*Updated February 9th 2023*
A couple of months ago, the SEC (US Securities and Exchange Commission, not the collegiate sports conference) announced proposed changes that will impact all companies. In short, all publicly traded companies must have a process in place to disclose cybersecurity incidents and more importantly, must actively identify and manage cybersecurity risks with board of directors’ oversight. While some organizations have already undergone this journey, we expect that numerous companies are late to the party and haven’t begun to determine what this means to them.
For our Canadian readers: While you may not be directly impacted by the SEC changes, the Canadian government is working on legislation to compel companies in the finance, telecommunications, energy and transportation sectors to either shore up their cyber systems against attacks or face expensive penalties, so you aren’t exempt!
Impact to Private Companies
The SEC highlights companies’ increasing reliance on third party service providers for information technology services as one of the reasons cybersecurity risks have increased. The proposed definition of information systems by the SEC is ‘information resources owned or used by the registrant’, so any private companies who provide services for public companies will likely need to be scrutinized as well. We expect that this will likely become the de facto standard for all organizations, public or private.
Flash back to how the SEC forced financial folks into the boardrooms about twenty years ago, when accounting improprieties fueled U.S. legislation known as the Sarbanes-Oxley Act (SOX). The SEC changes will similarly force CISOs into the boardroom to help ensure that their companies are not only financially sound but also reasonably secure. This evolution has been a long time coming; in my opinion, companies owe this accountability to their shareholders by demonstrating that they’ve exercised reasonableness as it pertains to protecting company assets.
Given the SEC’s focus on cybersecurity over the past several years combined with the fact that cybersecurity has become a regular boardroom topic, the likelihood of the proposed rules being adopted is quite high.
"Over the years, our disclosure regime has evolved to reflect evolving risks and investor needs," said SEC Chair Gary Gensler. "Today, cybersecurity is an emerging risk with which public issuers increasingly must contend. Investors want to know more about how issuers are managing those growing risks. A lot of issuers already provide cybersecurity disclosure to investors. I think companies and investors alike would benefit if this information were required in a consistent, comparable, and decision-useful manner. I am pleased to support this proposal because, if adopted, it would strengthen investors’ ability to evaluate public companies' cybersecurity practices and incident reporting."
How to Prepare?
First and foremost, if you don’t have a CISO, it’s time to have someone take on that role. Not only will this individual need to have a strong understanding of the business (and critical assets), but they will also need to be able to understand cybersecurity/technology so that they can effectively communicate risk at the executive/board level. For many smaller or mid-sized organizations, it may make sense to bring in a fractional (part-time) CISO if the role isn’t big enough for full-time.
This will have a profound impact on reporting structure. I’ve always thought that organizations are making a critical mistake when the CISO reports to the CIO or CTO: the CISO should be independent of them, though of course able to work hand-in-hand with them. Given that we’ve performed in the vCISO capacity for dozens of clients, feel free to reach out and use us as a sounding board to help strategize.
Stay tuned for more information about how to best prepare your organization for the SEC changes in upcoming posts. In the meantime, whether you’d like to have a high-level strategy call or just commiserate (or both!), we’re happy to set up a meeting to discuss the journey.