Key takeaways from the SEC interpretive guidance
17th December 2021
This is the fourth article in a four-part series discussing the involvement of the US Securities and Exchange Commission (SEC) in the ongoing and ever-evolving cybersecurity landscape. This article covers key takeaways from the SEC interpretive guidance and the outlook of future SEC cybersecurity initiatives.
Amidst a global surge in cyberattacks, the US Securities and Exchange Commission (SEC) is expected to soon release a rule proposal aimed at providing investors with increased cyber-risk transparency. Specifically, the SEC will likely outline requirements for how companies should address both cyber-risk management and incident disclosure.
In a September 2021 speech to the European Parliament Committee on Economic and Monetary Affairs, SEC Chair Gary Gensler said that the pending rule proposal will likely address “cyber hygiene and incident reporting.” After the proposal is released, the SEC is expected to invite industry participants to provide comments before any rule is finalized. Once the rule takes effect, firms will need to re-examine and, in some cases, adjust their cyber-risk management and disclosure practices.
The SEC has approached cybersecurity issues in recent years through a combination of enforcement actions and rulemaking. In 2018, the SEC released updated guidance on public company cybersecurity disclosure requirements. This guidance highlighted the importance of comprehensive cyber policies and procedures, with a focus on timely disclosure of material cyber risks and incidents. The 2018 guidance was driven by a series of high-profile cyber incidents at companies in which senior leaders delayed notification of cyber-compromises. Under the 2018 guidance, companies are required to consider materiality when making disclosures and to describe how company leaders manage cyber risk, so that investors can make informed decisions.
Actions to be Taken
The SEC’s 2018 interpretive guidance can provide leadership at public companies with insights into the anticipated new rule. The SEC will likely address weaknesses and loopholes in the 2018 guidance and remedy potential deficiencies, such as the alignment of cyber risk with financial risk. While public companies wait for the specifics of the rule, they can take proactive steps to prepare for it in the interim.
To start, companies should examine cyber risk in the context of business, operational and financial impact by evaluating the materiality of potential exposures. The SEC’s 2018 guidance provides public companies with some criteria for making this determination. Whether a cybersecurity risk or incident is material depends on the nature and magnitude of the risk or incident, along with its potential financial, reputational or operational ramifications.
Next, companies should strengthen their internal policies and procedures. Developing effective cybersecurity risk management plans, policies and procedures allows for improved risk mitigation. Specifically, the SEC’s 2018 guidance explains that these policies should include clear instructions for identifying and escalating information so that senior leaders and key stakeholders can adequately disclose any potential cybersecurity incident or risk.
Finally, the board of directors has a role in overseeing the disclosure of cybersecurity risks that are material to a company’s business. Board members should be encouraged to focus on the following cyber risk areas:
- What risks will we not accept?
- What are the risks we need to take?
- What risks are stakeholders willing to bear, and to what level?
- What resources are required to manage those risks?
- Do we fully understand the effectiveness of our risk management efforts, and is our spending on risk controls aligned with financial impact?
- Do we measure cyber risk in economic and business terms and report to senior management and the board in a timely fashion?
- Are we effectively managing our risk, with appropriate protocols in place, relative to the company risk profile?
This series of articles is provided courtesy of HKA Global, Inc. (HKA), one of the world’s leading privately owned, independent providers of consulting, expert, and advisory services for the construction, manufacturing, process, and technology industries. HKA’s global portfolio includes prestigious projects on every continent and in varied market sectors.
Christopher Hetner works closely with HKA to provide strategic advice on cybersecurity issues, but he is not an employee of HKA. The opinions expressed in this article are the views of the author alone and should not be attributed to any other individual or entity. This article is intended for general educational purposes only—it does not constitute legal, accounting, insurance, or other professional advice, and it should not be relied upon as the basis for your business decisions.
This publication presents the views, thoughts or opinions of the author and not necessarily those of HKA. Whilst we take every care to ensure the accuracy of this information at the time of publication, the content is not intended to deal with all aspects of the subject referred to, should not be relied upon and does not constitute advice of any kind. This publication is protected by copyright © 2024 HKA Global Ltd.