As regulators make businesses and government agencies more accountable for their cyber practices, it’s increasingly important for organizations to enhance their external cyber reporting capabilities.
What’s different about the newest regulations? Transparency into cyber practices and incidents is turning from voluntary to mandatory, from statutory to actionable, from inconsistent and incomplete to decision-useful. The more extensive information-sharing should empower businesses to build more comprehensive actions and defenses against one of the most daunting risks they face.
On March 15, the Cybersecurity Incident Reporting for Critical Infrastructures Act of 2022 was signed into law. It requires companies that are attacked to report significant cyber incidents, and it offers protections incentivizing them to report.
On March 9, the Securities and Exchange Commission (SEC) published a proposal for Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies. The SEC’s proposed rules are extensive because, in the words of SEC Chair Gary Gensler, “Investors are looking for consistent, comparable, and decision-useful disclosures so they can put their money in companies that fit their needs.”
SEC’s proposed disclosure requirements for public companies
Cyber incident reporting
A “material” cybersecurity incident would have to be reported on a Form 8-K within four business days of its being determined to be material
Provide updated disclosure on previously disclosed cybersecurity incidents in 10-Ks and 10-Qs
Disclose, to the extent known to management, when a series of previously undisclosed individually immaterial cybersecurity incidents has become material in the aggregate in 10-Ks and 10-Qs
Cyber risk management and strategy
Describe the company’s policies and procedures, if any, for the identification and management of risks from cybersecurity threats, including whether cybersecurity is part of the business strategy, financial planning and capital allocation
Expand disclosures on:
Management’s role and expertise in assessing and managing cybersecurity risk and implementing cybersecurity policies, procedures and strategies
Any member of the board of directors who has expertise in cybersecurity, including the name(s) of any such director(s) and any detail necessary to fully describe the nature of the expertise
For more details on the proposal, see our In brief, “SEC proposes new cybersecurity disclosure requirements.”
It’s not just regulators who want more light on cybersecurity risks. Cybersecurity is the top concern of CEOs around the world. Boards want to have more confidence in their understanding of their companies’ cyber risk exposure. Other stakeholders—including investors, consumers and employees—want to understand how much they can trust in the ability of businesses and entire systems to withstand increasing cyber threats.
Cyber threats loom large on most people’s minds because the ability of organizations to size up the evolving cyber risks they face is generally weak. The information coming from these proposed mandatory SEC cyber disclosure rules can help stakeholders understand how a company manages its cyber risk exposures.
Among the top six concerns of the CEOs we surveyed around the world, cybersecurity is the one most associated with an inability to innovate. Cyber risks threaten companies’ futures. With greater focus on managing cyber risks, CEOs (the ultimate risk owners) can do much more to increase the resiliency of their organizations as they innovate.
Cybersecurity has become an existential threat. Cyber breaches can lead to a cascade of other risks: operational, reputational, brand and financial. They can affect shareholder value, temporarily or permanently. But beyond incident reporting, the SEC proposal can help investors understand how cyber risks are managed and how the board oversees them. This transparency is especially vital during a time of great and accelerated digital transformation, and it’s important for future cyber-readiness as businesses continue to add ways that they and their ecosystems can be connected—and therefore attacked.
In a post-incident review of the Conti ransomware attack in May 2021 on Ireland’s Health Service Executive (HSE), which operates the country’s public health system, it became clear that adequate resources are critical to the security maturity of any organization. Since late 2020, when a succession of cyber attacks became headline news, cyber spending has increased by double digits in 26% of organizations. As management and boards gain greater insight into how their companies enhance their cyber risk management programs to meet regulations, they will have better information for assessing their resources.
The cyber incident reporting law signed by President Biden on March 15 puts responsibility on the Cybersecurity and Infrastructure Security Agency to put the reported information to good use. No single entity — public or private — can secure cyberspace on its own, and the law cements information-sharing as a mechanism to strengthen public-private sector resilience and the collective ability to address immediate and impending cyber risks.
The state of current disclosures illustrates three gaps.
CISOs need to work on ramping up capabilities and capacity to report and shoring up their cybersecurity posture. Boards will want to oversee these activities. Two distinct but related risks are at play here: the risk of not being able to report in the manner and time required and the risk of public discovery of less-than-robust risk management practices.
Companies worry that disclosing weaknesses in cyber risk management may be tantamount to handing threat actors a playbook. But even for those with robust cyber risk strategy, governance and processes, the capability and capacity to report may be lagging.
CISOs can position their teams to work with general counsel and other senior executives to assess the proposed rules and prepare to translate strategy and practices into an accurate, cohesive and compelling narrative on the company’s cyber risk management practices.
Questions the CISO and board will want to address:
The new era of cyber transparency means that CISOs should focus on building their capability to present information in a way that the board, senior management and investors can understand and act upon. It requires a communication strategy that differs from the everyday jargon of cybersecurity. The CISO should not rely on others to have security knowledge. Instead, the CISO should bring security knowledge to stakeholders, making the topic relevant to them and easy for them to absorb. CISOs should think through the frequency and content of their communication with boards and CEOs to ensure they’re addressing key cybersecurity risks.
With the evolving cybersecurity risks, the board will want to address whether it needs cyber expertise to effectively oversee this risk. This expertise needs to be considered in the broader context of board composition. Adding cyber expertise could be a significant change for many boards since only 34% of S&P 500 companies disclosed that a member of the board of directors was a cybersecurity expert in 2021, according to the Center for Audit Quality. Additional training and educational sessions with directors can also be valuable.
The proposed SEC rules and the new Cybersecurity Incident Reporting for Critical Infrastructures Act of 2022, while requiring incremental effort and disclosure, should lead to more comprehensive actions and defenses against one of the most daunting risks companies face.
Global Cybersecurity & Privacy Leader, US Cyber, Risk and Regulatory Leader, PwC US
Cyber, Risk and Regulatory Marketing Lead Partner, PwC US
Cyber & Privacy Innovation Institute Leader, PwC US