The information disclosed by companies under this rule would be submitted in eXtensible Business Reporting Language (XBRL) to be made broadly available to market participants for comparison, filtering, and analysis.2 This is important to the board from both a compliance and a shareholder value perspective. It’s an opportunity for a company to differentiate itself from competitors through its cultural and infrastructure investments in IT security.
The March 9, 2022, SEC proposed rules for publicly traded companies supplement the SEC’s guidance of October 13, 2011, and February 26, 2018, regarding disclosure of cybersecurity breaches and incidents. It makes the requirements more comprehensive, including reporting on:
Cybersecurity incidents and updating incidents previously reported.
This would require the board to become more aware of and involved in the company’s cyber risk posture. The chief information security officer (CISO) is best positioned to enable the board in this regard. The SEC guidance encourages the board to seat directors with cybersecurity expertise and perhaps stand up a cybersecurity committee.
Reporting of cyber incidents including breaches is the focus of the existing SEC rules. The proposal expands this to require reporting within four business days of the date that the company determines it to be material. Included in the reporting is when the incident is discovered, if it is ongoing, the scope, if data was stolen or accessed, its effect on operations, and the status of remediation.
The scope of reportable incidents would be expanded to include those smaller incidents, which, in the aggregate, become material.
The term “material” is defined as whether a reasonable shareholder would consider it important, leaving some room for interpretation.
The proposal requires that the company update its reporting on an incident with any material changes in its quarterly or annual report.
This makes it all the more important that companies have tools in place to prevent attacks and minimize time to detection, like Microsoft 365 Defender and Microsoft Sentinel. They need to minimize the impact of a breach. A data breach may be reportable to regulators and customers or a minor incident dealt with by the security team. The company needs the tools, like Microsoft Purview Premium Audit, to know which. Without the right tools in place before the incident, a company may have to do more reporting to regulators and the marketplace than is necessary.
Companies would be required to disclose if they have a cybersecurity risk assessment program and to describe it. This includes how the company works with auditors, consultants, and other third parties.
They would be required to describe how they protect, detect, and minimize the effects of cybersecurity incidents. They would describe their cybersecurity policies and procedures, including business continuity and disaster recovery. They would describe how they select, retain, and use third parties to enable these activities and also how cybersecurity considerations affect the selection of service providers. They would describe how past cybersecurity incidents have influenced these as lessons learned.
How the selection of partners, including cloud service providers, affects the company’s security posture would be communicated to the marketplace. The company needs information to assess this and ensure that the vendor is a good security partner throughout the relationship.
Microsoft provides the service trust portal to give our customers the third-party assessments and evidence they need to make informed decisions and to support them during assessments and audits. We provide information for Microsoft Azure, Microsoft Dynamics 365, and Microsoft 365 customers to help comply with a wide range of global, regional, industry, and government regulations with our Microsoft compliance offerings documentation. For customers to assess their compliance with more than 350 regulatory standards in Microsoft 365, we offer Microsoft Purview Compliance Manager. For Azure customers, Microsoft provides the Regulatory compliance dashboard in Microsoft Defender for Cloud, which also provides visibility into the compliance posture of non-Microsoft clouds.
Companies would be required to describe how cybersecurity incidents have or might in the future affect their operations and financial performance and how these risks are dealt with as part of the company’s business planning.
This aligns with corporate governance scoring that credits companies for the investment, planning, and expertise in IT security. It provides an increased return on a company’s cultural and infrastructure investments in IT security.
Companies would disclose their cybersecurity governance including a description of both how the board and how management provide oversight, assess, and manage cybersecurity risk. They would describe management’s cybersecurity expertise and role in cybersecurity for the company.
Companies would disclose each board member with cybersecurity expertise and describe it under the proposed rule. The proposed rule is not prescriptive as to what constitutes expertise. It provides some examples such as experience in information security, policy, architecture, engineering, incident response, certifications, or degrees.
This may encourage organizations to select directors with these skill sets. It may also encourage a company to stand up a cybersecurity committee within the board.
This will likely mean that the CISO will be enabled to advocate for the needs of the information security program, and communicate the security posture and plans to an informed audience. It may provide opportunities for cybersecurity professionals to serve on boards.
Whatever the final content of the SEC rule, it will be an opportunity for the CISO to increase and highlight the value of the IT security function. It will expand the scope of their communications with the board. It will supplement the business case for investment in IT security. By making information on a company’s cybersecurity posture and governance broadly available, stakeholders can make better-informed decisions about cyber risk. This helps transition IT security from a cost center to a business enabler where it belongs.