The U.S. Securities and Exchange Commission (SEC) developed the cybersecurity disclosure rule in response to the growing significance of digital information and the internet in the operations and value of companies, alongside the escalating threats of cyber-attacks. This evolving landscape highlighted the need for investors to be informed about the cybersecurity risks companies face and how they manage them.

Protecting investors and the market:

The SEC's disclosure requirements were driven by the need to protect investors, maintain fair, orderly, and efficient markets, and facilitate capital formation. By requiring companies to disclose their cybersecurity risks and incidents, the SEC aimed to provide investors with critical information to make informed investment decisions. 

This move was also intended to encourage companies to adopt more robust cybersecurity measures, thereby reducing the risk of cyber incidents that could have significant adverse effects on their business and the broader economy.

This development reflects the SEC's recognition of cybersecurity as a critical corporate governance issue. It underscores the importance of transparency in how companies identify, assess, and manage cybersecurity risks in the digital age, ensuring that investors have a clearer understanding of the potential impact of these risks on their investments.

How does the SEC create rules?

The process the U.S. Securities and Exchange Commission (SEC) uses to create new rules is comprehensive, involving multiple steps designed to ensure transparency, public participation, and thorough evaluation of the potential impacts of proposed regulations. Here's an overview of the typical rulemaking process:

  1. Identifying the Need for Regulation: The process often begins with identifying a problem or opportunity that may require new or amended regulation. This can come from various sources, including legislative mandates, executive orders, court decisions, or issues identified by the agency itself or stakeholders.
  2. Preliminary Analysis and Planning: The responsible agency conducts initial research and analysis to better understand the issue, potential solutions, and impacts. This phase may involve informal stakeholder engagement to gather input.
  3. Notice of Proposed Rulemaking (NPRM): Once the agency decides to proceed, it issues a Notice of Proposed Rulemaking (NPRM) in the Federal Register. The NPRM includes the text of the proposed rule, a rationale for the rule, and information on how the public can submit comments.
  4. Public Comment Period: After publishing the NPRM, the agency opens a public comment period, allowing individuals, businesses, organizations, and other stakeholders to submit feedback on the proposed rule. This period typically lasts 30-60 days but can be longer for complex regulations.
  5. Review and Analysis of Comments: Once the comment period closes, the agency reviews and analyzes all comments received. This process can be time-consuming, especially for regulations that generate significant public interest.
  6. Final Rule: The agency may revise the proposed rule after considering public comments. It then publishes a Final Rule in the Federal Register, along with a response to significant comments and an explanation of any changes from the proposed rule. The Final Rule also includes the effective date of the regulation.
  7. Compliance and Enforcement: Once the rule is final and effective, the agency oversees its implementation, which may involve issuing guidelines, conducting outreach, and taking enforcement actions as necessary.
  8. Judicial Review: After a final rule is published, affected parties may challenge it in court. Courts generally defer to the agency's expertise but will review whether the rule is within the agency's statutory authority and whether the rulemaking process complied with the Administrative Procedure Act (APA) and other legal requirements.

This process ensures that rulemaking is transparent, participatory, and based on a comprehensive analysis of the proposed rule's potential impacts. Agencies may also issue guidance documents or interim rules under certain circumstances, which can be faster but may not go through the same formal public comment process.

How long has the SEC been working on Cybersecurity issues?

Cybersecurity issues first appeared prominently on the SEC's radar in 2011, when the SEC's Division of Corporation Finance issued guidance regarding disclosure obligations relating to cybersecurity risks and cyber incidents.

This guidance was one of the earliest formal acknowledgments by the SEC that cybersecurity posed severe risks that could affect investors, the markets, and public companies. It highlighted that cybersecurity risks and incidents could have significant consequences for a company's operations and financial results and, therefore, should be disclosed to investors if they represent material risks.

This 2011 guidance marked a pivotal moment, signaling the SEC's recognition of the growing importance of cybersecurity in the corporate and financial landscape. It set the stage for subsequent actions and further emphasized the need for robust cybersecurity risk management and disclosure practices among publicly traded companies.

What is the intent behind the disclosure rules?

The intent behind the SEC's cybersecurity guidance is multifaceted, aimed at protecting investors, promoting fair and efficient markets, and facilitating capital formation through enhanced transparency and disclosure. The primary goals of the guidance can be summarized as follows:

  1. Investor Protection: By requiring companies to disclose material information about cybersecurity risks and incidents, the SEC aims to ensure that investors have the information required to make informed decisions. This information helps investors assess the potential impact of cybersecurity issues on a company's financial performance, operational capabilities, and overall risk profile.
  2. Market Integrity and Efficiency: Transparent disclosure of cybersecurity risks and incidents helps maintain the integrity and efficiency of the markets. It enables investors to compare companies more accurately based on their cybersecurity risk management practices and the potential impacts of cyber incidents on their operations. This transparency supports fair and efficient securities pricing, reflecting the actual value and risks associated with companies.
  3. Promoting Better Risk Management: The guidance encourages companies to adopt comprehensive cybersecurity risk management policies and procedures. By highlighting the importance of disclosing cybersecurity risks and incidents, the SEC indirectly motivates companies to strengthen their cybersecurity defenses and resilience to protect shareholder value and corporate reputation.
  4. Harmonization of Disclosure Practices: The guidance aims to create a more standardized approach to how companies disclose cybersecurity risks and incidents, promoting consistency and comparability across filings. This standardization helps investors better understand and evaluate how companies manage and mitigate cybersecurity risks.
  5. Legal Compliance and Corporate Governance: The guidance serves as a reminder of companies' legal obligations to disclose material information that could affect investment decisions. It also underscores the role of cybersecurity in corporate governance, emphasizing the responsibility of boards and management to oversee and manage cybersecurity risks as part of their broader duties to protect shareholder interests.

In essence, the SEC's cybersecurity guidance reflects a recognition of the critical importance of cybersecurity in today's digital economy and the need for a regulatory framework that promotes transparency, accountability, and proactive risk management in this area.

Is there any connection between the SEC disclosure regulation and the new NIST CSF 2.0?

Today, we can see the connection between the SEC's cybersecurity guidance and the emphasis on governance in the National Institute of Standards and Technology (NIST) Cybersecurity Framework 2.0.

The SEC's guidance and NIST's framework are part of broader efforts to enhance cybersecurity risk management and resilience within organizations, particularly in the context of increasing cyber threats and their potential impact on business operations and the economy.

The SEC's cybersecurity guidance focuses on disclosing material cybersecurity risks and incidents to investors, highlighting the importance of cybersecurity governance in ensuring that these risks are appropriately identified, assessed, managed, and communicated. This guidance underscores the role of senior management and boards in overseeing cybersecurity risk management practices, aligning with corporate governance principles.

Similarly, the NIST Cybersecurity Framework 2.0, an update to its widely adopted set of cybersecurity standards and best practices, strongly emphasizes governance.

This includes integrating cybersecurity risk management into organizational governance structures and processes. The framework encourages organizations to establish clear cybersecurity policies, assign roles and responsibilities for cybersecurity within the organization, and integrate cybersecurity considerations into risk management and decision-making processes.

The connection between the two lies in their mutual recognition of governance's critical role in effective cybersecurity risk management. Both advocate for a top-down approach where leadership involvement is crucial for setting the tone, allocating resources, and ensuring cybersecurity measures align with the organization's objectives and risk appetite.

While the SEC's guidance is geared explicitly towards public companies and their disclosure obligations, the NIST Framework provides a more general set of guidelines applicable to organizations of all types and sizes, aiming to improve their cybersecurity posture. Together, they reinforce the importance of governance in managing cybersecurity risks in today's digital and interconnected environment.

Cybersecurity governance is not just a technical necessity but a strategic imperative supporting an organization's overall health, resilience, and success. It enables organizations to navigate the complex landscape of cyber threats, legal requirements, and technological changes, thereby safeguarding their assets, reputation, and future.

What are the cybersecurity leader's next steps?

A cybersecurity leader can leverage the new SEC regulations and the NIST CSF 2.0 framework to overcome tribal or siloed organizational cultures and achieve unity of effort in several strategic ways.

Here are some suggestions:

1. Establishing Clear Guidelines and Standards
  • Utilize SEC Regulations: Use the new SEC regulations to set a baseline for cybersecurity practices within the organization. These regulations can serve as an external authority that mandates certain cybersecurity behaviors, thus providing a clear rationale for change.
  • Adopt NIST 2.0 Framework: Implement the NIST 2.0 framework as the standard for cybersecurity practices. This framework can provide a structured and comprehensive approach to managing cybersecurity risk, which can help unify disparate teams around a common goal.
2. Enhancing Communication and Collaboration
  • Cross-Departmental Teams: Form cross-departmental teams to address specific cybersecurity challenges. These teams should include members from various silos within the organization, fostering a collaborative environment.
  • Regular Meetings and Updates: Schedule regular meetings to discuss cybersecurity efforts, share best practices, and update on the progress of implementing SEC regulations and the NIST framework. This can help maintain a focus on shared goals and foster a sense of unity.
3. Training and Awareness Programs
  • Cybersecurity Training: Develop and implement comprehensive cybersecurity training programs that align with the SEC regulations and NIST framework. Training should be mandatory for all employees, emphasizing the importance of cybersecurity and how individual efforts contribute to the organization's overall security posture.
  • Awareness Campaigns: Launch awareness campaigns to highlight the importance of cybersecurity and the role of the new SEC regulations and NIST framework in enhancing the organization's security. Use these campaigns to break down silos by showing how cybersecurity is a shared responsibility.
4. Leveraging Technology
  • Unified Security Platforms: Implement unified security management platforms that provide visibility across the organization. Such platforms can help break down silos by enabling a centralized view of the organization's cybersecurity posture.
  • Collaboration Tools: Utilize tools that facilitate communication and information sharing among different teams. This can help overcome physical and organizational barriers to collaboration.
5. Incentivizing Cooperation
  • Performance Metrics: Include cybersecurity goals in performance evaluations based on adherence to SEC regulations and the NIST framework. This can incentivize individuals and departments to align their efforts with organizational cybersecurity goals.
  • Recognition Programs: Establish recognition programs to acknowledge departments and individuals who excel in implementing cybersecurity measures and fostering a security culture.

Conclusion

By strategically leveraging the new SEC regulations and the NIST 2.0 framework, a cybersecurity leader can establish a unified approach to cybersecurity that transcends organizational silos. This approach requires clear communication, collaboration, training, technology use, and incentives to encourage participation and buy-in from all parts of the organization.

Here is a detailed list of the SEC disclosure requirements.