
- Cyber Watch -

Cyber Disclosures: New Regulation on the Horizon

The SEC is eyeing a fresh set of rules, but how will they change requirements for cyber-risk revelations, and what best practices do financial institutions need to adopt to comply?

Friday, December 10, 2021

By Christopher Hetner and Lisa Quateman


Amid a global surge in cyberattacks, the U.S. Securities and Exchange Commission (SEC) is expected to soon release a rule proposal aimed at providing investors with increased cyber-risk transparency. Specifically, the SEC will likely outline requirements on how companies should address cyber incident risk management and incident disclosure.

Earlier this year, in a speech he gave to the European Parliament Committee on Economic and Monetary Affairs, SEC Chair Gary Gensler said that the pending rule proposal will likely address “cyber hygiene and incident reporting.” When the proposal is ready, the SEC is expected to invite industry participants to provide comments before the finalization of any rule – but financial institutions eventually will need to re-examine (and, in some cases, adjust) their cyber disclosure best practices.


While we do not yet know the exact nature and scope of future cyber-risk disclosure requirements, there is no question that cybersecurity is top-of-mind at the SEC. In addition to Gensler’s comments, the regulator has also recently taken enforcement actions against eight financial services firms for cyber breaches. Those cases all involve mismanagement of cyber incidents, and the recurring themes were delayed notification, failure to adopt and follow adequate disclosure policies and procedures, and misleading statements and omissions.

One of the most high-profile SEC cyber-breach cases was brought against the Cetera Entities, a group of broker-dealer and investment advisory companies. Between 2017 and 2020, the email accounts of more than 60 Cetera Entities personnel were accessed by unauthorized third parties, exposing the personally identifying data of more than 4,300 customers and clients.

Moreover, two companies within the group (Cetera Advisors LLC and Cetera Investment Advisors LLC) were accused of sending misleading breach notifications to their clients: the notifications included language suggesting that the alerts had been issued much sooner after discovery of the breach than they actually were. The Cetera Entities eventually agreed to pay a $300,000 penalty.

Similar cases have been brought by the SEC against a variety of institutions, including SolarWinds and Pearson PLC, a London-based publishing and education company that agreed to pay a $1 million fine for a 2018 data breach.

Ongoing Cyber Guidance: Learning from History

Through its recent enforcement actions and the expected rule proposal, the SEC is doubling down on the cybersecurity guidance it issued in 2018, which followed a series of high-profile cyber incidents at companies where senior leadership delayed notification of compromises. The 2018 guidance was intended, in part, to enable investors to make more informed decisions by requiring financial institutions to increase their cyber transparency.

In 2018, the focus was on public company cybersecurity disclosure requirements, highlighting the importance of comprehensive cyber policies and procedures; timely disclosure of material cyber risks and incidents; and the application of insider trading prohibitions in the cybersecurity context.

Under the 2018 SEC Guidance, reporting organizations were expected to (1) establish an appropriate method of identifying the impact of cyber risks and incidents; (2) assign oversight of cybersecurity to the board of directors; (3) establish disclosure controls, policies and procedures relating to identification, management and remediation of cybersecurity risks; and (4) implement protocols for determining materiality of cyber risks and incidents.

Best Practices

Given the increased regulatory scrutiny and the pending SEC rule proposal on cyber disclosures, financial institutions need to figure out their next steps. So, what are the leading practices in developing cybersecurity disclosure controls and procedures?


Step one is to engage company personnel at all levels of the organization to identify the company’s key digital assets and their associated cybersecurity risks. These assets can include, for example, customer records, marketing plans, financial information, employee health records and intellectual property.

Subsequently, an organization should evaluate the potential financial, reputational or operational ramifications of cyber breaches that could impact these assets. Sophisticated benchmarking tools can help with this evaluation.

When developing disclosure controls, policies and procedures, include realistic timelines and identify roles and responsibilities as specifically as possible. Take into account that responsible personnel may be promoted, leave the organization or otherwise fail to adhere to the procedures, so it is important to incorporate checks, balances and back-ups. Whenever new technologies are adopted or new business plans are initiated, consider the cyber risks and the new disclosure procedures that may become necessary to adapt to these changes.

After documenting its disclosure controls, policies and procedures, a company must then pay close attention to the practical, day-to-day implementation of its cyber disclosure strategy. Training and reinforcement are key.

Organizations must also monitor the disclosure process for accuracy and completion. Board-level engagement and oversight are essential.

Cyber-risk disclosure is certainly not a “one-and-done” exercise. Rather, it should be an ongoing part of a company’s enterprise risk management framework.


Christopher Hetner is a risk management expert with more than 25 years of experience in cyber risk, regulatory compliance and corporate governance. He currently serves as an expert advisor to the Institute for Defense Analyses (U.S. Department of the Treasury), a special advisor for cyber risk for NACD, and a national board member of the Society of Hispanic Professional Engineers. Previously, he worked as the senior cybersecurity advisor to the Securities Exchange Commission Chairs Mary Jo White and Jay Clayton. He can be reached at chetner10@gmail.com.

Lisa Quateman currently serves as a board director, audit and risk committee member, and Compensation Committee Chair for a NYSE-traded mortgage REIT. She is also a board director and audit committee member for several other infrastructure and financial services companies. Quateman, a NACD Board Leadership Fellow, formerly worked as a senior partner at the law firm Polsinelli, where she specialized in financial services, real estate and infrastructure finance. She can be reached at Lquateman@quateman.com.


© 2021 Global Association of Risk Professionals