By: Andy Watkin-Child, Ted Dziekanowski
Introduction
The Securities and Exchange Commission (SEC) has a long-standing mission to protect investors (1), maintain fair, orderly, and efficient markets (2), and facilitate capital formation (3), a mission it has carried out for over 88 years for the ‘largest, most sophisticated and most innovative capital markets in the world’. It should therefore be no surprise that the SEC has now issued its final rule on cybersecurity (the “Final Rule”), effective 5th September 2023, affecting US domestic and foreign private issuers and the industry sectors covered by the Securities Exchange Act of 1934.
Board directors and officers of corporations have many obligations. These include a responsibility to determine and manage their organization’s strategic objectives; a fiduciary responsibility to shareholders to maximize the capital entrusted to them and to grow the business in line with those strategic objectives; and a responsibility to all stakeholders to manage risks to the organization’s financial statements. Those risks include cybersecurity, which has developed significantly over the past 10 years, leading to the introduction of cyber regulation that now includes the SEC final rule.
Digital data has become the most important resource of most firms. Data of all types is used for product design, development, operations, manufacturing, financial control, sales, marketing and human resources. That data resides both inside and outside a registrant, and flows between the registrant, its suppliers and its ICT providers. The risk of data theft, destruction or manipulation has become one of the most significant risks, and obligations, for boards of directors to manage. With the introduction of cybersecurity regulation, boards’ fiduciary obligations to manage data changed significantly: boards of directors and officers are accountable for establishing the governance that allows risk management processes to be created which identify, assess, treat and monitor risk, ensuring that data controlled by the corporation receives an appropriate level of protection for its Confidentiality, Integrity and Availability (CIA).
However, the SEC rule on cyber risk and incident reporting, along with developments in EU regulation (NIS 2 and the Digital Operational Resilience Act (DORA)), have greatly expanded the universe of firms that are required to demonstrate that they manage all material cyber risk and report incidents to regulators in a timely manner. Because of their prescriptive nature, these regulations raise two questions. Firstly, how much is enough to satisfy adequate compliance? Secondly, what assessment methodology provides adequate assurance to a reasonable investor, and for that matter to regulators, that covered entities are meeting their compliance obligations? This paper proposes, in the authors’ opinion, a possible solution which offers a treatment of the material cyber risks required by the SEC final rule and by European Union (EU) cybersecurity regulations, including EU NIS 2 and DORA.
Executive Summary
The SEC final rule requires registrants to demonstrate a robust and repeatable process for compliance, including governance, risk management, board oversight, assurance and attestation. The final rule is based upon the basic assumption that it is the responsibility of the registrant to determine its ‘material cyber risks’ and ‘material cyber incidents’, as viewed through the lens of a reasonable investor. It is the responsibility of the board, board subcommittees and accountable executives to understand and manage the effects of those risks on their business, on behalf of their stakeholders, and the SEC rule holds those groups accountable for their actions.
Cyber is a complex risk to manage: it touches all aspects of an organization’s financial statements and is now regulated by the SEC for covered registrants. In addition, from October 2024, EU Critical National Infrastructure (CNI) providers, Financial Institutions (FIs) and their ICT suppliers will also be required to comply with cybersecurity risk management regulations under EU NIS 2 and DORA, regulations that adopt similar language to the SEC final rule and require boards to demonstrate the cybersecurity risk management of their organization. The prescriptive nature of these regulations makes the determination of ‘adequate’ compliance difficult. There is no definition of adequate cited by the SEC (or by EU NIS 2 and DORA), so what does adequate look like?
The authors believe that adequacy can be demonstrated by adopting the frameworks and standards that already exist under US FISMA (Federal Information Security Modernization Act) regulation, regulation that adheres to Office of Management and Budget (OMB) Circular A-130. The OMB has responsibility for overseeing regulatory compliance of US Federal agencies and defines adequate security as ‘security commensurate with the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of information. This includes assuring that systems and applications used by the agency operate effectively and provide appropriate confidentiality, integrity, and availability, through the use of cost-effective management, personnel, operational, and technical controls.’
The SEC is required to comply with FISMA, which specifies the use of NIST guidance and the Federal Information Processing Standards (FIPS), including implementing NIST SP 800-37 and the recommended use of Cybersecurity Framework (CSF) Profiles. The SEC undergoes an annual FISMA audit, assessing its cybersecurity risk management compliance and maturity against 9 security domains: Risk Management, Supply Chain Risk Management, Configuration Management, Identity and Access Management, Data Protection and Privacy, Security Training, Information Security Continuous Monitoring, Incident Response, and Contingency Planning. Compliance is audited under the auspices of the Office of Inspector General, typically by a third-party auditor. The SEC is assessed against the FY 2022 Core Inspector General FISMA Metrics Evaluation Guide.
The question, then, is this. If the SEC manages cybersecurity risk using Federal cybersecurity risk frameworks and standards that can reasonably be considered ‘adequate’, is it reasonable to assume that a registrant which utilizes the same frameworks and standards, and the same assessment methodology, can demonstrate adequate compliance with the SEC rule? Is there then a reasonable argument to be made that such a registrant is adopting ‘adequate’ cybersecurity risk management, and by extension complying with the SEC final rule?
In our opinion the answer to this question is a qualified yes: ‘If it’s good enough for the Federal Government, it should be good enough for a registrant’. Cyber, however, is a complex risk to manage and regulatory compliance is a complex process, as we discuss in our papers ‘The regulatory cyber-risk elephant in the room, impacting the management of Federal cybersecurity’, ‘FISMA, RMF and DoDi 5000.90’ and ‘The Small Business Problem that must be addressed to secure Federal Government and the global Defense Industry Base (DIB)’. For many registrants the legal and compliance risks associated with the SEC final rule are significantly greater than the costs of compliance, and registrants have little choice but to comply.
Definitions and Considerations
The final rule is underpinned by three core tenets, used consistently throughout, that registrants are required to resolve in order to comply with the rule. These tenets are ‘Materiality’, ‘Reasonableness’ and ‘Adequacy’. The rule makes clear that the decisions registrants make to assess, report and remediate cybersecurity risks and cybersecurity incidents are based upon ‘materiality’, as determined by a ‘reasonable investor’. In our paper “The SEC Final Rule – Materiality, Adequacy, and the Role of a Reasonable Investor” we discuss in detail the definitions of ‘Materiality’, ‘Reasonable’ and ‘Adequate’ that a registrant should consider when complying with the final rule. As registrants identify, assess and mitigate material cybersecurity risks and incidents, they should consider the definition of ‘adequate’ carefully.
What does adequate look like?
No organization can economically mitigate every risk. Therefore, to comply with the SEC final rule, it is critical that registrants have a clear path to compliance: a path that demonstrates they have adopted an adequate level of cybersecurity risk management and mitigation, and one that could, in the worst case, be demonstrated in court should a registrant’s regulatory compliance ever be challenged. This requires a compliance program that can evolve as cybersecurity risk management and incident response evolve, incorporating lessons learned through continuous improvement.
It is reasonable to assume that, by aiming to comply with the same or similar frameworks and standards as the SEC, a registrant can argue that it is taking adequate and reasonable steps to comply in part with the final rule, prior to an evaluation of materiality, provided that compliance is delivered through a robust governance and Three Lines of Defense (3 LoD) framework for oversight, assurance, attestation and reporting.
A compliance road map should include:
Risk Management Culture
Cyber is an enterprise-wide risk. Cyber risks can originate from any occurrence that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems, whether internal or external to the registrant, authorized or not. What this means in practice is that a registrant must embed cybersecurity risk management into the culture of the organization: from senior leaders and executives, who provide the strategic vision, top-level goals and objectives for the organization and create strategic, financial and compliance risks; through mid-level leaders, who plan and execute the organization’s strategic vision and create and manage operational, legal and compliance risks; to individuals on the front lines operating the information systems that support the organization’s missions and business functions, who create operational, legal and compliance risks. Risk management is a comprehensive process that requires organizations to build a culture and the capabilities to:
- Frame risks: establish the context for risk-based decisions and governance.
- Assess risks: evaluate the threats and vulnerabilities the organization faces, to enable an adequate and economic response.
- Respond to risks: mitigate the assessed risks.
- Monitor risks: on a continual basis, to ensure continual risk mitigation.
- Drive an organizational culture that identifies, assesses, mitigates and reports risk without fear of reprisal.
Governance Framework
The SEC final rule requires registrants to:
- Describe the board’s oversight of risks from cybersecurity threats and, if applicable, “identify any board committee or subcommittee responsible” for such oversight and “describe the processes by which the board or such committee is informed about such risks.”
- Describe management’s role in assessing and managing the registrant’s material risks from cybersecurity threats, disclosing the management positions or committees “responsible for assessing and managing such risks, and the relevant expertise of such persons or members in such detail as necessary to fully describe the nature of the expertise.”
These are descriptions that registrants are required to disclose to the regulator, supported by the necessary data, and that the regulator and investors will use to take appropriate action as they assess a registrant’s ability to manage material cyber risks and incidents. Registrants will be required to demonstrate risk identification, assessment, control effectiveness, mitigation, oversight, assurance and attestation, which is best achieved through a robust governance process. Fig 2 outlines an appropriate model for the governance of cybersecurity risk management, one that includes the Three Lines of Defense. It articulates the relationships between, and the roles and responsibilities of, all internal and external compliance stakeholders. It is simple to understand and execute, and ensures that the appropriate information is provided to board sub-committees for the oversight and assurance of material cyber risks and material cyber incidents ahead of board attestation and submission to the regulator.

A Cybersecurity Risk Management Framework (RMF)
The rule requires registrants to disclose:
- The registrant’s processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes.
- Whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant, including its business strategy, results of operations, or financial condition and if so, how.
All organizations face risks, and an RMF provides a structure for managing them. The RMF provides visibility of risks and enables an organization to prioritize their management, put in place appropriate Plans of Action and Milestones (POA&M) to manage risk, and enable the organization’s leadership to understand the enterprise-wide risk factors that affect performance, enabling informed business decisions.
“FISMA and OMB A-130 require external providers handling federal information or operating systems on behalf of the federal government to meet the same security and privacy requirements as federal agencies. Also, the controls for systems processing, storing, or transmitting federal information are in contracts or other formal agreements. The RMF can be effectively used to manage supply chain risk”. The RMF defines a consistent, robust and repeatable process to achieve efficient, cost-effective cybersecurity risk management. The RMF:
- Facilitates effective communication between senior leaders and executives at the organization and mission/business process levels and system owners at the operational level
- Facilitates organization-wide identification of common controls and the development of organizationally tailored control baselines, reducing the workload on individual system owners and the cost of system development and asset protection
- Reduces the complexity of the information technology (IT) and operations technology (OT) infrastructure using Enterprise Architecture concepts and models to consolidate, optimize, and standardize organizational systems, applications, and services
- Reduces the complexity of systems by eliminating unnecessary functions and security and privacy capabilities that do not address security and privacy risk
- Enables the identification and prioritization of, and focuses resources on, the organization’s high value assets (HVA) that require increased levels of protection, taking measures commensurate with the risk to such assets
An organization that adopts an RMF such as NIST SP 800-37 Rev. 2 is required to ensure that it is prepared to implement a risk management life cycle and that it has: (1) clearly defined roles for executing the RMF; (2) a risk management strategy; (3) completed an organization-wide risk assessment; (4) adopted a tailored control baseline; (5) identified common controls available for inheritance; (6) a business impact assessment of its systems; and (7) adopted an organization-wide strategy for control effectiveness monitoring.
Disclosure, oversight, assurance and attestation
The final rule requires the boards of covered registrants to disclose a significant amount of information to the regulator, information that will be used by both the regulator and market participants to inform investment decisions and to challenge the allocation of capital made by the board to manage its material cyber risks and incidents. Cybersecurity risk management is a continuous process that feeds a registrant’s material cyber risk reporting through its 10-K submissions, and that identifies material cybersecurity incidents through the registrant’s cyber incident response and recovery processes and its 8-K submissions. At a minimum, the final rule requires boards of registrants to attest and disclose, amongst other things:
- The registrant’s processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes. (p.61)
- Whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant, including its business strategy, results of operations, or financial condition and if so, how. (p.63)
- Whether the registrant engages assessors, consultants, auditors or other third parties in connection with its cybersecurity, including whether and how the cybersecurity processes described in Item 106(b) have been integrated into the registrant’s overall risk management system or processes; whether the registrant engages assessors, consultants, auditors, or other third parties in connection with any such processes; and whether the registrant has processes to oversee and identify material risks from cybersecurity threats associated with its use of any third-party service provider. (p.63)
- The board’s oversight of risks from cybersecurity threats and, if applicable, “identify any board committee or subcommittee responsible” for such oversight and “describe the processes by which the board or such committee is informed about such risks.” (p.68)
- Management’s role in assessing and managing the registrant’s material risks from cybersecurity threats, requiring the disclosure of management positions or committees “responsible for assessing and managing such risks, and the relevant expertise of such persons or members in such detail as necessary to fully describe the nature of the expertise.” (p.69)
- The material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations. (p.184)
- Specific or technical information about its planned response to the incident or its cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail as would impede the registrant’s response or remediation of the incident. (p.185)
Disclosure requires registrants to assess, oversee, assure, attest and report sensitive information to the regulator, information that will also be used by market participants to evaluate a registrant’s cyber posture. The complexity of this process requires registrants to implement a robust process (Fig 4) for the continual identification and assessment of threats, vulnerabilities and associated cyber risks, the identification of appropriate controls to mitigate cyber risks, the testing of control effectiveness, the demonstration of risk mitigation, and the reporting of both material cyber risks and incidents to the regulator.
Cyber risk oversight and assurance is a continuous process. A registrant’s business strategy, financial performance, operations, cyber threats and cyber vulnerabilities change continually, requiring continual evaluation of its material cyber risks, risk mitigation and reporting, which enables the registrant to manage cyber risk mitigation and protect the organization from material cyber incidents. In the event of a material cyber incident, a registrant must also demonstrate that its incident response and recovery processes effectively manage the incident, as deemed necessary by a reasonable investor.
Conclusion
Cybersecurity risk management presents more challenges to an organization than any other form of security, and now it is regulated. In the case of the SEC final rule, that regulation requires registrants to have a clear understanding of the definitions of ‘Material’, ‘Reasonable’ and ‘Adequate’ as they relate to the registrant’s oversight, assurance and remediation of material cyber risks and material cyber incidents. The definitions of ‘materiality’, ‘reasonableness’ and ‘adequacy’ form the basis of the SEC final rule and the core tenets around which a registrant must demonstrate ‘adequate’ compliance. The final rule drives cybersecurity risk management into the board rooms of covered registrants, requiring boards to demonstrate the management of material risks, risk management whose adequacy, against the requirements set out in the final rule, a registrant may be called upon to demonstrate. However, with no definition of ‘adequate’, registrants are left to make their own judgment as to what adequate compliance is.
Adopting a framework or standard that is already recognized by US Federal agencies seems to be a practical route to compliance with the SEC final rule. The Risk Management Framework (RMF), along with CSF profiles, may support a registrant’s ability to demonstrate a reasonable level of assurance against the rule that is repeatable, scalable and capable of quantifiable improvement. A registrant that can demonstrate that it complies, or has started to comply, with a reasonable baseline of cybersecurity risk management, has a strategy to improve its cybersecurity maturity, and can report against agreed metrics is likely to be able to report adequate compliance to the SEC. Adopting frameworks and standards that are already recognized makes it easier for registrants to demonstrate adequacy of compliance, ‘as they are eating the same dog food as the SEC’. These frameworks and standards are also assessable in any jurisdiction where they are recognized, reducing the costs of oversight and assurance and setting common standards for compliance across the business. Organizations required to comply with the SEC final rule, EU NIS 2 and DORA face similar compliance requirements; adopting a standard approach to compliance is cost effective, reduces compliance complexity, and provides board subcommittees with the information necessary to oversee and assure cyber risk and for boards to attest cybersecurity risk compliance, consistently and repeatably.
Compliance with the final rule requires an organization to demonstrate that it understands and manages its material cyber risks and material cyber incidents, as we discuss in our paper “The SEC Final Rule – Materiality, Adequacy, and the Role of a Reasonable Investor”. That is best achieved through existing cyber risk management, cybersecurity and governance frameworks and standards, including the Three Lines of Defense. Compliance with the rule requires a registrant to be prepared to demonstrate that it has taken adequate steps, as seen by a reasonable investor, to address its material cyber risks and incidents, or face the potential of legal action from a regulator, an investor or a whistleblower. Forearmed is prepared.
References
- https://www.sec.gov/our-goals#:~:text=The%20SEC’s%20long%2Dstanding%20three,capital%20formation%E2%80%94remains%20its%20touchstone
- https://www.sec.gov/files/rules/final/2023/33-11216.pdf
- https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32022L2555&from=EN
- https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32022R2554&from=EN
- https://www.congress.gov/bill/113th-congress/senate-bill/2521
- https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/OMB/circulars/a130/a130revised.pdf
- https://www.sec.gov/files/fy-2022-independent-evaluation-sec-implementation-fisma-2014-report-no-574.pdf
- https://www.cisa.gov/sites/default/files/2023-01/fy_2022_core_ig_fisma_metrics_evaluation_guide_05-12-22.pdf
- https://augustagrp.com/fisma%2C-omb-and-the-rmf-1
- https://augustagrp.com/dodi-5000-90%2C-fisma%2C-scrm
- https://augustagrp.com/small-business-cyber-1
- https://www.linkedin.com/feed/update/urn:li:activity:7104312138407530496/
- https://csrc.nist.gov/pubs/sp/800/37/r2/final
- https://www.nist.gov/cyberframework/examples-framework-profiles
- https://www.nist.gov/cyberframework/perspectives#international