By Natasja Bolton, Managing Information Security Consultant
On February 21st, 2018, the U.S. Securities and Exchange Commission (SEC) approved the release of its revised guidance for public companies on the disclosure of cybersecurity risks and incidents. The guidance reflects the fact that shareholders now expect the companies they invest in, or are considering investing in, to understand and manage risk to the business in all its forms, including cybersecurity risk.
The guidance discusses the need for comprehensive policies and procedures to make sure that cybersecurity risks and incidents are identified in a timely manner, evaluated and reported up to board level. It makes clear that public companies’ existing disclosure obligations under the Securities Act of 1933 (‘Securities Act’) and the Securities Exchange Act of 1934 (‘Exchange Act’) extend to material information on cybersecurity. Companies must therefore have disclosure controls and procedures that enable them to make accurate and timely disclosures of cybersecurity risks and incidents that would be material to their investors.
While disclosures do not need to include detailed technical information – such information could be exploited by those seeking to target the company – the information disclosed about a company’s cybersecurity risks and incidents does need to be based on a detailed evaluation of risk. Disclosures must not be generic or use “boilerplate language”; the risk evaluation needs to be specific to the company and thereby demonstrate that executives understand the nature of the cybersecurity risks and potential incidents facing their business.
The guidance highlights the issues to be considered when analysing the company’s cybersecurity risk. These include: the occurrence of previous cybersecurity incidents; the probability of cybersecurity incidents occurring and their potential severity; the adequacy of, and costs associated with, the control and protection measures in place; company- and industry-specific aspects that influence risk levels; and the potential costs and impacts of cybersecurity incidents (such as reputational damage, litigation and remediation costs). This risk analysis is key to the accuracy and usefulness of disclosures to investors, as “the materiality of cybersecurity risks or incidents depends upon their nature, extent and potential magnitude, particularly as they relate to any compromised information or the business and scope of company operations”.
With its approval of this guidance the SEC is clearly signalling its view that responsibility for cybersecurity risks and incidents resides at boardroom level. The guidance emphasises executive-level accountability for the company’s protection of critical information assets and systems from cyber-attacks and other threats. It also sets the expectation that cybersecurity risk management must be an integral component of enterprise risk management, such that the board of directors’ risk oversight function includes cybersecurity risk, since those risks can be material to the company’s business. To be able to oversee cybersecurity risk, directors and company executives must have visibility into, and be properly informed by, the company’s cybersecurity management program.
The SEC’s focus on executive-level oversight and responsibility echoes the recent changes in the PCI DSS which, from 1st February 2018, require executive management at service provider companies to establish overall accountability for maintaining PCI DSS compliance, to define a charter for their PCI DSS compliance program and to maintain executive-level visibility of that program (Requirement 12.4.1). The SEC guidance also supports, and is supported by, the FFIEC’s recommendations for CEOs and boards of directors contained in the FFIEC’s Cybersecurity Assessment Tool. That assessment is intended to enable enhanced executive oversight and management of the company’s cybersecurity. Cyber Risk Management and Oversight is one of the tool’s five domains – helping companies to assess their maturity with regard to information security governance, risk management, and roles and responsibilities – and hence helps the company move to a position where the board can fulfil the risk oversight role envisioned in the SEC’s guidance and will be properly informed to make disclosure decisions.
If you need help in establishing, defining or developing your cybersecurity management program, talk to us. Sysnet’s team of information security experts can help your company define the structures, policies and procedures required so that your cybersecurity management program better supports the updated disclosure requirements. We can take you through the process of assessing and evaluating the adequacy of existing security controls. We can be your independent trusted advisor, measuring, monitoring and reviewing your cybersecurity management program and the effectiveness of your cybersecurity risk management.