SEC Proposes New Cybersecurity Rules
Cybersecop

The SEC has proposed adding a new Item 106 to Regulation S-K and amending Forms 10-Q and 10-K so that public companies would have to provide periodic updates on previously disclosed cybersecurity incidents when a material change, addition or update has occurred.
Cyber-attacks are now common across all industries and sectors; however, the finance industry, fintech included, appears to be one of the sectors most targeted by cyber-attackers and cyber criminals. In 2021, according to Statista, the finance industry ranked as the second-largest target for cyber-attacks, being targeted four times more often than healthcare and almost nine times more often than government. Although most organizations in the finance industry have built formidable security programs, inbound threats have also become far more frequent and sophisticated, and organizations are breached every day. According to J Makas at ThinkAdvisor.com, by 2023 an estimated 33 billion accounts will be affected by cyber-attacks targeting the financial sector.
SEC IN RESPONSE TO RISING THREATS
The Securities and Exchange Commission (SEC), in response to these rising threats and to concerns voiced about the industry's lack of preparedness for advanced cyber-threats, has proposed new rules aimed at standardizing and expanding cyber-reporting by public companies, including those in the finance industry. The rules, proposed on March 9, 2022, would require public companies to make prescribed cybersecurity disclosures. The proposal is intended to protect investors and strengthen their ability to evaluate public companies' cybersecurity practices and incident reporting. It covers IT risk management, cyber-incident reporting and cyber-risk disclosure, and would make cybersecurity a core component of overall enterprise risk management.
The proposed rules expand on the SEC's previous guidance from 2011 and 2018. They would make mandatory both the reporting of material cybersecurity incidents, including updates on previously reported incidents, and ongoing disclosure of a company's governance, risk management and strategy with respect to cybersecurity risks, including the board's cybersecurity expertise and its oversight of those risks.
Specifically, the new rules would add a cybersecurity-incident item to Form 8-K, requiring organizations to disclose material cybersecurity incidents and the risks they identify. The information required on the Form 8-K would cover (a) the timing of the incident and whether it is resolved or ongoing, (b) brief details of the nature and scope of the incident, (c) a report on any affected data, even where the data was not exfiltrated, (d) the effect of the incident on the organization's operations, and (e) information on remediation activity. One notable point is that the actual date on which the incident began would be required, not just the date on which it was discovered.
REQUIRE COMPANIES TO DISCLOSE
The new rules would also require companies to disclose the following in Form 10-K:
· Does the company have a cybersecurity risk assessment program and, if so, what does that program consist of;
· Does the company engage assessors, consultants, auditors or other third parties in connection with any cybersecurity risk assessment program;
· Does the company have policies and procedures to oversee and identify the cybersecurity risks associated with its use of any third-party service provider (including, but not limited to, providers that have access to the company's customer and employee data), including whether and how cybersecurity considerations affect the selection and oversight of these providers, and the contractual and other mechanisms the company uses to mitigate cybersecurity risks related to these providers;
· Does the company undertake activities to prevent, detect and minimize the effects of cybersecurity incidents;
· Does the company have business continuity, contingency and recovery plans in the event of a cybersecurity incident.
About the Creator
Farookriaz - SEO Roamsoft
I'm an SEO Analyst at Roamsoft Technologies.