SEC's Proposed Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies (Schneider Downs)

Technology
May 19, 2023 - Schneider Downs & Co., Inc.


This is a thought leadership article by Han Jumashov and Michael Lorditch at PrimeGlobal member firm Schneider Downs.

The article explores the SEC's Proposed Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies.



“Today, cybersecurity is an emerging risk with which public issuers increasingly must contend” states SEC Chair Garry Censler.

Indeed, the SEC’s proposed amendments and rules would take it a step further by enhancing standardized disclosure procedures related to cybersecurity risk management, strategy, governance, and incident reporting by public companies that are subject to the Securities Exchange Act of 1934.

The main component of the amendment, proposed in March of 2022, would be a requirement that mandates all public companies to disclose cybersecurity incidents within four business days once it has been determined material to the disclosing company.

This requirement contains specific additional and related conditions that are further outlined in the proposal. Hence, the new additions are meant to supplement forms 10-K and 10-Q in terms of providing investors with more timely information regarding registrants’ cybersecurity disposition.


What Does the SEC's Proposed Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies Mean?

In the words of SEC Chair Gary Gensler, the “SEC disclosure regime has evolved alongside the evolving risks and investor needs”. More specifically, however, the core of the proposal is around item 1.05 dedicated to Form 8-K filing which would mandate companies to not only disclose a material cybersecurity incident within 4 business days but also provide additional details about the incidents; details such as whether the incident is ongoing, date of occurrence, whether the incident has caused data loss (including but not limited to unauthorized access, theft, and alteration of data), and whether an entity was able to remediate the incident.

Furthermore, the 106(d) Regulation S-K of the amendment to forms 10-Q and 10-K would now require companies to disclose information regarding any previous cybersecurity incidents and whether they have been determined to be material.

Another notable amendment among many would be Item 407 of regulation S-K that would mandate companies to disclose their board of director members’ cybersecurity experience, should they have any.

Additionally, the proposal would also require periodic reporting on registrants’ policies and procedures to identify and manage cybersecurity risks along with management’s role in implementing such policies and procedures. Lastly, the SEC would require all cybersecurity disclosures to be presented in Inline eXtensible Business Reporting Language.


What Does the SEC's Proposed Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure Mean for Public Companies?

Cybersecurity controls have historically been out of scope from Sarbanes Oxley (SOX) testing for public companies, however, this proposed amendment may see those controls become incorporated into that testing process going forward. Internal Audit and External Auditors traditionally perform a yearly cyber interview based only on inquiry testing for several years to obtain a list of cyber initiatives and controls and then seek to determine if the organization has “experienced a breach within the past 12 months?”.

Within SOX, this inquiry testing process will likely no longer be good enough and it is expected that companies will need to provide evidence through observations as well as detailed evidence. SOX and the auditors also require data sets (populations) to ensure completeness and accuracy.


Will companies be prepared to provide logs of cyber incidents and the way they are aggregated for materiality? This is a key point that organizations need to start thinking about.

The early indications are that organizations will need to implement key cyber controls within their SOX control framework. Companies should take the time to review the proposal and familiarize themselves with the requirements so that discussions with auditors (both Internal and External) can be held to better understand what the expectations are likely to be. The potential impact of these rulings is likely to be far-reaching and we anticipate forthcoming information relating to the final rulings, scope, and key dates in June of 2023.

If you have any questions about the proposed rules or SOX testing for public companies, please contact the Schneider Downs team at cybersecurity@schneiderdowns.com.


Content by:

Schneider Downs & Co., Inc.

Schneider Downs is a top regional accounting and business advisory firm located in the northeastern part of the United States with a significant international reach. For more than 60 years, we have provided professional services to public and private companies, nonprofit organizations, professional associations, service firms and government entities across the United States and around the world. We have more than 500 employees and 56 shareholders and offer more than 100 services with dedicated teams from four business units: Tax, Audit, Consulting and Wealth Management.

Learn more