
SEC Proposes Cybersecurity Disclosures: What Your Business Needs to Know

April 21, 2022

By: Tim Marley, VP Audit, Risk & Compliance

SEA Changes

Signed into law by Franklin D. Roosevelt, the Securities Exchange Act (SEA) of 1934 created the SEC and granted it broad authority to regulate the securities industry. It followed the Securities Act of 1933, which was passed to protect investors after the disruptive stock market crash of 1929. Together, the two laws had two priorities: greater transparency and accuracy in the information companies disclose, and less manipulation of the markets through fraud. They did more than add regulation to the markets; they gave investors the protection they needed to make more informed decisions about their investments.


On March 9, 2022, the Securities and Exchange Commission (SEC) voted three-to-one to propose targeted amendments to its rules under the Securities Exchange Act of 1934 (SEA). The proposal, “S7-09-22: Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure,” would require reporting about cybersecurity incidents by public companies that are subject to the reporting requirements of the Securities Exchange Act of 1934. The proposed amendments:

  • Require current reporting about material cybersecurity incidents on Form 8-K 
  • Require periodic disclosures regarding, among other things:
    • A registrant’s policies and procedures to identify and manage cybersecurity risks
    • Management’s role in implementing cybersecurity policies and procedures
    • Board of directors’ cybersecurity expertise, if any, and its oversight of cybersecurity risk
    • Updates about previously reported material cybersecurity incidents
  • Require the cybersecurity disclosures to be presented in Inline eXtensible Business Reporting Language (Inline XBRL)

These proposals are consistent with the SEC’s stated mission: to protect investors, maintain fair, orderly, and efficient markets, and facilitate capital formation.

It is clear that recent decades have fundamentally changed how business happens in an IT environment. It is equally clear that new technology brings new risks and, therefore, new necessary precautions.

The proposed rule is meant to mitigate the fallout from possible failures in a high-functioning yet increasingly vulnerable global IT environment.

While these efforts may be seen as increased red tape and heavy-handed regulation, they offer increased transparency, enhanced protections, structural resilience to attacks, and a more nuanced understanding of risk.

Maintaining Healthy Capital Markets

Wall Street opened May 17, 1792, just a few years after the ink dried on the newly penned US Constitution, signaling a new era of business. The Buttonwood Agreement, from which the New York Stock Exchange traces its founding, was a proportional response to the Financial Panic of 1792, the young nation’s first financial crisis; it was intended to regain public trust in securities and stabilize the market. Throughout financial history, governing institutions have responded to both known and unknown factors facing markets.

This type of legislative prophylactic is intended to protect the carefully orchestrated symphony of capital markets, and our national and global economy, from radical disruptions. As history has shown, this symphony can periodically play off key or out of tune.

The SEC’s recent proposal serves as another layer of protection to mitigate certain risks around cybersecurity management, strategy, governance and, especially, incident disclosure. The proposal states that the amended rules are intended to strengthen investors’ ability to assess public companies’ cybersecurity practices and to provide them with “timely” notification should a material cybersecurity incident take place. Under the proposal, a registrant would have to disclose a material cybersecurity incident on Form 8-K within four business days of determining that the incident is material.

What Do Companies Currently Report to the SEC?

The Securities and Exchange Commission (SEC) requires public companies, certain company insiders, and broker-dealers to file periodic financial statements and other disclosures. Finance professionals and investors rely on SEC filings to make calculated and informed decisions when evaluating whether to invest in a company. SEC rules require public companies to file annual reports on Form 10-K and quarterly reports on Form 10-Q with the SEC on an ongoing basis. Note that a separate SEC proposal, released in February 2022 and aimed at registered investment advisers and funds rather than public companies, would require advisers and funds to adopt and implement written cybersecurity policies and procedures designed to address cybersecurity risks that could harm advisory clients and fund investors. That proposal would also require advisers to report significant cybersecurity incidents affecting the adviser or its fund or private fund clients to the Commission on a new confidential form.

If your company qualifies as a “smaller reporting company” or an “emerging growth company,” it will be eligible to rely on scaled disclosure requirements for these reports.

Key Takeaways 

Investor protection ranks as a high priority within the regulatory scope of the proposed rule, which outlines the criteria companies should consider as they evaluate its effect on their IT environment. The 129-page document provides a broad overview of:

  • Risk management and procedures
  • Increased understanding of cybersecurity at the board level
  • Oversight bodies specific to cybercriminal activity and cybersecurity
  • Incident response plans tied to forensics 
  • Routine logging and monitoring of activity

The impact will reach some 7,848 companies and 973 foreign private issuers, and the SEC estimates that the additional filing requirements will cost in excess of $3 billion.

Compliance burdens come with any system upgrade, and companies that fail to see the value in a culture of cybersecurity will not only be held accountable by the SEC; they also risk being tried in the court of public opinion should a cybersecurity incident occur.

If your organization needs help navigating the cybersecurity landscape, please reach out to Cerberus Sentinel.

Cerberus Sentinel specializes in cybersecurity solutions that build a culture of security within an organization, enabling it to improve security, lower its risk profile, optimize IT infrastructure, and meet regulatory compliance demands through extensive and comprehensive compliance review. Our philosophy: Cybersecurity is a culture, not a product®. We believe culture is the foundation of every successful cybersecurity and compliance program. To deliver this outcome, we developed MCCP+, our holistic approach that ensures you’re secure in every area of your business. We are a publicly traded cybersecurity company listed under the ticker CISO. A nationwide provider of consulting and managed services, with offices and resources across the USA, we specialize in building a culture of awareness for our clients. We were founded with the belief that an acquisition approach is the best way to address the industry-wide skills gap, and we focus on cybersecurity, compliance, and the culture that drives success, acquiring world-class engineering talent who use the latest technology to create innovative solutions that protect even the most demanding businesses and governments against continuing and emerging threats.