
By Carlos Borella

São Paulo/SP 5/17/2022 – In order to provide clearer guidance, on March 9, 2022, the SEC proposed rules focused on strengthening cybersecurity posture, applicable to more than 8,000 registrants. The proposal is designed to better inform investors about a registrant's risk management, strategy and governance, and to provide timely and structured notification should incidents occur.

The Securities and Exchange Commission (SEC) issues guidance related to cyber security. Since 2011, interpretive guidance has been released to registrants (listed companies); disclosure practices have nonetheless remained inconsistent.

In order to provide clearer guidance, on March 9, 2022, the SEC proposed rules focusing on strengthening cybersecurity posture, applicable to more than 8,000 registrants. The proposal is designed to better inform investors of a registrant's risk management, strategy and governance, to provide timely and structured notification should material[1] cyber security incidents occur, and to allow investors to properly assess their exposure.

Briefly, the SEC proposes that:

  • Reports of (material) cyber security incidents must be filed using Form 8-K[2];
  • Registrants must periodically disclose:
    • Policies and procedures to identify and manage cyber security risks;
    • Role of management in implementing cyber security policies and procedures;
    • Board of Directors' cyber security experience, if any, and how it is performed/supervised;
    • Updates on previously occurred/reported (material) cybersecurity incidents.
  • Disclosures of cyber security incidents must be reported in Inline eXtensible Business Reporting Language (Inline XBRL)[3].

Specifically regarding the disclosure of new incidents (material or otherwise), the following items were proposed:

  • Registrants must disclose information about (material) cyber security incidents experienced by the organization within four business days (updates were made to Form 8-K);
  • Registrants must provide updates on previously undisclosed, individually immaterial cyber security incidents that have become material in the aggregate (updates were made to Form 20-F);
  • Cyber security incidents are included as a reporting topic (updates were made to Form 6-K).

In addition to better structuring the disclosure of incidents, the SEC proposed improved and standardized disclosure by registrants of their cyber security risk management, strategy and governance (updates were made to Form 20-F). In summary, the proposal requires:

  • Registrants to describe their policies and procedures, if any, for identifying and managing cyber security threat risks, including whether the registrant considers cyber security a part of its business strategy, financial planning, and capital allocation. Additionally, registrants must disclose the role and experience of the Board of Directors in cyber security and its performance in the assessment and management of cyber security risk, as well as in the implementation of cyber security policies, procedures and strategies;
  • Disclosure, in annual reports, of board members' cyber security experience.

Finally, most of the SEC's registrants are large corporations that in recent years have created and implemented cyber security controls in their operations, driven by market regulations (BC4893), national (LGPD) and international (GDPR) laws, frameworks and best practices (SANS, NIST), and even pressure from the market itself to gain a competitive advantage by obtaining a seal or certification related to the topic, such as ISO 27001.

It is evident that this SEC proposal aims to: structure and standardize the disclosure of cyber security incidents, map each registrant's cyber security program, and identify the level of knowledge of the Board of Directors regarding the central theme of the proposal (cybersecurity awareness).

Certainly, all the actors involved stand to benefit, since such initiatives will foster greater cyber security maturity among registrants and bring greater transparency and knowledge of the topic to their investors.

[1] What defines the materiality of a cyber security incident? Registrants must develop internal protocols to objectively determine incident materiality. The SEC recommends that both quantitative and qualitative factors be considered, based on the nature, extent, and potential magnitude of harm from an incident. Additionally, the assessment should consider the costs associated with an incident, whether these exceed a certain financial threshold relative to the company's general assets, equity, revenue or net income, and the impact the incident has or may have on business strategy, financial outlook and financial planning.

[2] Form 8-K is a very broad form and one of the most used for notifying investors of material facts arising from specific events that may be important to shareholders or the SEC.

[3] Inline XBRL is a structured data language that allows a single document to be readable by humans and/or computers.

References:

  • https://www.sec.gov/files/33-11038-fact-sheet.pdf
  • https://www.sec.gov/rules/proposed/2022/33-11038.pdf

— Carlos Borella is Partner, CEO, Cyber Leader at [SAFEWAY]

How can we help?

SAFEWAY is an Information Security consulting company recognized by its clients for offering high value-added solutions through projects that fully meet the needs of the business. In 14 years of experience, we have accumulated several successful projects that have earned us credibility and prominence with our clients, who largely make up the 100 largest companies in Brazil.

Today, through 25 strategic partnerships with global manufacturers and our SOC, SAFEWAY is considered a one-stop shop with the best solutions in technology, processes and people. We have both the technical skills and the experience necessary to assist your company in the process of structuring controls and preparing the environment for the implementation of an ISMS, SGS or SGCN and, consequently, certification of operations, services or companies to the ISO27001, ISO20000 or ISO22301 standards.

In order to support companies in this process of evaluation and adaptation to the requirements of the LGPD, [SAFEWAY] has in its portfolio of services the Cybersecurity Health Check, whose objective is to carry out a diagnosis of the Cyber Security, Information Security and Data Privacy controls implemented in your company, covering the pillars of Processes, People and Technology.

Through the Cybersecurity Health Check, risks associated with the information security and privacy of internal processes and activities are identified, and existing and new controls are evaluated according to the size of your organization to increase the level of maturity and compliance, in accordance with good information security practices. If you would like more information, contact one of our experts!