By May 2023, the US Securities and Exchange Commission (SEC) will require all registered companies to:
Report within 96 hours on:
Report periodically on:
These amendments “are intended to better inform investors about a registrant’s risk management, strategy, and governance and to provide timely notification of material cybersecurity incidents”.
Will it have the desired effect? Possibly.
What does this mean for the affected companies?
To date, most companies confine their remarks on cyber security to a few paragraphs under the strategic risks section of their quarterly or annual reports. In some cases the language barely changes from year to year – it’s an important risk, yada yada. To a casual reader, the documents say little – and by inference, they say a lot. The music changes for companies that have been breached and now realise the error of their ways, or for those that recognise the importance of an informed dialogue with their shareholders about the risks they are having to run, and who realise that you cannot guarantee you will not be successfully attacked – and that if you are, you have a plan: a plan that has been tested, and works.
The new SEC reporting requirements will release more information into the public domain. On the one hand this may foster better behaviour – it is to be hoped that companies will recognise the benefits of investing in their cyber defences and reporting this (without compromising security) to their shareholders. Companies will not want to disclose that they do not have adequate policies or procedures and may use these changes to upgrade the cyber capability of their Board and clarify the role of management in dealing with the cyber issue. More significantly, perhaps, companies will have to disclose ‘material’ cyber security events (trigger to be determined) within (to be confirmed) 4 working days.
But
This will not make things better overnight. Shining a light into the darkness may illuminate an unhappy scene. Being obliged to set out what you are doing does not mean you are doing it well. And a balance needs to be struck between what you need to publish and what you need to keep private, so as not to give bad actors any more than the absolute minimum of additional information.
These changes may, however, if exercised well, give shareholders an important ‘locus standi’ in the discussion with management about what is important. A breach is in no-one’s interests; sharing the problem of capital investment priorities with shareholders may help management invest in the right things; and co-opting the shareholders into corporate strategies around reducing the impact of a cyber event cannot hurt.
This approach carries risks too. If your team is not expert, or at least well briefed, you might lose the support of shareholders. You will need to judge if your Board and your Management team understand the cyber threat – and the right level at which to pitch your messages to shareholders. You also need to understand what your competitors are doing under this new regime – you do not want this exercise to become a driver of competitive disadvantage.
When is good, good enough?
In these complex economic times, it is ever more important to recognise that there is no such state as 100% secure. Getting the basics right will probably cover about 80% of the risks; it will be a value judgement as to the efficacy of moving beyond 80% to ensure that what really matters is as safe as possible.
Just having a set of boilerplate policies and procedures doesn’t make you secure. This is an opportunity for management to reassure shareholders that they take the cyber risk seriously and are addressing it in a proportionate and measured way. Using third-party assessors can increase comfort levels, without the glow of optimism that emanates from self-assessments. And being able to evidence to all (shareholders, regulators, etc.) that you have thought and acted sensibly about the risk will stand you in good stead with authorities and your own shareholders should an attack succeed.
What is the real issue?
What gets measured, gets done
The SEC has taken a bold first step. Other jurisdictions will follow. It is important that shareholders use this information wisely, to help preserve and protect shareholder capital and to demonstrate visible support for the plans companies will need to have to improve their cyber posture.
If you would like to discuss this, or any other cyber issues, please don’t hesitate to contact us.