In today’s digital world there is hardly an organization that does not depend on data or technology for its continued success. This dependency makes cybersecurity more important today than ever before. For this reason, a successful cybersecurity program rooted in risk management is a key element for public companies that want to protect themselves from emerging cyber threats and comply with the cybersecurity disclosure requirements of the U.S. Securities and Exchange Commission (“SEC”).
The SEC has highlighted the importance of cybersecurity for several years. On March 26, 2014, then SEC Chair Mary Jo White hosted a roundtable to discuss cybersecurity issues. She stated that “the SEC’s formal jurisdiction over cybersecurity is directly focused on the integrity of our market systems, customer data protection, and disclosure of material information.” A robust risk management program is central to meeting that stated focus. This article is the first in a series detailing how your public company can establish a risk-based cybersecurity program that meets SEC guidance and mitigates the threats posed by cyber attackers.
Public companies should note that in 2018 the SEC issued additional guidance on cybersecurity disclosures, building on the guidance issued in 2011 by the SEC’s Division of Corporation Finance. The updated guidance clarifies how material cybersecurity risks should be disclosed and addresses two topics the 2011 guidance did not: the importance of cybersecurity policies and procedures, and insider trading prohibitions.
To meet the standards established in the latest SEC guidance, companies should inform investors about material cybersecurity risks in their MD&A disclosures and update the controls, policies and procedures that govern cyber incidents and insider trading. Boards should also take note that the SEC believes investors have a right to know about material cybersecurity risks that would impede an organization’s ability to carry out its primary operations and overall business strategy. The SEC also makes it clear that the Board’s oversight role in managing risk includes cybersecurity risk.
The guidance provided by the SEC can be generally organized into three main areas of focus:
- Identifying and disclosing material cybersecurity risks
- Disclosing material cybersecurity incidents
- Preventing insider trading during cybersecurity incidents
All efforts related to these functions require an effective cybersecurity program.
Material Cybersecurity Risks
Identifying material cybersecurity risks requires a risk-based cybersecurity program that coordinates all security activities. Such a program lets an organization identify, assess and respond to threats based on their likelihood and their potential impact on business functions. Building this capability starts with senior management communicating the organization’s risk tolerance, which lets key stakeholders allocate spending to reduce risk to an acceptable level. Several well-established frameworks can serve as the basis of a cyber-risk program. The National Institute of Standards and Technology (“NIST”) published its Cybersecurity Framework (“CSF”) in 2014, based on industry standards and best practices, and it has since become one of the most widely adopted frameworks across the private sector and government.
The CSF consists of five core functions (Identify, Protect, Detect, Respond and Recover) that together address each dynamic element of cybersecurity risk. The first core function, Identify, helps public companies diagnose material cybersecurity risks. It is a foundational function that sets the stage for a cybersecurity program rooted in risk management processes, and a key component in meeting SEC cybersecurity disclosure requirements: the SEC requirement to disclose factors that make an investment in an organization’s securities risky or speculative includes business-specific cybersecurity risk. A core aspect of the Identify function is understanding the business environment the organization operates in, meaning the people, technology, assets, data, and capabilities that are crucial to its success. This stage of the CSF is unique to each business. For example, the cybersecurity risks facing a publicly traded financial organization differ significantly from those facing a publicly traded energy organization.
Material Cybersecurity Incidents
Disclosing material cybersecurity incidents requires organizations to first detect that an incident has occurred. This is difficult if the organization has no visibility into what is happening in its environment. To obtain that visibility an organization must have an established incident response program that provides for monitoring, detecting, responding to and recovering from a cybersecurity incident. Implementing a robust incident response program begins with an incident response policy rooted in a cybersecurity risk assessment that has identified the threats and risks relevant to the organization. After all, how would an organization know what to monitor if it does not know the threats and risks to its environment? Here again we can look to NIST for assistance. In addition to the Cybersecurity Framework, NIST publishes several documents to assist organizations in creating cybersecurity policies, procedures, and programs. These include Special Publication 800-61 Revision 2, the Computer Security Incident Handling Guide, which details a process for establishing an incident response capability and handling incidents efficiently.
The Computer Security Incident Handling Guide can help you meet some of the SEC’s disclosure requirements. The key to reporting cybersecurity incidents is to detect them in the first place, and NIST’s guide provides recommendations on how to implement a monitoring infrastructure that detects them. It can also help you develop an incident response process, which is key to reporting and subsequently disclosing relevant information to the appropriate parties, including regulators such as the SEC.
Insider Trading During Cybersecurity Incidents
Preventing insider trading during cybersecurity incidents involves a combination of policy, technical monitoring and, potentially, enforcement action. The SEC makes it clear that directors, officers and other corporate insiders with knowledge of a material cyber incident must not trade the company’s securities until the incident has been publicly disclosed. This effort first requires that policies addressing the situation are implemented and communicated to all affected parties. Next, a monitoring capability should be in place to detect inappropriate securities trading during the window between discovery and disclosure. Depending on the organization’s incident response program, this capability may simply be an extension of measures already in place: the incident record already captures when an incident was discovered and who was brought in, so the documented process for responding to and disclosing material cybersecurity incidents can be extended to cover insider trading checks as well.
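The blackout check described above, as an added example that is not part of the original article. It assumes the incident response process records the time each insider was told about the incident (the hypothetical `aware_at` map) and the time of public disclosure (for example, the time an 8-K was filed), and it flags trades that fall in the window after a person learned of the incident and before disclosure. The names, dates and trades are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, Optional


@dataclass(frozen=True)
class Trade:
    person: str
    executed_at: datetime   # timezone-aware timestamp of execution
    symbol: str
    quantity: int           # positive = buy, negative = sell


def flag_blackout_trades(
    trades: Iterable[Trade],
    aware_at: dict[str, datetime],
    disclosed_at: Optional[datetime],
) -> list[Trade]:
    """Return trades executed by a person while they knew of the incident
    but the incident was not yet public.

    The window is half-open per person: [aware_at[person], disclosed_at).
    A trade before the person was told is outside the window; a trade at or
    after the public disclosure is outside it too. If disclosed_at is None the
    incident is still non-public, so every trade after awareness is flagged.
    People not in aware_at are not treated as insiders on this incident.
    """
    flagged: list[Trade] = []
    for t in trades:
        start = aware_at.get(t.person)
        if start is None or t.executed_at < start:
            continue  # not an insider on this incident, or traded before learning of it
        if disclosed_at is not None and t.executed_at >= disclosed_at:
            continue  # traded after the public disclosure
        flagged.append(t)
    return flagged


def _utc(s: str) -> datetime:
    """Parse an ISO timestamp as UTC (constructed sample data helper)."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


def demo() -> list[Trade]:
    """Run the check over a constructed incident timeline and trade log."""
    # Constructed timeline (hypothetical roles, not real people):
    # the CISO discovers the incident on Mar 4, the CFO is briefed on Mar 5,
    # the 8-K is filed at 09:00 UTC on Mar 8.
    aware_at = {
        "ciso": _utc("2024-03-04T15:30:00"),
        "cfo": _utc("2024-03-05T09:00:00"),
    }
    disclosed_at = _utc("2024-03-08T09:00:00")

    # Constructed trade log from the company's insider-trade reporting feed.
    trades = [
        Trade("ciso", _utc("2024-03-03T14:00:00"), "ACME", -500),   # before discovery: fine
        Trade("cfo", _utc("2024-03-06T10:15:00"), "ACME", -2000),   # in window: flag
        Trade("cfo", _utc("2024-03-08T10:00:00"), "ACME", 300),     # after disclosure: fine
        Trade("engineer", _utc("2024-03-06T11:00:00"), "ACME", -50),  # not on the insider list
        Trade("ciso", _utc("2024-03-07T16:45:00"), "ACME", -1000),  # in window: flag
    ]
    return flag_blackout_trades(trades, aware_at, disclosed_at)


if __name__ == "__main__":
    for t in demo():
        print(f"FLAG {t.person} {t.executed_at.isoformat()} {t.symbol} {t.quantity}")
```

The per-person awareness time matters: a trade by someone who was not yet briefed is not a blackout trade, which is why the incident record should capture who was told and when, not just the discovery date. Flagged trades are leads for the compliance team to review, not a determination of wrongdoing.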
The SEC has provided interpretive guidance on preparing disclosures of cybersecurity risks and incidents. This guidance provides several examples on topics including the information to include and in what instances it should be reported. To meet these requirements, organizations need to establish cybersecurity programs rooted in risk management processes that identify risks as well as the procedures and processes to help mitigate them. These programs will not only help organizations meet their SEC obligations but will help keep them safe from emerging cyber threats. Remember, compliance is not itself a form of security, but it is a positive side-effect of a robust security program.
If you have any questions about your company’s cyber-security posture, risks or compliance requirements, contact a CyZen cybersecurity professional today.