Federal Cybersecurity Changes Continue
SEC Narrows in on Public Companies’ Disclosures and More
One month after voting on a proposal for new cybersecurity risk management rules for investment advisers and companies, the Securities and Exchange Commission (“the SEC” or “the Commission”) set its sights on publicly traded companies (“registrants”, subject to reporting requirements of the Securities Exchange Act of 1934).
On March 9, 2022, the SEC voted 3-1 in favor of proposed amendments that enhance and standardize registrants’ disclosures concerning cyber risk management, strategy, governance, and incident reporting.
SEC Chair Gary Gensler notes that cybersecurity incidents “can have significant financial, operational, legal, and reputational impacts on public issuers. Thus, investors increasingly seek information about cybersecurity risks, which can affect their investment decisions and returns.”
The intended result of the proposed amendments is to better inform investors about a registrant’s cybersecurity risk through improved transparency; with information on risk management, governance, and past incidents readily and publicly available, an investor can make well-informed and sound investment decisions.
"Today, cybersecurity is an emerging risk with which public issuers increasingly must contend. The interconnectedness of our networks, the use of predictive analytics, and the insatiable desire for data are only accelerating, putting our financial accounts, investments, and private information at risk. Investors want to know more about how issuers are managing those growing risks." - Gary Gensler, SEC Chair
Before the March 9 proposal, the Division of Corporation Finance had twice issued interpretive guidance on registrants’ existing cybersecurity risk and incident disclosure obligations: once in 2011 and once in 2018. Although that guidance addressed the importance of cybersecurity policies and processes, as well as how they relate to the insider trading prohibitions, cyber disclosure practices have remained inconsistent.
The SEC proposed the amendments to combat these cyber disclosure practice inconsistencies. Under the new rules, disclosures must be comprehensive, accurate, and timely. Specific requirements addressed in the proposal are:
Mandatory Incident Disclosures
- Registrants must disclose material cyber incidents within four (4) business days (Form 8-K).
- Registrants are required to update previous incident disclosures and to disclose when a sequence of formerly undisclosed immaterial cybersecurity incidents becomes material (new Item 106(d) of Regulation S-K and Item 16J(d) of Form 20-F).
- Registrants must issue disclosures under the newly added topic “cybersecurity incidents” (Added to Form 6-K).
Risk Management, Strategy, and Governance Disclosures
- Adding Item 106 to Regulation S-K and Item 16J of Form 20-F to require disclosure of:
  - Policies and procedures to identify and manage cybersecurity risks and threats.
  - Whether a registrant considers cybersecurity part of business strategy, financial planning, and capital allocation.
  - Management’s role in cybersecurity policy and procedure implementation.
  - Board of directors’ cybersecurity expertise and its oversight of associated risk.
  - Updates about previously reported cybersecurity incidents.
- Amending Item 407 of Regulation S-K and Form 20-F to require:
  - Annual reports and proxy filings that name the board members who have cybersecurity expertise and describe the extent of that expertise.
- Requiring cybersecurity disclosures to be presented in Inline eXtensible Business Reporting Language (Inline XBRL).
The public comment period for the proposed amendments will remain open for 60 days following publication of the release on the SEC's website, or 30 days after publication of the release in the Federal Register, whichever period is longer.
Given the federal government’s swift action this year alone on the cybersecurity risk facing all sectors, it is a safe assumption that this trend will continue to gain footholds elsewhere in the coming months.
Anticipated SEC Actions
In his January 24, 2022 speech, Gensler cited four groups the SEC intended to target with cybersecurity policy:
- SEC registrants in the financial sector (e.g., broker-dealers, investment companies, registered investment advisers, and other market intermediaries).
- Public companies.
- Service providers that work with SEC financial sector registrants but may not be registered with the SEC themselves.
- The SEC proper.
This year, the SEC has already addressed part of group one (investment companies and investment advisers) and all of group two (public companies)—and it is only March. Gensler and his colleagues are moving at an expedited pace, and based on his March 9, 2022 call for the Commission to propose additional recommendations for broker-dealers, Regulation Systems Compliance and Integrity (Regulation SCI), and intermediaries’ requirements regarding customer notices (Regulation S-P), it is likely we will see new proposals covering the rest of group one in Q2.
Groups three and four may come later in the year, although the SEC is likely already carrying out internal initiatives in alignment with President Joe Biden’s Executive Order on Improving the Nation’s Cybersecurity. As for group three, the SEC is likely weighing the best course of action to reach these non-registered entities. In his January 24 speech, Gensler hinted that these actions may include measures such as:
- Requiring registrants to identify their key service providers, such as cloud providers, investor reporting systems, middle-office service providers, and others.
- Holding registrants accountable for service providers’ cybersecurity measures pertaining to information protection and access control.
Takeaway: the next entities that should be on alert for cybersecurity rules and amendments are broker-dealers, market intermediaries, and key service providers including but not limited to cloud providers, investor reporting systems, middle-office service providers, fund administrators, index providers, custodians, data analytics, trading and order management, and pricing and data services.
Other Groundbreaking Federal Mandates in the Digital World
On the same day the SEC voted on the new cybersecurity amendments for public companies, President Joe Biden signed an executive order regarding government oversight of cryptocurrency. The order was signed amid increasing concern that Russia might use cryptocurrency to skirt the substantial economic sanctions imposed following its invasion of Ukraine on February 24, 2022.
While deputy security and economic adviser Daleep Singh has assured that cryptocurrency is not a viable means of sanctions avoidance, the order presents some historic firsts. Under the order, the Treasury Department, alongside other agencies, will study cryptocurrency’s influence on financial stability and national security, and will explore the pros and cons of digital assets such as a national digital currency.
How ACA Can Help
ACA Aponix® can help your firm develop, implement, and maintain the information security program required to meet the SEC's evolving regulatory requirements. Learn more about our solutions.
For questions about this alert, or to find out how ACA can help you meet your regulatory cybersecurity obligations, please reach out to your trusted cyber advisor or contact us.