepared to produce logs of cyber incidents, together with the method used to aggregate them when assessing materiality? This is a key question that organizations need to start thinking about now.

The early indications are that organizations will need to implement key cyber controls within their SOX control framework. Companies should take the time to review the proposal and familiarize themselves with its requirements so that they can discuss likely expectations with their internal and external auditors. The potential impact of these rules is likely to be far reaching, and we anticipate further information on the final rules, their scope, and key dates in June 2023.

If you have any questions about the proposed rules or SOX testing for public companies, feel free to reach out to our team at [email protected].

About Schneider Downs Cybersecurity

The Schneider Downs cybersecurity practice consists of experts offering a comprehensive set of information technology security services, including penetration testing, intrusion prevention/detection review, ransomware security, vulnerability assessments and a robust digital forensics and incident response team. In addition, our Digital Forensics and Incident Response teams are available 24x7x365 at 1-800-993-8937 if you suspect or are experiencing a network incident of any kind. 

Want to be in the know? Subscribe to our bi-weekly newsletter, Focus on Cybersecurity, at www.schneiderdowns.com/subscribe

To learn more, visit our dedicated Cybersecurity page.


Material discussed is meant for informational purposes only and is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary; this information should therefore be relied upon only in coordination with individual professional advice.

© 2024 Schneider Downs. All rights reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.
