New cyber-risk management rules for third-party service providers and beefed-up public company disclosures could have far-reaching effects on financial services firms and others that must comply with SEC regulations, requiring senior management to ensure that their companies can detect, assess, and disclose incidents significantly faster. The proposals, issued by the SEC under Chair Gary Gensler earlier this year, would effectively replace the 2018 guidance on how to handle and disclose cyber-risk.
The proposed rules call for material cybersecurity incidents to be disclosed within four business days, and for companies to disclose information such as senior management's and the board's roles in and oversight of cybersecurity risks, whether they have cybersecurity policies and procedures, and how cybersecurity risks and incidents are likely to affect their financials, according to Gensler.
"When companies have an obligation to disclose material information to investors, they must be complete and accurate. Their disclosures also should be timely," Gensler said.
Jeff Williams, co-founder and chief technology officer at application security platform provider Contrast Security, is in favor of the new rules.
"The proposed cybersecurity rules are a big and welcome step forward for cybersecurity transparency," he says, adding that they could go even further. "The primary focus is on breach disclosure and not vulnerability disclosure, which I believe is missing the mark on what will truly deliver better cybersecurity to consumers and investors."
Steven Yadegari, CEO of FiSolve, a consulting firm that specializes in legal, compliance, and operations for financial services firms and asset managers, also points out that the proposed rules "contain more prescriptive requirements compared to existing SEC cybersecurity guidance and rules related to safeguarding information and would require most registered advisers to implement specific, considerable enhancements to their cybersecurity programs."
Four Days to File
A fact sheet from the SEC notes that registrants must disclose information about "a material cybersecurity incident within four business days after the registrant determines that it has experienced a material cybersecurity incident." The clock therefore starts at the materiality determination, not at detection. The proposal also anticipates updates: if a company later finds that the impact of an incident is materially different from what it originally reported in its Form 8-K, an amended 8-K might be required. Text of the proposed rule can be found here.
The four-business-day window is slightly longer than the 72-hour notification periods in the European Union's General Data Protection Regulation (GDPR), the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), signed by U.S. President Joe Biden in March, and the New York Department of Financial Services Cybersecurity Regulation. The comparison is loose, however. Four business days can span six calendar days across a weekend, and the regimes differ in what starts the clock and who is notified. GDPR's 72 hours run from the moment the controller becomes aware of a personal-data breach, and the notice goes to a supervisory authority; NYDFS requires notice to the superintendent within 72 hours of determining that a reportable cybersecurity event has occurred; CIRCIA's 72 hours, once its implementing rules take effect, run from when a covered entity reasonably believes a covered cyber incident has occurred, and the report goes to CISA rather than the public. The SEC's Form 8-K, by contrast, is a public filing aimed at investors, and its clock starts only once the company decides the incident is material.
Jason Hicks, field CISO at the cybersecurity consulting firm Coalfire, says one of the more controversial aspects of the proposed regulation, the four-business-day deadline for a company to disclose a breach, might not be as draconian as many initially believed.
"The compressed four-day time line jumped out at me, but if you read the fine print, the agency is allowing an indeterminate amount of time to investigate the incident and determine if it is, indeed, material," Hicks says. "However, you are still likely to find yourself making public disclosure before you've completed your entire incident response process."
Woodruff Sawyer, an insurance brokerage whose practice includes directors and officers liability coverage, analyzed the proposed regulation and singled out one word in the proposal's definition of a cybersecurity incident that, in the firm's view, undercuts the apparent rigor of the requirement.
"Note that the word 'jeopardizes' could be taken to mean that some harm might take place, as opposed to actually taking place," the firm wrote in its published response. "The contingent nature of such disclosure is unlikely to be useful to investors, a point expressed well by the Davis Polk comment letter on the proposed rules."
Boards Take Responsibility
The Davis Polk letter, submitted to the SEC during the public comment period, also questions the proposal's call for companies to disclose whether board members have cybersecurity expertise; the firm expects boards to continue to exercise oversight rather than to hold technical credentials themselves. The question of a board of directors' responsibility for cybersecurity and directors' personal liability for data breaches has come up in other compliance regulations and laws in recent years; this proposal is simply the latest that would place cybersecurity responsibility at the board level.
Marcus Astin, chief operating officer and the governance, risk, and compliance officer at clothier Pala Leather, says he welcomes the new cybersecurity rules.
"They position me and my team to take a more proactive role in cybersecurity risk management," Astin says. "We will be able to identify risks, plan for their execution, and measure the effectiveness of our programs. The new standards are a great opportunity for us to elevate ourselves from reactive risk detection to a more integrated approach."
Adds Yadegari: "We have already seen many firms of all sizes look for help from outside experts. This is a sign of how seriously the industry takes these issues. Whether the proposed rules are adopted or not, I think we will see boards interested in receiving professional advice from experts knowledgeable about cybersecurity, third-party risk management, and GRC. As attacks and technology become increasingly sophisticated, this need only becomes more important to board members and management."