Complying to the SEC Final Cyber Rule

By: Andy Watkin-Child, Ted Dziekanowski

Introduction

The Securities and Exchange Commission (SEC) has a long-standing mission to protect investors (1), maintain fair, orderly, and efficient markets (2), and facilitate capital formation (3), a mission it has carried out for over 88 years for the ‘largest, most sophisticated and most innovative capital markets in the world’. It should therefore be no surprise that the SEC has now issued its final rule on cybersecurity (the “Final Rule”), effective 5 September 2023, affecting US domestic and foreign private issuers and the industry sectors covered by the Securities Exchange Act of 1934.

Board directors and officers of corporations have many obligations. These include a responsibility to determine and manage their organization’s strategic objectives; a fiduciary responsibility to shareholders to maximize the capital entrusted to them and grow the business in line with those objectives; and a responsibility to all stakeholders to manage risks to the organization’s financial statements. Those risks include cybersecurity, which has developed significantly over the past 10 years and has led to the introduction of cyber regulation that now includes the SEC final rule.

Digital data has become the most important resource of most firms. Data of all types is used for product design, development, operations, manufacturing, financial control, sales, marketing and human resources, and it resides both inside and outside a registrant, shared with its suppliers and ICT providers. The risk of data theft, destruction or manipulation has become one of the most significant risks and obligations for boards of directors to manage. With the introduction of cybersecurity regulation, boards’ fiduciary obligations to manage data changed significantly: boards of directors and officers are accountable for establishing the governance that allows risk management processes to identify, assess, treat and monitor risk, ensuring that data controlled by the corporation has an appropriate level of protection for its confidentiality, integrity and availability (CIA).

However, the SEC rule on cyber risk and incident reporting, along with developments in EU regulation (NIS 2 and the Digital Operational Resilience Act (DORA)), has greatly expanded the universe of firms required to demonstrate that they manage all material cyber risk and report incidents to regulators in a timely manner. Because of their prescriptive nature, these regulations raise two questions. Firstly, how much is enough to satisfy adequate compliance? Secondly, what assessment methodology provides adequate assurance to a reasonable investor, and for that matter to regulators, that covered entities are meeting their compliance obligations? This paper proposes, in the authors’ opinion, a possible solution that offers a treatment of the material cyber risks required by the SEC final rule and by European Union (EU) cybersecurity regulations, including EU NIS 2 and DORA.

Executive Summary

The SEC final rule requires registrants to demonstrate a robust and repeatable process for compliance, including governance, risk management, board oversight, assurance and attestation. The final rule is based upon the basic assumption that it is the responsibility of the registrant to determine its ‘material cyber risks’ and ‘material cyber incidents’, as viewed through the lens of a reasonable investor. It is the responsibility of the board, board subcommittees and accountable executives to understand and manage the effects of those risks on their business on behalf of their stakeholders, and the SEC rule holds those groups accountable for their actions.

Cyber is a complex risk to manage; it touches all aspects of an organization’s financial statements and is now regulated by the SEC for covered registrants. In addition, from October 2024, EU critical national infrastructure (CNI) providers, financial institutions (FIs) and their ICT suppliers will also be required to comply with cybersecurity risk management regulations under EU NIS 2 and DORA, regulations that adopt similar language to the SEC final rule and require boards to demonstrate the cybersecurity risk management of their organization. The prescriptive nature of these regulations makes the determination of ‘adequate’ compliance difficult. There is no definition of adequate cited by the SEC (or by EU NIS 2 and DORA), so what does adequate look like?

The authors believe that adequacy can be demonstrated by adopting the frameworks and standards that already exist under US FISMA (Federal Information Security Modernization Act) regulation, which adheres to Office of Management and Budget (OMB) Circular A-130. The OMB has responsibility for overseeing regulatory compliance of US federal agencies and defines adequate security as ‘security commensurate with the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of information. This includes assuring that systems and applications used by the agency operate effectively and provide appropriate confidentiality, integrity, and availability, through the use of cost-effective management, personnel, operational, and technical controls.’

The SEC is required to comply with FISMA, which specifies the use of NIST guidance and the Federal Information Processing Standards (FIPS), including implementing NIST SP 800-37 and the recommended use of Cybersecurity Framework (CSF) Profiles. The SEC undergoes an annual FISMA audit assessing its cybersecurity risk management compliance and maturity against nine security domains: Risk Management, Supply Chain Risk Management, Configuration Management, Identity and Access Management, Data Protection and Privacy, Security Training, Information Security Continuous Monitoring, Incident Response, and Contingency Planning. Compliance is audited under the auspices of the Office of Inspector General, typically by a third-party auditor, and the SEC is assessed against the FY 2022 Core Inspector General FISMA Metrics Evaluation Guide.

The question is this. If the SEC manages cybersecurity risks using federal cybersecurity risk frameworks and standards that can reasonably be considered ‘adequate’, is it reasonable to assume that a registrant utilizing the same frameworks and standards, and the same methodology of assessment, can demonstrate adequate compliance with the SEC rule? Is there then a reasonable argument that the registrant is adopting ‘adequate’ cybersecurity risk management, and by extension complying with the SEC final rule?

In our opinion the answer to this question is a qualified yes: ‘if it is good enough for the Federal Government, it should be good enough for a registrant’. Cyber, however, is a complex risk to manage and regulatory compliance is a complex process, as we discuss in our papers ‘The regulatory cyber-risk elephant in the room, impacting the management of Federal cybersecurity’, ‘FISMA, RMF and DoDi 5000.90’ and ‘The Small Business Problem that must be addressed to secure Federal Government and the global Defense Industry base (DIB)’. For many registrants the legal and compliance risks associated with the SEC final rule are significantly greater than the costs of compliance, and registrants have little choice but to comply.

Definitions and Considerations

The final rule is underpinned by three core tenets that are used consistently throughout and that registrants are required to resolve in order to comply with the rule: ‘Materiality’, ‘Reasonableness’ and ‘Adequacy’. The rule makes clear that the decisions registrants make to assess, report and remediate cybersecurity risks and cybersecurity incidents are based upon ‘materiality’, as determined by a ‘reasonable investor’. In our paper “The SEC Final Rule – Materiality, Adequacy, and the Role of a Reasonable Investor” we discuss in detail the definitions of ‘Materiality’, ‘Reasonable’ and ‘Adequate’ that a registrant should consider when complying with the final rule. As registrants identify, assess and mitigate material cybersecurity risks and incidents, they should consider the definition of ‘adequate’ carefully.

What does adequate look like?

No organization can economically secure against all risks. Therefore, to comply with the SEC final rule, it is critical that registrants have a clear path to compliance: one that demonstrates they have adopted an adequate level of cybersecurity risk management and mitigation, and that could in the worst case be demonstrated in court, should a registrant’s regulatory compliance ever be challenged. This requires a compliance program that can evolve as cybersecurity risk management and incident response evolve, incorporating lessons learned through continuous improvement.

It is reasonable to assume that by aiming to comply with the same or similar frameworks and standards as the SEC, a registrant can argue that it is taking adequate and reasonable steps to comply, in part, with the final rule prior to an evaluation of materiality, provided this is delivered through a robust governance and Three Lines of Defense (3 LoD) framework for oversight, assurance, attestation and reporting.

A compliance road map should include:

Risk Management Culture

Cyber is an enterprise-wide risk. Cyber risks can originate from any occurrence that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems, whether internal or external to the registrant, authorized or not. In practice this means a registrant must embed cybersecurity risk management into the culture of the organization: from senior leaders and executives, who provide the strategic vision and the top-level goals and objectives for the organization and who create strategic, financial and compliance risks; to mid-level leaders, who plan and execute the organization’s strategic vision and who create and manage operational, legal and compliance risks; to individuals on the front lines operating the information systems that support the organization’s missions and business functions, who also create operational, legal and compliance risks. Risk management is a comprehensive process that requires organizations to build a culture and capabilities to:

  • Frame risks: establish the context for risk-based decisions and governance.
  • Assess risks: evaluate the threats and vulnerabilities an organization faces, to enable an adequate and economic response.
  • Respond to risks: mitigate the assessed risks.
  • Monitor risks: on a continual basis, to ensure continual risk mitigation.
  • Drive an organizational culture that identifies, assesses, mitigates and reports risk without fear of reprisal.

Governance Framework

The SEC final rule requires registrants to:

  • Describe the board’s oversight of risks from cybersecurity threats and, if applicable, “identify any board committee or subcommittee responsible” for such oversight and “describe the processes by which the board or such committee is informed about such risks.”
  • Describe management’s role in assessing and managing the registrant’s material risks from cybersecurity threats, disclosing the management positions or committees “responsible for assessing and managing such risks, and the relevant expertise of such persons or members in such detail as necessary to fully describe the nature of the expertise.”

Registrants are required to disclose these descriptions to the regulator, supported by the necessary data. The disclosure will be used by the regulator and investors to take appropriate action as they assess a registrant’s ability to manage material cyber risks and incidents. Registrants will be required to demonstrate risk identification, assessment, control effectiveness, mitigation, oversight, assurance and attestation, which is best achieved through a robust governance process. Fig 2 outlines an appropriate model for the governance of cybersecurity risk management, including the Three Lines of Defense. It articulates the relationships between, and the roles and responsibilities of, all internal and external compliance stakeholders. It is simple to understand and execute, and it ensures that the appropriate information is provided to board subcommittees for the oversight and assurance of material cyber risks and material cyber incidents ahead of board attestation and submission to the regulator.

[Fig 2: governance graphic]

A Cybersecurity Risk Management Framework (RMF)

The rule requires registrants to disclose:

  • The registrant’s processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes.
  • Whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant, including its business strategy, results of operations, or financial condition and if so, how.

All organizations face risks, and an RMF provides a structure for managing them. The RMF provides visibility of risks and enables an organization to prioritize their management, put in place the appropriate Plans of Action and Milestones (POAM) to manage risk, and enable its leadership to understand the enterprise-wide risk factors that affect performance, supporting informed business decisions.

“FISMA and OMB A-130 require external providers handling federal information or operating systems on behalf of the federal government to meet the same security and privacy requirements as federal agencies. Also, the controls for systems processing, storing, or transmitting federal information are in contracts or other formal agreements. The RMF can be effectively used to manage supply chain risk”. The RMF defines a consistent, robust and repeatable process to achieve efficient, cost-effective cybersecurity risk management, and it:

  • Facilitates effective communication between senior leaders and executives at the organization and mission/business process levels and system owners at the operational level
  • Facilitates organization-wide identification of common controls and the development of organizationally tailored control baselines, reducing the workload on individual system owners and the cost of system development and asset protection
  • Reduces the complexity of the information technology (IT) and operational technology (OT) infrastructure using Enterprise Architecture concepts and models to consolidate, optimize, and standardize organizational systems, applications, and services
  • Reduces the complexity of systems by eliminating unnecessary functions and security and privacy capabilities that do not address security and privacy risk
  • Enables the identification and prioritization of, and focuses resources on, the organization’s high value assets (HVA) that require increased levels of protection, taking measures commensurate with the risk to such assets

An organization that adopts an RMF such as NIST SP 800-37 Rev. 2 is required to ensure that it is prepared to implement a risk management life cycle and that it has (1) clearly defined roles for executing the RMF; (2) a risk management strategy; (3) completed an organization-wide risk assessment; (4) adopted a tailored control baseline; (5) identified common controls available for inheritance; (6) a business impact assessment of its systems; and (7) adopted an organization-wide strategy for control effectiveness monitoring.

Disclosure, oversight, assurance and attestation

The final rule requires the boards of covered registrants to disclose a significant amount of information to the regulator. That information will be used by both the regulator and market participants to inform investment decisions and to challenge the allocation of capital made by the board to manage its material cyber risks and incidents. Cybersecurity risk management is a continuous process that feeds a registrant’s material cyber risk reporting through its 10-K submissions, and a process that identifies material cybersecurity incidents through the registrant’s cyber incident response and recovery processes and 8-K submissions. At a minimum, the final rule requires boards of registrants to attest and disclose, among other things:

  • The registrant’s processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes. (p.61)
  • Whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant, including its business strategy, results of operations, or financial condition and if so, how. (p.63)
  • Whether and how the cybersecurity processes described in Item 106(b) have been integrated into the registrant’s overall risk management system or processes; whether the registrant engages assessors, consultants, auditors, or other third parties in connection with any such processes; and whether the registrant has processes to oversee and identify material risks from cybersecurity threats associated with its use of any third-party service provider. (p.63)
  • The board’s oversight of risks from cybersecurity threats and, if applicable, “identify any board committee or subcommittee responsible” for such oversight and “describe the processes by which the board or such committee is informed about such risks.” (p.68)
  • Management’s role in assessing and managing the registrant’s material risks from cybersecurity threats, requiring the disclosure of management positions or committees “responsible for assessing and managing such risks, and the relevant expertise of such persons or members in such detail as necessary to fully describe the nature of the expertise.” (p.69)
  • The material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations. (p.184)
  • Specific or technical information about its planned response to the incident or its cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail as would impede the registrant’s response or remediation of the incident. (p.185)

Disclosure requires registrants to assess, oversee, assure, attest and report sensitive information to the regulator, information that will also be used by market participants to evaluate a registrant’s cyber posture. The complexity of this process requires registrants to implement a robust process (Fig 4) for the continual identification and assessment of threats, vulnerabilities and associated cyber risks; the identification of appropriate controls to mitigate cyber risks; the testing of control effectiveness; the demonstration of risk mitigation; and the reporting of both material cyber risks and incidents to the regulator.

Cyber risk oversight and assurance is a continuous process. A registrant’s business strategy, financial performance, operations, cyber threats and cyber vulnerabilities change continually, requiring continual evaluation of its material cyber risks, risk mitigation and reporting, which enables the registrant to manage cyber risk mitigation and protect the organization from material cyber incidents. In the event of a material cyber incident a registrant must also demonstrate that its incident response and recovery processes effectively manage the incident, as deemed necessary by a reasonable investor.

Conclusion

Cybersecurity risk management presents more challenges to an organization than any other form of security, and it is now regulated. In the case of the SEC final rule, that regulation requires registrants to have a clear understanding of the definitions of ‘Material’, ‘Reasonable’ and ‘Adequate’ as they relate to the registrant’s oversight, assurance and remediation of material cyber risks and material cyber incidents. These definitions of ‘materiality’, ‘reasonableness’ and ‘adequacy’ form the basis of the SEC final rule and the core tenets around which a registrant must demonstrate ‘adequate’ compliance. The final rule drives cybersecurity risk management into the board rooms of covered registrants, requiring boards to demonstrate the management of material risks, and a registrant may be called upon to demonstrate the adequacy of that risk management against the requirements set out in the final rule. However, with no definition of ‘adequate’, registrants are left to make their own judgment as to what adequate compliance is.

Adopting a framework or standard that is already recognized by US federal agencies seems to be a practical route to compliance with the SEC final rule. The Risk Management Framework (RMF), along with CSF Profiles, may support a registrant’s ability to demonstrate a reasonable level of assurance against the rule that is repeatable, scalable and capable of quantifiable improvement. A registrant that can demonstrate that it complies, or has started to comply, with a reasonable baseline of cybersecurity risk management, has a strategy to improve its cybersecurity maturity and can report against agreed metrics is likely to be able to report adequate compliance to the SEC. Adopting frameworks and standards that are already recognized makes it easier for registrants to demonstrate adequacy of compliance, ‘as they are eating the same dog food as the SEC’. The frameworks and standards are also assessable in any jurisdiction where they are recognized, reducing the costs of oversight and assurance and setting common standards for compliance across the business. Organizations required to comply with the SEC final rule, EU NIS 2 and DORA face similar compliance requirements; adopting a standard approach to compliance is cost effective, reduces compliance complexity, provides board subcommittees with the information necessary to oversee and assure cyber risk, and allows boards to attest cybersecurity risk compliance consistently and repeatably.

Compliance with the final rule requires an organization to demonstrate that it understands and manages its material cyber risks and material cyber incidents, as we discuss in our paper “The SEC Final Rule – Materiality, Adequacy, and the Role of a Reasonable Investor”. That is best achieved through existing cyber risk management, cybersecurity and governance frameworks and standards, including the Three Lines of Defense. Compliance with the rule requires a registrant to be prepared to demonstrate that it has taken adequate steps, as seen by a reasonable investor, to address its material cyber risks and incidents, or face the potential of legal action from a regulator, an investor or a whistleblower. Forearmed is prepared.

References

  1. https://www.sec.gov/our-goals#:~:text=The%20SEC’s%20long%2Dstanding%20three,capital%20formation%E2%80%94remains%20its%20touchstone
  2. https://www.sec.gov/files/rules/final/2023/33-11216.pdf
  3. https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32022L2555&from=EN
  4. https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32022R2554&from=EN
  5. https://www.congress.gov/bill/113th-congress/senate-bill/2521
  6. https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/OMB/circulars/a130/a130revised.pdf
  7. https://www.sec.gov/files/fy-2022-independent-evaluation-sec-implementation-fisma-2014-report-no-574.pdf
  8. https://www.cisa.gov/sites/default/files/2023-01/fy_2022_core_ig_fisma_metrics_evaluation_guide_05-12-22.pdf
  9. https://augustagrp.com/fisma%2C-omb-and-the-rmf-1
  10. https://augustagrp.com/dodi-5000-90%2C-fisma%2C-scrm
  11. https://augustagrp.com/small-business-cyber-1
  12. https://www.linkedin.com/feed/update/urn:li:activity:7104312138407530496/
  13. https://csrc.nist.gov/pubs/sp/800/37/r2/final
  14. https://www.nist.gov/cyberframework/examples-framework-profiles
  15. https://www.nist.gov/cyberframework/perspectives#international
