The US Securities and Exchange Commission (SEC) strives to make a positive impact on the US economy, capital markets and lives of its people. With a history spanning more than 85 years since its inception during the Great Depression, the SEC has remained dedicated to its mission of protecting investors, maintaining fair, orderly, and efficient markets, and facilitating capital formation. Throughout its existence, the SEC has worked diligently to fulfill its mandate and uphold the principles that underpin its role in the financial industry. So, it should come as no surprise that it has decided to be more proactive in combating the ever-growing cybersecurity threat.1
The SEC has proposed amendments aimed at bolstering and standardizing the disclosure requirements related to cybersecurity risk management, strategy, governance and incident reporting for public companies. These proposed amendments reflect the SEC's commitment to adapting its disclosure regime to meet evolving risk factors and investor needs, with cybersecurity now recognized as a significant risk that public issuers must increasingly address.
SEC Chair Gary Gensler emphasizes the importance of providing investors with comprehensive information about how enterprises manage cybersecurity risk. The proposed amendments aim to ensure that such information is consistently disclosed in a comparable and decision-useful manner. While many enterprises already disclose cybersecurity information to investors, mandating uniform and transparent disclosures enhances investors' abilities to assess the cybersecurity practices and incident reporting of public companies.2
In contrast, enterprises often hesitate to report cybercrimes due to concerns regarding the time and cost involved and the belief that it is unlikely to lead to any significant recovery for the organization. The rationale behind this hesitation is that the incident may not be deemed serious enough to warrant the involvement of law enforcement and could be more effectively managed internally. Some enterprises actively seek alternative solutions or strategies to address the situation without involving governing bodies. They are motivated by a desire to minimize any potential negative impacts that could arise from engaging external authorities. This could involve seeking internal resolutions, implementing changes within the organization, or finding other ways to mitigate the issues they are facing, all while avoiding the interference or intervention of governing bodies.3 This means that enterprises with strong opposition to the possibility of mandatory reporting could push back on the proposed SEC rules.
The key provisions of the proposed amendments include prompt reporting of material cybersecurity incidents by public companies. Periodic reports would also be required to provide updates on previously reported incidents. Additionally, registrants would need to disclose their policies and procedures for identifying and managing cybersecurity risk. The role of the board of directors (BoD) in overseeing cybersecurity risk and management's expertise in assessing and implementing cybersecurity measures would also be disclosed. Furthermore, enterprises would be obligated to provide annual or proxy disclosures regarding the cybersecurity expertise of their BoDs, if applicable.
The primary objective of the proposed amendments is to provide investors with enhanced insight into an enterprise’s risk management, strategy, and governance, while ensuring timely notification of significant cybersecurity incidents. The ability of enterprises to effectively meet this disclosure expectation will be challenging without solid risk quantification techniques and consistent risk assessment measures. Since these vary from enterprise to enterprise and are largely dependent on risk appetite, enterprises must constantly adjust these measures to keep risk within established tolerance levels while still achieving their visions. Thus, investors need a certain level of sophistication to interpret the data to factor them into their investment decisions.
In 2022, the SEC took notable steps to safeguard investors from cyberincidents. One significant action was the substantial expansion of the Crypto Assets and Cyber Unit within the Enforcement Division in May 2022.4 Although the full impact of this fortified unit has yet to be determined, early signs indicate promising outcomes in terms of combating cyberthreats effectively. Notably, since the unit’s creation in 2017, it has taken more than 80 enforcement actions targeting fraudulent and unregistered crypto asset offerings and platforms. These actions have led to monetary relief exceeding US$2 billion, with a focus on investigating securities law violations related to crypto asset offerings, crypto asset exchanges, crypto asset lending and staking products, decentralized finance (DeFi) platforms, non-fungible tokens (NFTs), and stablecoins.
To date, multiple enterprises have been charged with deficiencies by the SEC. These charges were a result of identified deficiencies in their programs aimed at preventing customer identity theft, constituting a violation of the SEC's Identity Theft Red Flags Rule (Regulation S-ID). The SEC's orders revealed that these enterprises’ identity theft prevention programs lacked reasonable policies and procedures to identify relevant red flags of identity theft and incorporate them into their programs. Moreover, their programs did not adequately address the appropriate response to detected identity theft red flags or ensure regular updates to mitigate evolving identity theft risk faced by customers.5
The SEC's efforts to enforce cybersecurity extend beyond regulated entities, as individuals are also being held accountable for their involvement in cybersecurity breaches. A notable example of this occurred in August 2022 when the SEC took action against 3 individuals for engaging in illegal tipping and trading activities related to Equifax Inc. securities. These activities took place prior to Equifax's 2017 announcement of a significant cyberintrusion and data breach. The individuals charged were associated with a public relations firm hired to manage inquiries arising from the breach disclosure.6
It is important to note that the SEC's efforts to combat cybersecurity risk are ongoing and continually evolving to address the ever-changing landscape of cyberthreats and technological advancements. However, it remains to be seen whether enterprises are fully prepared for potential future regulations and their impact on cybersecurity practices.
Endnotes
1 US Securities and Exchange Commission, “What We Do,” USA
2 US Securities and Exchange Commission, “SEC Proposes New Requirements to Address Cybersecurity Risks to the US Securities Markets,” USA, 15 March 2023
3 Swinhoe, D.; “Why Businesses Don’t Report Cybercrimes to Law Enforcement,” CSO, 30 May 2019
4 US Securities and Exchange Commission, “SEC Nearly Doubles Size of Enforcement’s Crypto Assets and Cyber Unit,” USA, 3 May 2022
5 US Securities and Exchange Commission, “SEC Charges JPMorgan, UBS, and TradeStation for Deficiencies Relating to the Prevention of Customer Identity Theft,” USA, 27 July 2022
6 Uslaner, J. D.; J. Cooper-Little; “The SEC Is Inching Closer to Clarity on Cybersecurity Requirements,” Reuters, 19 April 2023
Chris McGowan
Is the principal of information security professional practices on the ISACA® Content Development and Services team. In this role, he leads information security thought leadership initiatives relevant to ISACA’s constituents. McGowan is a highly accomplished US Navy veteran with nearly 23 years of experience spanning multidisciplinary security and cyberoperations.