The Securities and Exchange Commission (SEC) was not created to regulate technology, yet its cybersecurity proposals could seriously affect your organization. How did an agency founded to stabilize financial markets after the Great Depression come to regulate cybersecurity? More importantly, is your organization prepared for these proposals, or is it at risk of being blindsided?
The SEC, from Depression-era stabilizer to digital regulator
The SEC was created nearly a century ago to ensure there would never be another market crash like that of 1929. It was established by the Securities Exchange Act of 1934 and administers both that act and the Securities Act of 1933. Within these combined 440 pages of legislation, the SEC was given a three-part mission to:
- Protect investors
- Maintain fair, orderly and efficient markets
- Facilitate capital formation
So how did the SEC, an agency established some 40 years before the first home PC, get into modern cybersecurity regulation? Its involvement in information security did not begin with the rise of the internet or the dot-com bubble; it is a fairly recent development. In October 2011 the SEC’s Division of Corporation Finance issued non-binding staff guidance advising public companies to disclose cybersecurity risks and incidents when they are material to investors. Starting in 2014, the SEC’s Office of Compliance Inspections and Examinations (OCIE) began publishing cybersecurity risk alerts and examination findings.
In 2017 the agency issued a statement that “The Commission is focused on identifying and managing cybersecurity risks and ensuring that market participants … are actively and effectively engaged in this effort and are appropriately informing investors and other market participants of these risks.” This marks a distinct shift from previous years, when the agency performed generalized surveys and spoke broadly about data security.
In February 2022, SEC Chair Gary Gensler announced proposed cybersecurity rules for registered investment advisers and funds. In his announcement he stated, “Cyber risk relates to each part of the SEC’s three-part mission, and in particular to our goals of protecting investors and maintaining orderly markets.”
Gensler’s statement indicates that the agency considers cybersecurity regulation part of its purview under its broader mandate to protect investors and maintain orderly markets. Any organization that files with the SEC should prepare for the proposed cybersecurity requirements now.
What are the SEC’s cybersecurity proposals?
In March 2022 the SEC released a lengthy proposal covering public companies. It focuses on disclosure of cybersecurity incidents, risk management and strategy, and governance. Specifically, the proposal would require registrants to publicly disclose a material cybersecurity incident within four business days of determining that the incident is material. Companies would also have to describe their cybersecurity risk management policies, threat monitoring, and the role of management and the board in implementing and overseeing security procedures.
Many commenters, including private companies, challenged the four-business-day reporting window. One concern is that preparing a public report could interfere with ongoing containment and remediation. Others argued that gathering information useful to investors takes longer, and that releasing incomplete or inaccurate information may do more harm than good.
What information is the SEC looking for? Under the proposal, organizations would file a Form 8-K within that window describing:
- The discovery time and current status of the incident
- The scope and nature of the incident
- Information that was stolen, accessed, altered, or otherwise used in an unauthorized manner
- Whether the incident has been remediated or is still being actively addressed
The SEC acknowledges that an incident report may be largely incomplete after four business days, yet it reminds organizations that “...the potential benefits of delaying the reporting of such cases do not outweigh a registrant’s obligation to provide investors with timely information.” This no-nonsense approach can put companies in a bind. When exactly is a cyber event deemed an incident? Who makes the materiality determination, and when? What are the legal implications of releasing incomplete or ultimately inaccurate information to the public? Note that under the proposal the clock starts when the registrant determines the incident is material, not when it is first discovered, so the determination process itself, including who owns it and how it is documented, needs to be defined before an incident occurs.
Additionally, the annual Form 10-K would include sections on cybersecurity risk management and strategy. Organizations would be asked to describe the steps they take to address operational risk, intellectual property theft, fraud, privacy violations, and other dangers, and to detail their risk assessment programs, risks associated with third-party vendors, business continuity and recovery plans, and other security-related information.
The governance portion of the annual report focuses on how cybersecurity is handled at the management and board level: who is responsible for overseeing cybersecurity risk, how the board is informed of that risk, how often security is discussed, whether any board member has cybersecurity expertise, and how cybersecurity fits into overall business strategy. Companies would also disclose the management policies that delegate security responsibilities and govern reporting procedures.
Representatives from Crowe LLP raised concerns over the wording of the proposed rule, noting that “The Proposed Rule's definitions of ‘cybersecurity incident’ and ‘cybersecurity threat’ might lead to inconsistent application, and the SEC might consider how the definitions could be enhanced, including by referencing specific glossary definitions.” The letter argued that imprecise definitions, combined with the provision that “any” affected information be disclosed, create an extremely broad requirement. The firm also questioned whether the four-day reporting requirement was feasible and whether its potential benefits outweighed its negative effects on the investigative process.
A letter signed by the Cyber Initiatives Group, whose members include people from Microsoft, the NSA, the CIA, and other organizations, supported the proposals, stating:
We believe that the goals of requiring current reporting about material cybersecurity incidents, as well as periodic disclosures regarding (1) a registrant’s policies and procedures to identify and manage cybersecurity risks, (2) management’s role in implementing cybersecurity policies and procedures and (3) the board of directors’ cybersecurity expertise and its oversight of cybersecurity risk, are appropriate and are likely to enhance the cybersecurity posture of registrants. (p. 2)
Several other respondents submitted lengthy replies supporting some aspects of the proposals and raising concerns about others.
How does this affect me?
Board directors view regulatory noncompliance as the number one source of business risk, and the risk of violating security regulations grows as more government bodies get involved in cybersecurity. In May 2021 President Biden issued Executive Order 14028, which directs federal agencies toward a zero trust architecture, and in June 2022 he signed two new cybersecurity laws. Under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), the Cybersecurity and Infrastructure Security Agency (CISA) is developing its own incident reporting rules for critical infrastructure entities. The National Conference of State Legislatures (NCSL), which tracks state-level legislation, reports more than 260 cybersecurity bills proposed this year.
Organizations that do not stay informed, or do not take part in the rulemaking process through public comment, may find themselves unable to keep up with government requirements. Meeting regulatory obligations while defending against sophisticated threat actors is a major undertaking that will only grow harder. Security services from established vendors can help keep your infrastructure secure and compliant, but the disclosure obligations themselves remain with the registrant, so incident classification and reporting procedures must be owned internally.
If you are a cybersecurity decision-maker interested in discussing this topic or other challenges facing tech executives, consider visiting CXO REvolutionaries.
Disclaimer: This article has been created by Zscaler for informational purposes only and may not be relied upon as legal advice. We encourage you to consult with your own legal advisor with respect to how the contents of this document may apply specifically to your organization, including your unique obligations under applicable law and regulations. ZSCALER MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT AND IT IS PROVIDED “AS-IS”. Information and views expressed in this document, including URL and other internet website references, may change without notice.