How CISOs and boards can prepare for the new era of cyber transparency

As regulators make businesses and government agencies more accountable for their cyber practices, it’s increasingly important for organizations to enhance their external cyber reporting capabilities.

What’s different about the newest regulations? Transparency into cyber practices and incidents is turning from voluntary to mandatory, from statutory to actionable, from inconsistent and incomplete to decision-useful. The more extensive information-sharing should empower businesses to build more comprehensive actions and defenses against one of the most daunting risks they face. 

On March 15, the Cybersecurity Incident Reporting for Critical Infrastructures Act of 2022 was signed into law. It requires companies that are attacked to report significant cyber incidents, and it offers protections incentivizing them to report.  

On March 9, the Securities and Exchange Commission (SEC) published a proposal for Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies. The SEC’s proposed rules are extensive because, in the words of SEC Chair Gary Gensler, “Investors are looking for consistent, comparable, and decision-useful disclosures so they can put their money in companies that fit their needs.”

In a nutshell: SEC’s proposed disclosure requirements for public companies

Cyber incident reporting

  • A “material” cybersecurity incident would have to be reported on a Form 8-K within four business days of it being determined to be material
  • Provide updated disclosure on previously disclosed cybersecurity incidents in 10-Ks and 10-Qs
  • Disclose, to the extent known to management, when a series of previously undisclosed individually immaterial cybersecurity incidents has become material in the aggregate in 10-Ks and 10-Qs

Cyber risk management and strategy

  • Describe the company’s policies and procedures, if any, for the identification and management of risks from cybersecurity threats, including whether cybersecurity is part of the business strategy, financial planning and capital allocation

Cyber governance

Expand disclosures on:

  • The board’s oversight of cybersecurity risk
  • Management’s role and expertise in assessing and managing cybersecurity risk and implementing cybersecurity policies, procedures and strategies
  • Any member of the board of directors who has expertise in cybersecurity, including the name(s) of any such director(s) and any detail necessary to fully describe the nature of the expertise

For more details on the proposal, see our In brief, SEC proposes new cybersecurity disclosure requirements.

It’s not just regulators who want more light on cybersecurity risks. Cybersecurity is the top concern of CEOs around the world. Boards want to have more confidence in their understanding of their companies’ cyber risk exposure. Other stakeholders—including investors, consumers and employees—want to understand how much they can trust in the ability of businesses and entire systems to withstand increasing cyber threats.

Cybersecurity on everyone’s mind: A case for greater cyber transparency

Higher bar on cyber disclosures for better cyber risk management

Cyber threats loom large on most people’s minds because the ability of organizations to size up the evolving cyber risks they face is generally weak. The information coming from these proposed mandatory SEC cyber disclosure rules can help stakeholders understand how a company manages its cyber risk exposures.

For greater CEO confidence to innovate and grow

Among the top six concerns of the CEOs we surveyed around the world, cybersecurity is the one most associated with inability to innovate. Cyber risks threaten companies’ future. With greater focus on managing cyber risks, CEOs (the ultimate risk owners) can do much more to increase the resiliency of their organization as they innovate.

For investors and other stakeholders to separate the cyber-ready from those that aren’t

Cybersecurity has become an existential threat. Cyber breaches can lead to a cascade of other risks: operational, reputational, brand and financial. A cyber incident can affect shareholder value, temporarily or permanently. But beyond incident reporting, the SEC proposal can help investors understand how cyber risks are managed and how the board oversees them. It’s especially vital during a time of great and accelerated digital transformations, and it’s important for future cyber-readiness as businesses continue to add ways that they and their ecosystems can be connected—and therefore attacked.

For decision makers to decide on the right amount of cyber resources

In a post-incident review of the Conti ransomware attack in May 2021 on Ireland’s Health Service Executive (HSE), which operates the country’s public health system, it became clear that adequate resources are critical for the security maturity of any organization. Since late 2020, when a succession of cyber attacks became headline news, cyber spending has increased by double digits in 26% of organizations. As management and boards gain greater insights into how their companies enhance their cyber risk management programs to meet regulations, they will have better information in assessing their resources.

For improved collective public-private sector cyber defense

The cyber incident reporting law signed by President Biden on March 15 puts responsibility on the Cybersecurity and Infrastructure Security Agency to put the reported information to good use. Not one entity — public or private — can secure cyberspace, and the law cements information-sharing as a mechanism to strengthen public-private sector resilience and the collective ability to address immediate and impending cyber risks.

The gap between the new requirements and current disclosures

The state of current disclosures illustrates three gaps.

Despite the increase in significant and new kinds of cyber attacks in 2020 and 2021 counted by cyber researchers, the number of cyber incident disclosures in 8-Ks or 10-Ks has trended downward from 2019. In 2020, 117 breaches were reported, down from a high of 144 in 2019, according to Audit Analytics’ Trends in Cybersecurity Breaches.

For many companies, current disclosures provide limited insights into their risk management programs. Companies commonly do not provide information about policies and procedures such as third-party risk management practices, whether they use advisors or other third-parties for additional insights on their cybersecurity programs or on their business continuity and recovery plans.

While many companies disclose some information about their governance structure, including who at the management level addresses cyber risks and where cybersecurity oversight is assigned at the board level, other information around the frequency of board reporting and specific details about cyber expertise on the board is limited and inconsistent.

How CISOs and boards should start to prepare

CISOs need to work on ramping up capabilities and capacity to report and shoring up their cybersecurity posture. Boards will want to oversee these activities. Two distinct but related risks are at play here: the risk of not being able to report in the manner and time required and the risk of public discovery of less-than-robust risk management practices. 

Companies worry that disclosing weaknesses in cyber risk management may be tantamount to handing a playbook for threat actors. But even for those with robust cyber risk strategy, governance and processes, the capability and capacity to report may be lagging. 

CISOs can position their teams to work with general counsel and other senior executives to assess the proposed rules and prepare to translate strategy and practices into an accurate, cohesive and compelling narrative on the company’s cyber risk management practices. 

Questions the CISO and board will want to address:

  • Have we performed a gap assessment of how current risk management practices and disclosures align with the proposed SEC rules, and do we have a plan to address those gaps?
  • How is cybersecurity plugged into the disclosure committee—the team handling disclosure, controls and procedures (DC&P)—and other teams tasked with reporting information externally?
  • Which aspects of the rules are relatively easy to address and which ones may require more time or information to assemble?
  • How prepared is our company to disclose different types of information—and have we considered what the anticipated market reactions are to our disclosure?
  • What will require significant changes in our cyber risk management practices and will we make continuous assessments of the effectiveness of those changes?
  • Will our company comment on the SEC’s proposal within the comment period to share our perspectives?

The new era of cyber transparency means that CISOs should focus on building their capability to present information in a way that the board, senior management and investors can understand and act upon. It requires a communication strategy that’s different from the everyday jargon of cybersecurity. The CISO should not rely on others to have security knowledge. Instead, the CISO should take security knowledge to stakeholders, making the topic relevant to them and absorbable by them. CISOs should think through their communication frequency and content with boards and CEOs to ensure they’re addressing key cybersecurity risks.

With the evolving cybersecurity risks, the board will want to address whether it needs cyber expertise to effectively oversee this risk. This expertise needs to be considered in the broader context of board composition. Adding cyber expertise could be a significant change for many boards since only 34% of S&P 500 companies disclosed that a member of the board of directors was a cybersecurity expert in 2021, according to the Center for Audit Quality. Additional training and educational sessions with directors can also be valuable. 

The proposed SEC rules and the new Cybersecurity Incident Reporting for Critical Infrastructures Act of 2022, while requiring incremental effort and disclosure, should lead to more comprehensive actions and defenses against one of the most daunting risks companies face.

Contact us

Sean Joyce

Global Cybersecurity & Privacy Leader, US Cyber, Risk and Regulatory Leader, PwC US

Joseph Nocera

Cyber, Risk and Regulatory Marketing Lead Partner, PwC US

Matt Gorham

Cyber & Privacy Innovation Institute Leader, PwC US

Barbara Berlin

Managing Director, Governance Insights Center, PwC US

John Oleniczak

Partner, Governance Insights Center, PwC US