Shifting corporate cyber risk treatment and its impact on boards and board governance
The final rule requires U.S. domestic and Foreign Private Issuers (FPI) subject to the Securities and Exchange Act 1934 to disclose material cyber risks and material cyber incidents important to investors, from December 2023. To meet these requirements, registrants are compelled to define materiality and 'adequate' cybersecurity risk management compliance with sufficient detail to satisfy a reasonable investor. Registrants are required to demonstrate to the regulator and to investors that they have the necessary risk management processes and appropriate board and board subcommittee governance, oversight and assurance of material cyber risks and material cyber incidents.
The final rule requires registrants to: identify the board committees or subcommittees responsible for the oversight of material cyber risks and material cyber incidents; publish their cyber risk management processes; describe the processes by which the board or subcommittees are informed of material cyber risk; describe management's role in assessing and managing the registrant's material risks; disclose the management positions and the relevant committee members' expertise in overseeing and assuring cyber risks; and provide investors with enough information to make informed judgements as to the effects of material cyber risks and material cyber incidents, with sufficient detail to satisfy a reasonable investor.
Registrants cannot secure every material cyber risk. Therefore, adopting 'adequate' compliance with the rule is the more appropriate approach. This can be achieved by drawing on existing cybersecurity and risk management frameworks and standards, such as the Risk Management Framework (RMF) and the Federal Information Processing Standards (FIPS) required under the Federal Information Security Modernization Act (FISMA) and adopted by Federal Agencies including the SEC. To further address corporate governance, registrants should consider implementing a Three Lines of Defence (3 LoD) operating model that integrates, through good corporate governance, the functions that create cyber risk (1st line), risk management (2nd line) and audit (3rd line). Internal and external general counsel should be used to create a robust legal compliance program.
Regulatory compliance starts in December 2023, when registrants are required to demonstrate that they can manage, oversee and assure cybersecurity risks and incidents. The data provided to capital markets can then be used to evaluate boards' and accountable executives' ability to manage their organizations' cybersecurity risks and incidents. What is unknown at this time are the consequences of failing to report material risks or material incidents with sufficient detail to enable a reasonable investor to make an investment decision. What is known today is that the SEC's record of regulatory enforcement, together with the statistics on cyber-attack frequency, complexity and severity, make it more likely that corporate cybersecurity risk management will be challenged for adequacy.