Monday, February 6, 2023
New SEC Cyber Security Reporting Requirements: it ain’t what you do, it’s the way that you do it?

By May 2023, the US Securities and Exchange Commission (SEC) will require all registered companies to:

Report within 96 hours on:

  • material cybersecurity incidents;

Report periodically on:

  • policies and procedures to identify and manage cybersecurity risks;
  • management’s role in implementing cybersecurity policies and procedures;
  • the board of directors’ cybersecurity expertise, if any, and its oversight of cybersecurity risk; and
  • updates on previously reported cybersecurity incidents.

These amendments “are intended to better inform investors about a registrant’s risk management, strategy, and governance and to provide timely notification of material cybersecurity incidents”.

Will it have the desired effect? Possibly.

What does this mean for the affected companies? 

To date, most companies confine their remarks on cyber security to a few paragraphs under the strategic risks section of their quarterly or annual reports. In some cases, the language used does not change much from year to year – it’s an important risk, yada yada. As a casual reader, the documents tell you little – and by inference, they tell you a lot. The music changes for those companies that have been breached, and who now realise the error of their ways; or those who recognise the importance of an informed dialogue with their shareholders about the risks they are having to run, and who realise that you can’t guarantee that you will not be successfully attacked – and that if you are, you have a plan – a plan that has been tested, and works.

The new SEC reporting requirements will release more information into the public domain. On the one hand this may foster better behaviour – it is to be hoped that companies will recognise the benefits of investing in their cyber defences and reporting this (without compromising security) to their shareholders. Companies will not want to disclose that they do not have adequate policies or procedures, and may use these changes to upgrade the cyber capability of their Board and clarify the role of management in dealing with the cyber issue. More significantly, perhaps, companies will have to disclose ‘material’ cyber security events (trigger to be determined) within (to be confirmed) 4 working days.

But 

This will not make things better overnight. Shining a light into the darkness may illuminate an unhappy scene. Being obliged to set out what you are doing does not mean you are doing it well. And a balance needs to be struck between what you need to publish and what you need to keep private, so as not to give bad actors any more than the absolute minimum of additional information.

These changes may, however, if exercised well, give shareholders an important ‘locus standi’ in the discussion with management about what is important. A breach is in no-one’s interests; sharing the problem of capital investment priorities with shareholders may help management invest in the right things; and co-opting the shareholders into corporate strategies around reducing the impact of a cyber event cannot hurt.

This approach carries risks too. If your team is not expert, or at least well briefed, you might lose the support of shareholders. You will need to judge whether your Board and your Management team understand the cyber threat – and the right level at which to pitch your messages to shareholders. You also need to understand what your competitors are doing under this new regime – you do not want this exercise to become a driver of competitive disadvantage.

When is good, good enough? 

In these complex economic times, it is ever more important to recognise that there is no such state as 100% secure. Getting the basics right will probably cover about 80% of the risks; it will be a value judgement as to the efficacy of moving beyond 80% to ensure that what really matters is as safe as possible.

Just having a set of boiler-plate policies and procedures doesn’t make you secure. This is an opportunity for management to reassure shareholders that they take the cyber risk seriously and are addressing it in a proportionate and measured way. Using third-party assessors can increase comfort levels, without the glow of optimism that emanates from self-assessments. And being able to evidence to all (shareholders, regulators, etc.) that you have thought and acted sensibly about the risk will stand you in good stead with authorities and your own shareholders should an attack succeed.

What is the real issue?

  • The SEC is doing the right thing in trying to improve company cyber resilience and provide shareholders with more information about the steps companies are taking to protect themselves (and their shareholder equity) 
  • But the SEC is not an expert or an enforcement agency – nor can it make value judgements or stipulate what a company should do 
  • Rather it seeks to require companies to disclose what they are doing – and enable stakeholders to engage with corporate leadership 
  • It is reasonable to expect that disclosure will require improved performance 
  • Rapid disclosure of incidents is important, but there will need to be some clarity about the materiality threshold 
  • Shareholders need to engage with management

What gets measured, gets done 

The SEC has taken a bold first step. Other jurisdictions will follow. It is important that shareholders use this information wisely, to help preserve and protect shareholder capital and to demonstrate visible support for the plans companies will need to have to improve their cyber posture.

If you would like to discuss this, or any other cyber issues, please don’t hesitate to contact us. 

  • William Egerton
    Chief Cyber Officer