Have you read the Proposed SEC Cybersecurity rule (links below)?
Here are the 5 things you can do NOW to prepare for the proposed SEC Cybersecurity rule, which is anticipated around April 2023.
Get Familiar with SEC Reporting Requirements and the Upcoming Changes
Start building or augmenting current plan(s) to a Cybersecurity Board-Level Risk-Driven Strategy
Begin formalizing your Cybersecurity preparation/enhancements
Document your Cybersecurity Management
Begin a hunt for a Cybersecurity Board Member
As a preliminary step, get familiar with the types of documents and forms that are used for SEC reporting. Many cybersecurity professionals are not business trained, so now is the time to get some exposure. Step 1 below lists the items that are being amended or added under the proposed rule, so we recommend starting there.
If you are the head of a security team and the responsibility falls on you to get ready, follow these five steps and you will be able to develop the needed acumen along with appropriate Cybersecurity plans.
Step 1) Get Familiar with SEC Reporting Requirements and the Upcoming Changes
Learn how to read an 8-K. An 8-K is a report of unscheduled material events or corporate changes at a company that could be of importance to the shareholders or the Securities and Exchange Commission (SEC). Also known as Form 8-K, the report notifies the public of events including acquisitions, bankruptcy, the resignation of directors, or changes in the fiscal year. Form 8-K is being amended to add Item 1.05, which requires registrants to disclose information about a cybersecurity incident within four business days after the registrant determines that it has experienced a material cybersecurity incident:
Here is an explanation of how to read an 8-K (https://www.sec.gov/files/readan8k.pdf)
Here is an example 8-K focused on a Cybersecurity incident (https://www.sec.gov/Archives/edgar/data/0000808450/000119312521183688/d13020d8k.htm)
These are samples of the types of Cybersecurity incidents that may require disclosure (non-exclusive list) according to the proposed rule:
An unauthorized incident that has compromised the confidentiality, integrity, or availability of an information asset (data, system, or network); or violated the registrant’s security policies or procedures. Incidents may stem from the accidental exposure of data or from a deliberate attack to steal or alter data
An unauthorized incident that caused degradation, interruption, loss of control, damage to, or loss of operational technology systems
An incident in which an unauthorized party accessed, or a party exceeded authorized access, and altered, or has stolen sensitive business information, personally identifiable information, intellectual property, or information that has resulted, or may result, in a loss or liability for the registrant
An incident in which a malicious actor has offered to sell or has threatened to publicly disclose sensitive company data
An incident in which a malicious actor has demanded payment to restore company data that was stolen or altered
Forms 10-Q and 10-K are being amended to require registrants to provide updated disclosure relating to previously disclosed cybersecurity incidents, as specified in proposed Item 106(d) of Regulation S-K. These forms will be amended to require disclosure, to the extent known to management, when a series of previously undisclosed individually immaterial cybersecurity incidents have become material in the aggregate.
This is Form 10-Q (https://www.sec.gov/files/form10-q.pdf)
Form 10-K is being amended to require disclosure specified in proposed Item 106 regarding:
This is Form 10-K (https://www.sec.gov/files/form10-k.pdf)
These are samples of the types of information that may require disclosure (non-exclusive list) according to the proposed rule:
A registrant’s policies and procedures, if any, for identifying and managing cybersecurity risks
A registrant’s cybersecurity governance, including the board of directors’ oversight role regarding cybersecurity risks
Management’s role, and relevant expertise, in assessing and managing cybersecurity-related risks and implementing related policies, procedures, and strategies
Item 407 of Regulation S-K is being amended to require disclosure about whether any member of the registrant’s board of directors has cybersecurity expertise. The 2018 Interpretive Release clarifies that a company must describe how the board administers its risk oversight function to the extent that cybersecurity risks are material to a company’s business, including a description of the nature of the board’s role in overseeing the management of such risks.
This is the current guidance on Item 407 of Regulation S-K, so you can see how this information is typically presented (https://www.sec.gov/divisions/corpfin/guidance/execcomp407interp.htm)
Form 20-F is being amended to require foreign private issuers (“FPIs”) to provide cybersecurity disclosures in their annual reports filed on that form that are consistent with the disclosure the Commission proposes to require in the domestic forms. Proposed Item 16J would require an FPI to include in its annual report on Form 20-F the same type of disclosure proposed in Items 106 and 407(j) of Regulation S-K that would be required in periodic reports filed by domestic registrants. One difference is that while domestic registrants would be required to include the proposed Item 407(j) disclosure about board expertise in both their annual reports and proxy or information statements, FPIs are not subject to Commission rules for proxy or information statement filings and thus would only be required to include this disclosure in their annual reports.
This is Form 20-F (https://www.sec.gov/files/form20-f.pdf)
Form 6-K is being amended to add “cybersecurity incidents” as a reporting topic.
This is the current Form 6-K (https://www.sec.gov/files/form6-k.pdf)
Finally, the proposed rule would require that the proposed disclosures be provided in Inline XBRL.
This link will explain Inline XBRL (https://www.sec.gov/structureddata/osd-inline-xbrl.html)
Step 2) Start building or augmenting current plan(s) to a Cybersecurity Board-Level Risk-Driven Strategy
Create or augment your existing plan(s) so that they offer your company a “snapshot” of your security program’s effectiveness and maturity, empowering you to make informed decisions about your risk-based approach and the corresponding budget requirements. CISOs we speak with believe it can take 6-9 months or more to transition to this new model; if you want a shortcut, call Emagined Security! (See Emagined’s One Clear Path for additional details: https://www.emagined.com/one-clear-path-cybersecurity-framework) A Cybersecurity Board-Level Risk-Driven Strategy can help avoid the unnecessary investment of time and resources by:
Benchmarking the areas of the program that are operating well and those that are not, enabling you to focus greater attention on the areas of need while documenting a “steady state” mode for well-tuned operations
Analyzing current maturity versus desired maturity levels
Measuring operational impact balance between people, process, and technology
Empowering you to establish the appropriate roadmap and budget to support and defend the chosen direction
Graphically depicting risk versus current and desired budget levels to maximize impact on the largest audience
Step 3) Begin formalizing your Cybersecurity preparation/enhancements
Formalize your preparations to meet the upcoming required Cybersecurity program disclosures, as applicable, based on proposed Item 106(b) of Regulation S-K. Below we detail our recommendations for each of the proposed rule’s Cybersecurity program disclosure requirements:
The registrant has a cybersecurity risk assessment program and if so, describe such a program
Formalize a risk assessment program based on an industry standard such as NIST’s Risk Management Framework (RMF) and fully document the process. You can read the RMF here: (https://csrc.nist.gov/projects/risk-management/about-rmf)
The registrant engages assessors, consultants, auditors, or other third parties in connection with any cybersecurity risk assessment program
Create an evidence archive of reports received from assessors, consultants, auditors, or other third parties, and document corrective actions and Plans of Action and Milestones (POAMs) to demonstrate due diligence. Begin creating a summary statement that can be used in the future to demonstrate the effectiveness of the RMF program.
The registrant has policies and procedures to oversee and identify the cybersecurity risks associated with its use of any third-party service provider (including, but not limited to, those providers that have access to the registrant’s customer and employee data), including whether and how cybersecurity considerations affect the selection and oversight of these providers and contractual and other mechanisms the company uses to mitigate cybersecurity risks related to these providers
Document your Third-Party Risk Assessment program. Identify all Third Parties who have access to the registrant’s customer and employee data. Create an evidence archive of the reports and results from your reviews of the Third-Party providers with access to this sensitive data.
The registrant undertakes activities to prevent, detect, and minimize the effects of cybersecurity incidents
Document your Threat Management program detailing your Cybersecurity tools, people, and processes. This should include what your organization does for Security Event Management, Threat Intelligence, Incident Management, Intrusion Detection, Application & Network Penetration Testing, Application & Network Vulnerability Management, Malware Prevention, Security Host Hardening, and Patch Management.
The registrant has business continuity, contingency, and recovery plans in the event of a cybersecurity incident
Document your cybersecurity incident business continuity, contingency, and recovery plans detailing the associated Cybersecurity tools, people, and processes. This should include a Cybersecurity Business Impact Analysis, Business Continuity Planning, Disaster Recovery Planning, and Backup details with a focus on achieving uptime and recovery timelines.
Previous cybersecurity incidents have informed changes in the registrant’s governance, policies and procedures, or technologies
A Cybersecurity program should incorporate lessons learned from prior incidents and support the following areas: Executive Sponsorship, Strategic Planning, Security Charters, Information Security Policies, Security Awareness & Training, Information Classifications, Asset Management, Brand Protection, and more.
Cybersecurity-related risks and incidents have affected or are reasonably likely to affect the registrant’s results of operations or financial condition and if so, how
The Risk Management Program should measure both realized incidents and potential incidents, weighting the latter by their likelihood of being realized.
Cybersecurity risks are considered as part of the registrant’s business strategy, financial planning, and capital allocation and if so, how
Data from the above areas should be used to perform actuarial-type calculations that can then be used to feed the registrant’s business strategy, financial planning, and capital allocation. This data should be used to perform business risk and financial risk calculations. This data can be used to support board-level meetings with information regarding Potential Incident Losses.
This is the type of information the Cybersecurity Board Member will use to acquire support and funding to enhance the security program detailed during Step 2.
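The disclosure mechanics described in Step 1 (the four-business-day Item 1.05 clock, which starts at the materiality determination rather than at discovery, and the Form 10-Q/10-K update when individually immaterial incidents become material in the aggregate) and the Potential Incident Loss calculations described above can be tracked in a simple incident register. The Python below is an added illustration written for this article; it is not Emagined’s tooling, nor an SEC-provided form. It assumes, purely for illustration, that materiality can be approximated by a dollar-loss threshold (the proposed rule does not define a numeric test), that the filer supplies its own holiday calendar, and every incident, scenario and dollar figure in it is constructed sample data.

```python
"""Incident register helpers for the proposed SEC cybersecurity disclosure rule.

Illustrative code for this article (not Emagined's product, not SEC tooling).
Modelled from the proposal:
  * Form 8-K Item 1.05: disclose within four business days after the registrant
    determines that an incident is material.
  * Forms 10-Q/10-K: a series of previously undisclosed, individually immaterial
    incidents may become material in the aggregate.
Assumptions (not from the rule): materiality is approximated by a dollar loss
threshold, holidays are supplied by the caller, and all data below is constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass
class Incident:
    incident_id: str
    discovered: date
    determined: Optional[date]     # date of the materiality determination; None = still open
    estimated_loss_usd: float      # constructed estimate used for the aggregate test
    material: Optional[bool]       # True/False once determined, None while pending


def add_business_days(start: date, n: int, holidays: Iterable[date] = ()) -> date:
    """Return the date n business days after start, skipping weekends and holidays."""
    skip = set(holidays)
    current, remaining = start, n
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5 and current not in skip:
            remaining -= 1
    return current


def item_105_deadline(inc: Incident, holidays: Iterable[date] = ()) -> Optional[date]:
    """Item 1.05 filing deadline: four business days after the materiality determination.
    Returns None when the incident is not (yet) determined to be material."""
    if inc.material is not True or inc.determined is None:
        return None
    return add_business_days(inc.determined, 4, holidays)


def aggregate_immaterial(incidents: Iterable[Incident], threshold_usd: float) -> Dict:
    """Flag when incidents that were each judged immaterial exceed the (assumed) threshold together."""
    immaterial = [i for i in incidents if i.material is False]
    total = sum(i.estimated_loss_usd for i in immaterial)
    return {
        "incident_ids": [i.incident_id for i in immaterial],
        "total_loss_usd": total,
        "material_in_aggregate": total >= threshold_usd,
    }


def expected_annual_loss(scenarios: Iterable[Tuple[str, float, float]]) -> float:
    """Actuarial-style figure for board reporting: sum of likelihood * loss per scenario."""
    return sum(likelihood * loss for _, likelihood, loss in scenarios)


def disclosure_report(incidents: List[Incident], threshold_usd: float,
                      holidays: Iterable[date] = ()) -> Dict:
    """Summarise what the register implies for the 8-K and 10-Q/10-K disclosures."""
    report: Dict = {"item_105": {}, "pending": [],
                    "aggregate": aggregate_immaterial(incidents, threshold_usd)}
    for inc in incidents:
        if inc.material is None:
            report["pending"].append(inc.incident_id)      # clock has not started
        elif inc.material:
            report["item_105"][inc.incident_id] = item_105_deadline(inc, holidays).isoformat()
    return report


# Constructed sample data. 2023-04-19 is a made-up holiday to show the skip.
SAMPLE_HOLIDAYS = {date(2023, 4, 19)}
SAMPLE_INCIDENTS = [
    Incident("INC-001", date(2023, 4, 10), date(2023, 4, 14), 2_500_000.0, True),
    Incident("INC-002", date(2023, 1, 9), date(2023, 1, 12), 400_000.0, False),
    Incident("INC-003", date(2023, 2, 20), date(2023, 2, 22), 650_000.0, False),
    Incident("INC-004", date(2023, 3, 6), None, 300_000.0, None),
]
ASSUMED_MATERIALITY_USD = 1_000_000.0
# (scenario, assumed annual likelihood, assumed loss if realised); constructed values.
SAMPLE_SCENARIOS = [("ransomware", 0.25, 4_000_000.0), ("third-party breach", 0.5, 600_000.0)]

if __name__ == "__main__":
    print(disclosure_report(SAMPLE_INCIDENTS, ASSUMED_MATERIALITY_USD, SAMPLE_HOLIDAYS))
    print("expected annual loss (constructed):", expected_annual_loss(SAMPLE_SCENARIOS))
```

In the report, `item_105` gives the filing deadline for each incident determined to be material (INC-001, determined on Friday 2023-04-14, lands on 2023-04-21 because the constructed holiday pushes it past Thursday); `pending` lists incidents whose materiality assessment is still open and whose four-day clock has therefore not started; and `aggregate` flags that INC-002 and INC-003, each immaterial on its own, together exceed the assumed threshold, which is the trigger for the updated 10-Q/10-K disclosure described in Step 1. The expected-loss figure is the kind of number the board member in Step 5 would use when arguing for budget.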
Step 4) Document Cybersecurity Management
Now you are required to toot your own horn. Document your management’s role in assessing and managing cybersecurity-related risks and in implementing the registrant’s cybersecurity policies, procedures, and strategies. You will need to detail items such as:
Whether certain management positions or committees are responsible for measuring and managing cybersecurity risk, specifically the prevention, mitigation, detection, and remediation of cybersecurity incidents, and the relevant expertise of such persons or members
Whether the registrant has a designated chief information security officer or someone in a comparable position, and if so, to whom that individual reports within the registrant’s organizational chart, and the relevant expertise of any such persons
The processes by which such persons or committees are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents
Whether and how frequently such persons or committees report to the board of directors or a committee of the board of directors on cybersecurity risk
Step 5) Begin a hunt for a Cybersecurity Board Member
As you are hiring your boss, you want to make sure that you take the time to find a Cybersecurity Board Member who can balance your cybersecurity needs and budgets and who has realistic expectations. Individuals like these are unicorns and will be in high demand. There are a limited number of business-trained Cybersecurity professionals, as most Cybersecurity professionals come from technical backgrounds and have not been trained in the business.
The Cybersecurity Board Member must have expertise spanning a range of Cybersecurity experience and skills. The proposed rule offers the following non-exclusive list of criteria that a registrant should consider in reaching a determination on whether a director has expertise in cybersecurity:
Whether the director has prior work experience in cybersecurity, including, for example, experience as an information security officer, security policy analyst, security auditor, security architect or engineer, security operations or incident response manager, or business continuity planner
Whether the director has obtained certification or a degree in cybersecurity
Whether the director has the knowledge, skills, or other background in cybersecurity, including, for example, in the areas of security policy and governance, risk management, security assessment, control evaluation, security architecture and engineering, security operations, incident handling, or business continuity planning
This is what we do. Reach out to Emagined Security and we can start working with you right away in preparing for the upcoming U.S. Securities and Exchange Commission Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rule. Don’t let your stock value drop by being unprepared for the upcoming SEC Cybersecurity Rule.