On March 9, 2022, the Securities and Exchange Commission (SEC) announced proposed rules and amendments to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting. These proposed amendments impact all public companies subject to the reporting requirements of the Security Exchange Act of 1934.
To summarize this proposal and learn how to successfully prepare for them, read on.
What’s the Primary Objective of this Proposal?
This proposal aims to fill the gap between investors and the security risk management efforts of public issuers. Cybercrime is growing in prevalence, and supply chain attacks introduce additional complexities to the already intricate field of data breach prevention.
To address investor concerns about public issuer safety, SEC proposes to mandate a wide range of cybersecurity disclosures between public suppliers and investors. This amended notification standard will give investors greater awareness of the risk mitigation efforts of public suppliers and the effectiveness of these strategies.
With cyber threats encroaching from all directions, investors have a growing interest in the risk mitigation efforts of public suppliers and the effectiveness of these efforts.
“I am pleased to support this proposal because, if adopted, it would strengthen investors’ ability to evaluate public companies' cybersecurity practices and incident reporting."
- Gary Gensler, SEC chair
Submitting Public Comments
The Security and Exchange Commission published these proposed amendments on March 9, 2022. The proposal is open for public comment for 60 days following this date or for 30 days following publication in the Federal Register, whichever is longer.
Public comments are an opportunity to share any concerns or suggestions about SEC’s proposed amendments. Comments can be submitted through this link.
A Summary of the Proposed Amendments
The proposed amendments aim to achieve consistent incident disclosure practices between registrants and investors in two areas:
- Security incident reporting
- Risk management, strategy, and governance reporting.
With improvised incident reporting and deeper visibility into each registrant’s risk management practices, investors can make informed decisions about the viability of new and prospective public supplier relationships.
Incident Disclosure Proposed Amendments
The SEC proposes to widen the scope of events triggering incident disclosure to investors. These proposed amendments will impact Form 8-K, Form 6-K, Form 20-F, and Regulation S-K.
Amendments to Form 8-K
Companies advising shareholders of a major incident must file form 8-K (the “Current Report”) to the SEC.
Currently, four categories of events trigger a public company’s obligation to file Form 8-K under Section 1 - Registrant’s Business and Operations.
SEC proposes to add a 5th trigger to the Registrant’s Business and Operations category, item 1.05 - Material Cybersecurity Incidents.
A cybersecurity incident is regarded as material if it has the potential of impacting a shareholder's investment decisions.
Material cybersecurity incidents could include the following:
- Unintentional data exposures, also known as Data Leaks
- Intentional sensitive data exposures caused by cybercriminals
- Events compromising the integrity and availability of asset systems
- Events disrupting business continuity
- Sensitive data theft
- Credential compromise potentially leading to loss or liability
- Ransomware attacks, where cyber criminals demand a ransom payment in exchange for restored system access
- Cybercriminals threatening to either sell or publicly disclose sensitive data.
Item 1.05 will require registrants to disclose the following details about a material cybersecurity incident within four days of its occurrence:
- When the incident was discovered
- Whether the incident was stopped or if it’s ongoing
- A description of the incident
- Known impacts on business operations
- Details of any stolen or altered data
- Details of any unauthorized data disclosures
- Details of any remediation efforts.
It isn’t always possible to have the complete details of a cyber event in less than four days. Under the proposed addition of item 1.05, registrants will be required to delineate a material incident to the best of their knowledge when submitting Form 8-K.
Form 8-K can be accessed here.
A materiality classification is subjective as it depends on the perceived risk thresholds of each shareholder. Under the proposed addition of item 1.05, registrants will need to quickly determine when investors would classify an incident as material by considering the unique context of each cyber event.
Public suppliers should define risk thresholds shortly after establishing a new investor relationship to accelerate this process and ensure Form 8-K is submitted within the narrow four-day window.
Learn how to define risk thresholds.
How UpGuard Can Help
UpGuard helps public suppliers comply with SEC’s proposed incident disclosure amendments through a five-pillar framework.
1. Fully Managed Data Leak Detection
UpGuard’s proprietary AI-powered data leak detection engine scans the dark web and surface web for exposures that could facilitate system compromise. To eliminate false positives, results are reviewed by expert analysts before being fed through remediation workflows.
The rapidity of data leak detection and remediation that’s possible with UpGuard means security staff can address exposures before they're detected by cybercriminals, decreasing the potential for data breach events.
Investors will find such an exemplary degree of cyber resilience very impressive as it will reduce the frequency of unfortunate incident disclosures.
Learn more about UpGuard’s data leak detection capabilities.
2. Third-Party Risk Management
UpGuard’s team of TPRM experts help public suppliers augment their vendor risk management efforts and rapidly scale security and regulatory compliance across the third-party network.
Learn more about UpGuard’s TPRM managed services.
3. Attack Surface Monitoring
UpGuard’s attack surface monitoring range is broad, starting from the internal network and extending to the third and even fourth-party network. Security vulnerabilities are detected based on the attributes of over 70 advanced attack vectors. By helping SEC registrants rapidly detect and remediate security vulnerabilities, UpGuard could prevent malware injections leading to ransomware attacks and supply chain attacks.
Learn more about UpGuard’s attack surface monitoring capabilities.
4. Vendor Tiering
UpGuard’s Vendor Tiering feature further reduces the potential of third-party breaches while also supporting an efficient distribution of remediation efforts.
With Vendor Tiering, public suppliers can rank their vendors by level of potential security posture impact. This organization method ensures that the most critical vendors receive the security attention required to prevent material cybersecurity incidents.
The video below summarizes Vendor Tiering and associated features supporting enhanced Vendor Risk management.
Learn more about Vendor Tiering.
5. Executive Reporting
The first three pillars of this framework minimize the need for incident disclosure by addressing all vulnerabilities facilitating system compromise. But when an incident disclosure is required, executive reports can be generated with a single button click.
The following details are available to include in executive reports:
- A list of all subsidiaries for a high-level overview of your entire organizational structure
- Overall risk breakdown
- Security rating distribution
- Risk category breakdowns
- Geolocation risk reports.
To support a case of exemplary security due diligence, compliance reports can also be instantly generated and exported in either excel or PDF format.
Amendments to Form 6-K
Foreign Private Issuers (FPIs) - any foreign issuer that isn’t a foreign government - are not required to file current reports via Form 8K. Disclosures are instead submitted via Form 6-K.
The SEC proposes to amend General Instruction B of Form 6-K to include cybersecurity incidents as a reporting topic. Reporting triggers will mirror the details outlined in proposed item 1.05 of Form 8-K.
Form 6-K can be accessed here.
Amendments to Form 20-F and Regulation S-K
Under the proposed amendments to Form 20-F and Regulation S-K, registrants will be required to:
- Update disclosures relating to previously disclosed cybersecurity incidents
- Disclose when a series of previously undisclosed immaterial cybersecurity events become material, to the extent known by management.
These amendments will be reflected in items:
- 106(d) of Regulation S-K
- 16J(d) of Form 20-F.
Form 20-F can be accessed here.
Regulation S-K can be accessed here.
Risk Management, Strategy and Governance Disclosure Proposed Amendments
To support intelligent investment decisions, awareness of a public supplier’s security efforts must be continuous and not limited to disclosures following a cyber event.
The SEC aims to achieve this by standardizing enhanced disclosure of a registrant’s cybersecurity risk management, strategy, and governance. The proposal requires registrants to:
- Disclose whether cybersecurity initiatives are included in business strategies, financial plans, and capital allocations
- Describe its policies and procedures for managing risks associated with different cybersecurity threats
- Disclose the board’s oversight of cybersecurity risks and management’s role and expertise in assessing and managing cybersecurity risk
- Disclose the board’s oversight of cybersecurity risks and management’s role and expertise in implementing cybersecurity policies, procedures, and strategies.
The SEC also proposes disclosure regarding each board member's cybersecurity expertise. This amendment will be reflected in item 407 of Regulation S-K and Form 20-F.
If any board members have cybersecurity expertise, proposed item 407(j) of Regulation S-K and Form 20-F will require their names and expertise details to be disclosed in annual reports and certain proxy filings.
How UpGuard Can Help
UpGuard’s shared profile feature allows SEC registrants to share their security posture efforts and related security documentation with current and prospective investors.
By referencing completed security assessments in a registrant’s Shared Profile, investors can instantly evaluate risk management efforts and bypass the time-consuming process of requesting specific security posture details. This immediate feedback will help SEC registrants comply with the proposed amendments to risk management, strategy, and governance disclosures.
Public supplier customers of UpGuard have the option of including the following details in their Shared Profile:
- Security Ratings - Security ratings quantify security postures based on 70+ attack vectors. Investors will also be able to compare a registrant’s security rating against industry standards. Learn more about security ratings here.
- Security Contact - Contact information for key team members responsible for risk management, strategy, and governance.
- Company Description - A summary of an SEC registrant’s scope of services.
- Security Questionnaires - Completed questionnaires commonly requested by current and prospective investors.
- Supporting Documentation - Any security documentation that could influence investment decisions. These could include compliance certifications such as PCI DSS, SOC 2, ISO 27001, FedRAMP, etc.
See the video below for a summary of UpGuard’s Shared Profile feature:
UpGuard Can Help You Prepare for SEC’s Proposed Amendments
UpGuard’s suite of attack surface management features mitigates material incidents requiring disclosure while giving investors deep visibility into the cybersecurity performance of public suppliers.
