5 September 2023
By: Andy Watkin-Child, Ted Dziekanowski, Rachel V. Rose, & Bob Dix
What board, board sub-committees and responsible executives need to know about the final rule.
Introduction
The Securities and Exchange Commission’s (SEC) cybersecurity risk management final rule (“final rule” or “rule”)[1] is effective 5 September 2023. The rule will have a profound impact on many organizations, not just publicly traded companies subject to the jurisdiction of the SEC. The long-standing mission of the SEC is three-fold[2]: (1) to protect investors, (2) to maintain fair, orderly, and efficient markets, and (3) to facilitate capital formation. It is a mission the SEC has carried out for over 88 years, for the ‘largest, most sophisticated and most innovative capital markets in the world’.
The final rule sits alongside the established legislative and regulatory provisions included in Sarbanes-Oxley for financial materiality, the NYDFS cybersecurity regulations, the Basel Accords for risk management, EU NIS 2 for the cybersecurity risk management of Critical National Infrastructure (CNI), EU DORA for the cybersecurity risk management of Financial Institutions (FI) and ICT suppliers, in some circumstances FISMA, and a host of regulations focused on PII and PHI security. Taken together, the requirements for responsibility and accountability around cybersecurity risk management establish equivocality regarding cybersecurity risk management and the consequences for failure to comply.
This White Paper examines the various requirements established by the SEC rule and the considerations registrants will find necessary in developing and implementing a plan to meet and sustain regulatory compliance. The paper also highlights the need for aggressive action to drive international harmonization of the various cybersecurity laws and regulations, which is necessary to improve cybersecurity and critical infrastructure protection and resilience globally while minimising the impact of cyber risk management regulation on corporate capital allocation.
Executive Summary
The final rule requires U.S. domestic and Foreign Private Issuers (FPI) subject to the Securities Exchange Act of 1934 to disclose material cyber risks and material cyber incidents important to investors, from December 2023. To meet these requirements registrants are compelled to define ‘materiality’ and ‘adequate’ cybersecurity risk management compliance with sufficient detail to satisfy a ‘reasonable investor’. Registrants are required to demonstrate to the SEC and investors that they have the necessary risk management processes and appropriate board and board subcommittee governance, oversight and assurance of material cyber risks and material cyber incidents.
The final rule requires registrants to: identify board committees or subcommittees responsible for the oversight of material cyber risks and material cyber incidents; publish their cyber risk management processes and the processes by which the board or subcommittees are informed of material cyber risk; describe management’s role in assessing and managing the registrant’s material risks; disclose the management positions, and the expertise of the relevant committee members, used to oversee and assure cyber risks; and provide investors with enough information to make valued judgements as to the effects of material cyber risk and material cyber incidents, with sufficient detail to satisfy a reasonable investor.
Registrants cannot secure against every material cyber risk. Therefore adopting ‘adequate’ compliance with the rule is more likely to be appropriate. This can be achieved through consideration of existing cybersecurity and risk management frameworks and standards, such as the Risk Management Framework (RMF) and the Federal Information Processing Standards (FIPS) required under the Federal Information Security Modernization Act (FISMA) and adopted by Federal Agencies including the SEC[3]. To further address corporate governance, registrants should consider implementing a Three Lines of Defence (3 LoD) Target Operating Model (TOM) that integrates, through good corporate governance, the functions that create cyber risk (1st Line), Risk Management (2nd Line) and Audit (3rd Line), and that uses internal and external audit and General Counsel to create a robust legal compliance program.
Regulatory compliance starts in December 2023, when registrants are required to demonstrate that they can manage, oversee and assure cybersecurity risks and incidents. The data provided to capital markets can then be used to evaluate the ability of the board, board subcommittees and accountable executives to manage their organization’s cybersecurity risks and incidents. What is unknown at this time are the consequences of failing to report material risks or material incidents with sufficient detail to enable a reasonable investor to make an investment decision. What is known today is the SEC’s record of regulatory enforcement[4], and the statistics on cyber-attack frequency, complexity and severity, which make it more likely that corporate cybersecurity risk management will be challenged for adequacy.
Notable Dates
The final rule was issued on July 26th, 2023, published in the Federal Register on August 4th, 2023, and is effective September 5th, 2023. Important dates are:
- Material cyber risk disclosures in compliance with Item 106 of Regulation S-K, beginning with annual reports for fiscal years ending on or after December 15th, 2023.
- Material incident disclosures on Form 8-K and Form 6-K will be required 90 days after the date of publication in the Federal Register, or December 18th, 2023, whichever is later.
- Smaller reporting companies will be given an additional 180 days to comply with Item 1.05 of Form 8-K, reporting 270 days after the date of publication in the Federal Register or June 15th, 2024, whichever is later.
Important Definitions and Considerations
The final rule is underpinned by three core tenets that registrants are required to resolve: ‘Material’, ‘Reasonable’ and ‘Adequate’. The rule makes clear that the decisions registrants make to assess, report and remediate cybersecurity risks and cybersecurity incidents are based upon ‘materiality’, as it is determined by a ‘reasonable investor’. For registrants to identify, assess and mitigate material cybersecurity risks, they should also consider the definition of ‘adequate’: as it is not economically viable to mitigate all cyber risks, registrants should consider what is adequate when attesting regulatory compliance.
Materiality
The material impact of a cyber incident on a registrant is central to the determination of whether to notify the SEC (Form 8-K)[5] of the incident. Materiality is a key qualifier in determining whether any risk from cybersecurity threats (including as a result of any previous cybersecurity incidents) has affected or is ‘reasonably’ likely to affect a registrant.
The SEC affirmed that the definition of materiality applied by registrants should be consistent with that set out in cases addressing materiality in securities laws, including TSC Industries, Inc. v. Northway, Inc.,[6] Basic, Inc. v. Levinson,[7] and Matrixx Initiatives, Inc. v. Siracusano,[8] and likewise with that set forth in 17 CFR 230.405 (“Securities Act Rule 405”)[9] and 17 CFR 240.12b-2 (“Exchange Act Rule 12b-2”)[10]. The law, whether affirmed by the Supreme Court or maintained in regulations, indicates that “information is material if ‘there is a substantial likelihood that a reasonable shareholder would consider it important’ in making an investment decision, or if it would have “significantly altered the ‘total mix’ of information made available[6].” (Final rule P. 15).
Reasonable
The final rule makes clear that information is material if there is a substantial likelihood that a ‘reasonable’ investor would consider it important (p.15 final rule). Materiality determinations must be made ‘without unreasonable delay’, and registrants are required to describe their processes for assessing, identifying, and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes and risks (p. 61 final rule, as issued on Jul. 26, 2023).
Reasonable and reasonableness are difficult to attribute[11],[12], and to comply with the final rule the term ‘reasonable investor’ is important. As articulated by Professor Rose[12], Federal securities laws place a heavy reliance on a variant of the reasonable person, the so-called ‘Reasonable Investor’, adopted by the Supreme Court in TSC Indus. v. Northway and subsequently in Basic v. Levinson. Professor Rose makes clear that there are ‘snippets of judicial guidance on the reasonable investor’s characteristics that do exist. Case law instructs that “the reasonable investor grasps market fundamentals”. In addition, the “Supreme Court tells us that courts should not treat reasonable investors like ‘nitwits’ and ascribe to them ‘child-like simplicity,’” and “courts have stated disclosure should not be tailored to ‘what is fit for rubes’.” Moreover, certain materiality doctrines which have developed in the lower courts assume that reasonable investors: discount sales talk; if given certain pieces of information, can and will perform mathematical calculations to determine the bottom line; and consider the context surrounding a statement in determining its import’.
Adequate
The final rule requires registrants to disclose information that allows investors to gain an ‘adequate’ understanding of the impact of a cyber incident and to make decisions on incident ‘materiality’. The registrant is required to provide up-to-date disclosures on its preparations for ‘adequate cyber security risk management’. Registrants must also contend with the fact that it is not economically viable to mitigate all cyber risks, yet must demonstrate adequate cyber risk management compliance for their business. No definition of ‘adequate’ is cited by the SEC, so the authors default to the Dictionary Act of 1871[13] and take the legal definition of adequate as ‘Sufficient; Proportionate; Equally Efficient’[14].
Adequacy might be demonstrated through the use of existing Federal cyber regulation. Federal information security regulation OMB A-130[15], which underpins the Federal Information Security Modernization Act (FISMA), defines adequate security as ‘security commensurate with the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of information. This includes assuring that systems and applications used by the agency operate effectively and provide appropriate confidentiality, integrity, and availability, through the use of cost-effective management, personnel, operational, and technical controls.’ The SEC is required to comply with FISMA 2014[16], implementing NIST SP 800-37 and a Cybersecurity Framework (CSF) Profile. The DoD also requires defense contractors and sub-contractors to comply with DFARS 252.204-7012[17] and implement NIST SP 800-171, setting an adequate level of cybersecurity compliance to secure covered defense information. Adopting the same regulations as those expected of Federal Agencies demonstrates a reasonable and, in the authors’ opinion, adequate level of cybersecurity compliance, and sets a baseline of reasonable and adequate cybersecurity risk management compliance.
Cybersecurity Incident
Means an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.
Cybersecurity Threat
Means any potential unauthorized occurrence on or conducted through a registrant’s information systems that may result in adverse effects on the confidentiality, integrity or availability of a registrant’s information systems or any information residing therein.
Information System
Means electronic information resources, owned or used by the registrant, including physical or virtual infrastructure controlled by such information resources, or components thereof, organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of the registrant’s information to maintain or support the registrant’s operations.
‘Left of Bang’ & ‘Right of Bang’
The final rule transfers cybersecurity risk management compliance into the board rooms of registrants, formalising requirements for the management of cyber risk. It transfers the treatment of risk from cyber incident response (more often covered by cyber insurance) to cyber risk mitigation, used to treat the effects of cyber risks and the potential effects of cyber incidents before they occur.
‘Left of Bang’ – It is economically and operationally more beneficial for an organisation to reduce the impact of a cyber-attack affecting the organisation through cyber risk management, rather than to deal with the consequences of an attack if and when it occurs. Cyber regulation such as the final rule requires covered entities to demonstrate proactive management of cyber risks, so that the effects of a cyber-attack are reduced to an acceptable and manageable level within the risk appetite of the organisation.
‘Right of Bang’ – Once an organisation recognises that it is undergoing a cyber-attack, it instigates an incident response process to manage the effects of the cyber-attack, adopting a ‘Right of Bang’, or reactive, approach to managing the effects of the cyber-attack on behalf of its stakeholders.
The ruling requires registrants to apply proactive identification, assessment and mitigation of cyber risks to prevent or reduce the impact of a cyber-attack (‘Left of Bang’), ahead of cyber incident response and recovery (‘Right of Bang’)[18].
The SEC Final Rule – Final Amendments and Implications for Registrants
The final rule focuses on regulating registrants’ cybersecurity risk management both ‘Left’ and ‘Right of Bang’. It requires registrants to report their material cybersecurity risks, governance, risk management processes, and oversight and assurance of material cyber risks (‘Left of Bang’), and material cyber incidents once a materiality determination has been made (‘Right of Bang’). The SEC wants investors to be provided with information that is uniform, comparable and easy to locate, and believes this will not happen without the publication, oversight and enforcement of new rules.
The rule adopts requirements for registrants to address:
Risk Management and Strategy
- The SEC is adopting 17 CFR 229.106(b)(1) (Regulation S-K “Item 106(b)(1)”)[19], requiring a description of “the registrant’s processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes.” (Final rule P.61)
- Registrants are also required to disclose: the SEC is adopting 17 CFR 229.106(b)(2) (Regulation S-K “Item 106(b)(2)”)[19], a description of “[w]hether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant, including its business strategy, results of operations, or financial condition and if so, how.” (Final rule P.63)
- Use of Consultants, Auditors or 3rd Parties – The final rule requires registrants to disclose whether they engage assessors, consultants, auditors or other third parties in connection with their cybersecurity. (Final rule P.63)
Discussion
17 CFR 229.106(b)(1) (Regulation S-K “Item 106(b)(1)”)
- The word ‘processes’ aims to avoid the disclosure of the operational details of an organisation’s cybersecurity risk management. The SEC still expects the disclosure to allow investors to ascertain a registrant’s cybersecurity practices, such as whether they have a risk assessment program in place, with sufficient detail for investors to understand the registrant’s cybersecurity risk profile.
- The term ‘managing material risk’ is used for an investor to ascertain whether a registrant has adopted processes to identify, qualify and mitigate material cybersecurity risks.
- The ‘materiality’ qualifier added to the management of ‘risks from cybersecurity threats’ is used to elevate the level of risk that a registrant is expected to assess and report to that which a ‘reasonable investor’ would expect to know.
- The SEC has made clear that the enumerated elements a registrant should address in its Item 106(b) disclosure, as applicable, include but are not limited to (Final rule P. 63):
- Whether and how the described cybersecurity processes in Item 106(b) have been integrated into the registrant’s overall risk management system or processes.
- Whether the registrant engages assessors, consultants, auditors, or other third parties in connection with any such processes; and
- Whether the registrant has processes to oversee and identify material risks from cybersecurity threats associated with its use of any third-party service provider.
17 CFR 229.106(b)(2) (Regulation S-K “Item 106(b)(2)”)
- The term ‘materially affected or are reasonably likely to materially affect’ requires registrants to assess the material risks that have affected or are reasonably likely to affect the registrant, including the effects of previous cyber incidents. This extends the material risk assessment process to include the possible effects of cyber threats and previous incidents over a future time horizon.
- Including the term ‘business strategy, results of operations, or financial condition’ requires a registrant to consider the effects of a material cyber risk on the organisation’s business strategy, operational and financial performance, as far as a reasonable investor sees it.
Disclosure of third-party consultants
The disclosure of a registrant’s advisors, auditors and third-party connections is intended to inform investors of the level of a registrant’s in-house versus outsourced cybersecurity capacity.
Governance
The oversight, assurance and attestation of material cybersecurity risks and material incidents is the responsibility of the registrant’s board, board subcommittees and management. The final rule requires registrants to:
- 17 CFR 229.106(c)(1) (Regulation S-K “Item 106(c)(1)”)[19] (Final rule P.68): “[d]escribe the board’s oversight of risks from cybersecurity threats,” and, if applicable, “identify any board committee or subcommittee responsible” for such oversight, and “describe the processes by which the board or such committee is informed about such risks.”
- 17 CFR 229.106(c)(2) (Regulation S-K “Item 106(c)(2)”)[19] (Final rule P.69): registrants must “[d]escribe management’s role in assessing and managing the registrant’s material risks from cybersecurity threats,” requiring the disclosure of management positions or committees “responsible for assessing and managing such risks, and the relevant expertise of such persons or members in such detail as necessary to fully describe the nature of the expertise.”
Discussion
- The addition of 17 CFR 229.106(c)(1) has a considerable effect on the role of the board, board subcommittees and accountable executives in the oversight, assurance and attestation of material cybersecurity risks and material cyber incidents. Registrants should ensure that appropriate board and subcommittee reporting of material cyber risks and incidents is in place to oversee, assure and attest cybersecurity threats and incidents, through appropriate governance processes such as those adopted by covered Financial Institutions under the Basel Accords, which include the Three Lines of Defence (3 LoD) Framework.
- In describing the processes by which the board or subcommittees are informed about material cyber risks, registrants are required to disclose information that balances investors’ need to understand a registrant’s governance of risks from cybersecurity threats, in sufficient detail to inform an investment or voting decision. (Final rule P.70)
- The addition of 17 CFR 229.106(c)(2), as adopted, directs registrants to disclose management’s role in assessing and managing a registrant’s material risks from cyber threats, and the relevant expertise of such persons or members in such detail as necessary to fully describe the nature of the expertise. This places responsibility and accountability on management and management committees to ensure that they have the necessary expertise to oversee and assure material cyber risks and incidents ahead of reporting these to the board. In considering management’s role, registrants should address (Final rule P. 70):
- Whether and which management positions or committees are responsible for assessing and managing such risks, and the relevant expertise of such persons or members in such detail as necessary to fully describe the nature of the expertise.
- The processes by which such persons or committees are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents; and
- Whether such persons or committees report information about such risks to the board of directors or a committee or subcommittee of the board of directors.
Disclosure by Foreign Private Issuers (FPIs)
Foreign Private Issuers are required to complete Form 20-F[20] and Form 6-K[21], which have been modified consistent with 17 CFR 229.106 (Regulation S-K “Item 106”)[16] and Item 1.05 of Form 8-K[3]. The existing language of Form 6-K is modified to include the term ‘material cybersecurity incident’. (Final rule P. 85)
Discussion
- Cyber risks and cyber incidents affecting FPIs are no less important to investors’ capital allocation than those of U.S. domestic registrants, so FPIs are required to declare the same level of information to the SEC as that provided by U.S. domestic registrants.
- By including FPIs in scope of the final rule the SEC increases the global scope of compliance of covered registrants.
- The SEC makes clear that organisations subject to the EU Markets Abuse Regulation (MAR) will have developed relevant information for foreign disclosure under the MAR. Canadian filers are subject to the Canadian Securities Administrators (2017) guidance on the disclosure of cybersecurity risks and incidents. (Final rule P. 87).
Disclosure of Cybersecurity Incidents – Current Reports
It is the view of the SEC that investors need timely, standardised disclosure regarding cybersecurity incidents that materially affect a registrant’s business, that this need is not addressed by existing regulation, and that existing regulation is not yielding consistent and informative disclosure of cyber incidents by registrants. Item 1.05 of Form 8-K[3] will require registrants to:
‘describe the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.’ (P.184)
Item 1.05 of Form 8-K[3] will clarify that registrants need not:
‘disclose specific or technical information about its planned response to the incident or its cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail as would impede the registrant’s response or remediation of the incident.’ (P.185)
Discussion
- The inclusion of the term ‘reasonably likely material impact’ increases the scope of material assessment to include the likely current or future effects of a material incident, as far as a reasonable shareholder may see them.
- The SEC’s inclusion of “financial condition and results of operations” is not exclusive; companies should consider qualitative factors alongside quantitative factors in assessing the material impact of an incident. A registrant should have the information available to disclose under the rule as part of conducting the materiality determination, including consideration of the financial, sales, brand, customer, operational, regulatory, legal and market impact of a cybersecurity incident.
- The SEC balances the needs of investors with the requirements of registrants: registrants must determine the material effects of a cyber incident and provide enough information for investors to make a materiality determination, without providing sensitive information on the incident.
- Whether an incident is material is not contingent on where the relevant electronic systems reside or who owns them, as far as a reasonable investor sees it. Registrants are not exempted from providing disclosures regarding cybersecurity incidents on third-party systems they use, nor is a safe harbour provided for information disclosed about third-party systems. (P. 30)
Filing a Material Cyber Incident Report?
In filing a material cyber security incident disclosure under Item 1.05 of Form 8-K registrants should consider:
- If the registrant experiences a cybersecurity incident that is determined by the registrant to be material, describe the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations. (P. 184)
- A registrant shall provide the information required by this Item in an Interactive Data File in accordance with Rule 405 of Regulation S-T and the EDGAR Filer Manual.
- Notwithstanding General Instruction B.1. to Form 8-K, if the United States Attorney General determines that disclosure required by paragraph (a) of this Item 1.05 poses a substantial risk to national security or public safety, and notifies the Commission of such determination in writing, the registrant may delay providing the disclosure required by this Item 1.05 for a time period specified by the Attorney General, up to 30 days following the date when the disclosure required by this Item 1.05 was otherwise required to be provided. Disclosure may be delayed for an additional period of up to 30 days if the Attorney General determines that disclosure continues to pose a substantial risk to national security or public safety and notifies the Commission of such determination in writing. In extraordinary circumstances, disclosure may be delayed for a final additional period of up to 60 days if the Attorney General determines that disclosure continues to pose a substantial risk to national security and notifies the Commission of such determination in writing. Beyond the final 60-day delay under this paragraph, if the Attorney General indicates that further delay is necessary, the Commission will consider additional requests for delay and may grant such relief through Commission exemptive order.
- Notwithstanding General Instruction B.1. to Form 8-K, if a registrant that is subject to 47 CFR 64.2011 is required to delay disclosing a data breach pursuant to such rule, it may delay providing the disclosure required by this Item 1.05 for such period that is applicable under 47 CFR 64.2011(b)(1) and in no event for more than seven business days after notification required under such provision has been made, so long as the registrant notifies the Commission in correspondence submitted to the EDGAR system no later than the date when the disclosure required by this Item 1.05 was otherwise required to be provided.
Discussion
- The determination of material is critical to the registrant in deciding whether to report and what to report to the SEC. Considering the material impact or likely material impact is an important consideration.
- The SEC has addressed concerns raised over the reporting of cyber incidents and their potential effect on national security. The rule adopts a delay provision in cases where disclosure poses a substantial risk to national security or public safety.
- If the Attorney General determines that the disclosure poses a substantial risk to national security or public safety and notifies the Commission of such determination in writing, the disclosure may be delayed in successive periods, by up to 30, 60 or 120 days in total, for as long as it is deemed to pose a substantial risk to national security.
Disclosure of Cybersecurity Incidents – Periodic Reports
Updates to incident disclosure have been addressed through an amendment to Instruction 2 of Item 1.05 of Form 8-K, directing the registrant to include in its Item 1.05 Form 8-K a statement identifying any information called for in Item 1.05(a) that was not available, and to file an amended Form 8-K. This reflects that cyberattacks sometimes compound over time, rather than presenting as a discrete event. Instruction 2 states:
‘To the extent that the information called for in Item 1.05(a) is not determined or is unavailable at the time of the required filing, the registrant shall include a statement to this effect in the filing and then must file an amendment to its Form 8-K filing under this Item 1.05 containing such information within four business days after the registrant, without unreasonable delay, determines such information or within four business days after such information becomes available.’
Discussion
- New information on a reported cyber incident will become available over time. Instruction 2 of Item 1.05 directs companies to file an amended Form 8-K with respect to information called for in Item 1.05(a) of Form 8-K that was not determined or was unavailable at the time of the initial Form 8-K filing.
- Registrants are reminded that they have a duty to correct prior disclosures that the registrant determines are untrue or omitted material facts, so as not to make the disclosure misleading, and a duty to update disclosure that becomes materially inaccurate after it is made.
- When a registrant finds that it has been materially affected by what may appear as a series of related cyber intrusions, Item 1.05 may be triggered even if the material impact or reasonably likely material impact could be parcelled among the multiple intrusions to render each by itself immaterial.
Conclusion
The SEC cyber rule is a cybersecurity regulation that is both global in scope and industry sector agnostic. The rule focuses on both ‘Left and Right of Bang’. Setting out requirements for reporting both material cyber risks and material cyber incidents. Driving cybersecurity risk management into the board rooms of covered registrants. While the SEC removed some requirements from the March 2022 proposal, the effect of the final ruling on registrants remains relatively unchanged. With both U.S domestic and Foreign Private Issuers facing significant compliance challenges. They are required to report material cyber risks and material cyber incidents as expected by a ‘reasonable investor’ to the regulator. Cyber risks and cyber incidents that require a registrant to have appropriate cyber risk management processes; governance; reporting and remediation; to identify appropriate board subcommittees; the cyber experience of the management that assess cyber risks and incidents; and the processes by which boards are informed of material cyber risk and incidents. Information that investors can use, should they choose to question the role of the board in the oversight and assurance of cybersecurity risk management and incidents.
The three tenets a covered registrant should address to comply with the final rule are ‘materiality’, ‘reasonableness’ and ‘adequacy’. Assessing and mitigating material cyber risks and assessing and managing material cyber incidents as seen by a reasonable investor, is critical to complying to the final rule.
The first challenge covered registrants face is defining materiality, for which there is case law. However, as the rule discusses, materiality is not just defined as a short-term measure, it can also include the medium and longer-term effects of cyber incidents including loss of customers, the effects on an organisations brand, the theft of critical IP that is the basis of product development, or the longer-term effects of civil and criminal liabilities and regulatory penalties, that can affect cashflow. Along with materiality comes an understanding of the role of a reasonable investor, for which there is little case law. Defining who is a reasonable investor, their expectations of an organisation and the bar a reasonable investor sets for materiality, is a further challenge that has to be defined by a registrant.
The final tenet is ‘adequacy’, and what constitutes adequate management of cybersecurity risks. The SEC must itself comply with the U.S. FISMA law, which sets out requirements for cyber risk management under NIST SP 800-37r2; that publication references NIST Cybersecurity Framework (CSF) profiles and uses NIST SP 800-53r5 security controls as a baseline. The SEC itself undergoes an annual FISMA audit[22] by the Office of the Inspector General, which uses the FY 2023 CIO FISMA metrics defined by CISA[23] to assess the SEC’s cybersecurity maturity against 9 compliance domains. The final rule requires registrants to have a clear understanding of all their physical and logical cyber assets, potentially including those within their supply chains. Those digital assets include data held on premises and off premises, applications, APIs and infrastructure as code. The awareness of all digital assets creates an interesting paradox: a registrant must know about its assets before it can attest to cybersecurity risk management.
The prescriptive nature of the SEC ruling makes it difficult to recommend with any degree of certainty what the SEC will judge as adequate, pending enforcement action against a registrant. However, utilising a cybersecurity risk management framework approach similar to that used by the SEC would seem to provide a reasonable and defensible baseline for adequately meeting regulatory compliance.
Finally, SEC registrants should pay attention to the regulatory landscape ahead for cybersecurity risk management and the need to consider harmonisation of regulatory compliance. The EU is moving ahead with cybersecurity regulations for Critical National Infrastructure (CNI) providers (EU NIS 2) and Financial Institutions (Digital Operational Resilience Act (DORA)). The U.S. Department of Defense (DoD) requires contractors and subcontractors covered by contracts that include DFARS 252.204-7012, 7019 and 7020 to comply with the NIST SP 800-171 cybersecurity standard or risk losing a contract. In each case, the cyber regulation requires covered entities to implement requirements similar to those set out by the SEC cyber rule: requirements that increase the legal and compliance risks for members of the boards of covered entities, which could include civil and/or criminal liabilities, while creating cost-of-compliance challenges.
[1] https://www.sec.gov/files/rules/final/2023/33-11216.pdf
[2] https://www.sec.gov/our-goals#:~:text=The%20SEC’s%20long%2Dstanding%20three,capital%20formation%E2%80%94remains%20its%20touchstone.
[3] https://www.sec.gov/files/fy-2022-independent-evaluation-sec-implementation-fisma-2014-report-no-574.pdf
[4] https://www.sec.gov/news/press-release/2022-206#:~:text=The%20Securities%20and%20Exchange%20Commission,increase%20over%20the%20prior%20year.
[5] https://www.sec.gov/files/form8-k.pdf
[6] https://supreme.justia.com/cases/federal/us/426/438/
[7] https://supreme.justia.com/cases/federal/us/485/224/
[8] https://supreme.justia.com/cases/federal/us/563/27/
[9] https://www.ecfr.gov/current/title-17/chapter-II/part-230
[10] https://www.ecfr.gov/current/title-17/chapter-II/part-240
[11] https://corpgov.law.harvard.edu/2016/10/13/the-reasonable-investor-of-federal-securities-law/
[12] https://jcl.law.uiowa.edu/sites/jcl.law.uiowa.edu/files/2021-08/Rose_Final_Web.pdf
[13] https://www.yalelawjournal.org/forum/hobby-lobby-and-the-dictionary-act
[14] https://thelawdictionary.org/adequate/
[15] https://georgewbush-whitehouse.archives.gov/omb/circulars/a130/a130appendix_iii.html
[16] https://www.congress.gov/bill/113th-congress/senate-bill/2521
[17] https://www.acquisition.gov/dfars/252.204-7012-safeguarding-covered-defense-information-and-cyber-incident-reporting
[18] https://augustagrp.com/left-of-bang-cyber-2-0
[19] https://www.ecfr.gov/current/title-17/chapter-II/part-229
[20] https://www.sec.gov/files/form20-f.pdf
[21] https://www.sec.gov/files/form6-k.pdf
[22] https://www.sec.gov/files/fy-2022-independent-evaluation-sec-implementation-fisma-2014-report-no-574.pdf
[23] https://www.cisa.gov/sites/default/files/2023-06/FY23_FISMA_CIO_Metrics_v2_May-2023-Final_508.pdf