Proposed SEC rules tighten cybersecurity

Finance professionals should be planning for stricter SEC cybersecurity preparation and disclosure rules, experts told CFO Brew.

The SEC proposed new amendments to its rules in March 2022 that would compel public companies to “enhance and standardize disclosures” about their cybersecurity, requiring faster disclosure of “material cybersecurity incidents” and updates about those reported incidents, as well as disclosure of cybersecurity risk response plans and board cybersecurity expertise.

“Today, cybersecurity is an emerging risk with which public issuers increasingly must contend,” SEC Chair Gary Gensler said in a March 2022 statement. “Investors want to know more about how issuers are managing those growing risks.”

These new rules are a significant shift in how public organizations report cybersecurity risk, one expert told CFO Brew.

“The government, the SEC in particular, has started to really focus on companies by saying, ‘Who is in charge of your cybersecurity program? And so if something happens, and there is a cyberattack, who do we blame for this cyberattack?’” Amy Bahls, CFO at the National Cybersecurity Center, a Colorado-based cybersecurity education nonprofit told CFO Brew. “It’s going to be really important.”

However, in general, ”the level of cybersecurity awareness and competence is multiple factors better in the EU and in the UK than in the United States,” said Daryl Crockett, CEO of data security consulting firm ValidDatum and a consulting fractional CFO.

But these new rules mean that finance professionals shouldn’t try to deflect or delegate responsibility for organizational cybersecurity.

“No longer can they say, ‘That’s IT and they screwed up,’” Crockett said. “It’s now their neck on the line…that’s going to change the tone of seriousness and bring a lot of focus and attention to this field.”

For the first time, the proposed new SEC rules would create a clear set of requirements for how public organizations should prepare for and report on cybersecurity incidents. The new rules, expected to be finalized in April, come after the SEC announced in May 2022 that it would double the size of its Crypto Assets and Cyber Unit as part of the agency’s ongoing efforts to improve financial reporting and enforcement.

Among the expected changes, public companies will have to do the following:

• Report “material cybersecurity incidents” to the SEC within four business days of discovery, and provide updates on how the organization is responding to the incident
• Identify and disclose any policies and procedures for “identifying and managing” cybersecurity risks
• Disclose the board’s role in oversight of cybersecurity risk, as well as the cybersecurity expertise of any board members
• Describe the role of management in dealing with cybersecurity risks and in the implementation of cybersecurity policies, procedures, and strategies

As the finance function is often responsible for organizational compliance and risk management efforts, its role in creating a corporate culture of cybersecurity awareness is likely to be front and center, according to Crockett.

That also means that finance departments will need to work closely with the IT and cybersecurity teams within their organizations to gather and report the required information.

However, there is some concern that new, more stringent rules could, in some cases, lead to less transparency, according to Bahls.

“The fear over the next few years is, as the government pushes toward more regulations and fines over cyber incidents, are we going to overregulate so much that big companies are going to hide what’s really happened to them?” she said. “That is where we do not want to go.”—DA