The SEC proposed rules and amendments are designed to increase visibility regarding public organizations’ risk management, strategy and governance. The purpose of these rules is to provide disclosures that enable investors to more accurately evaluate the cybersecurity risk exposure of public organizations and those organizations’ ability to manage and mitigate cybersecurity risks.
Cybersecurity is a growing concern among investors who want greater transparency regarding an organization’s exposure to risk. The rising frequency and cost of cybersecurity events have led to a call for greater transparency of the exposure to cybersecurity risk at publicly traded organizations.
The proposed rules and amendments are designed to provide greater transparency about an organization’s risk management, strategy, and governance and to provide timely notification of relevant cybersecurity incidents. Improving the reporting and transparency regarding an organization’s exposure to cybersecurity events allows investors to critically review their risks and evaluate the organization’s ability to manage and mitigate those risks and incidents. Given the rising costs and losses associated with a cybersecurity event, these are non-trivial factors for investors.
What are the Proposed SEC Cybersecurity Rules?
The proposed SEC rules and amendments are designed to “enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies (“registrants”) that are subject to the reporting requirements of the Securities Exchange Act of 1934.”
The proposed rules can be divided into two primary areas: disclosure of security events, and the strategies used to manage and reduce the likelihood of a security event. In particular, the regulations are concerned with the reporting of cybersecurity incidents and the cybersecurity expertise of the Board of Directors.
Incident Disclosure Proposed Amendments:
- Amend Form 8-K requirements to disclose all cybersecurity incidents within 4 business days.
- Under Item 106(d) of Regulation S-K and Item 16J(d) of Form 20-F, previously disclosed cybersecurity incidents must be updated, and incidents that were individually immaterial must be disclosed once they have become material in the aggregate.
- Amend Form 6-K to include “cybersecurity incidents” as a reporting topic.
Risk Management, Strategy, and Governance Disclosure
- Add Item 106 to Regulation S-K and Item 16J of Form 20-F.
- Publicly traded organizations must describe their policies and procedures, if any, for identifying and managing risks from cybersecurity threats; this must address whether the organization considers cybersecurity as part of its business strategy, financial planning, and capital allocation.
- Requires disclosure about the board’s oversight of cybersecurity risk and management’s role and expertise in assessing and managing cybersecurity risk and implementing the registrant’s cybersecurity policies, procedures, and strategies.
- Amend Item 407 of Regulation S-K and Form 20-F to require disclosure regarding board member cybersecurity expertise. Proposed Item 407(j) would require disclosure in annual reports and certain proxy filings if any member of the registrant’s board of directors has expertise in cybersecurity, including the name(s) of any such director(s) and any detail necessary to fully describe the nature of the expertise.
The regulations require reporting of cybersecurity incidents on Form 8-K. Additionally, organizations must now regularly disclose:
- A registrant’s policies and procedures to identify and manage cybersecurity risks;
- Management’s role in implementing cybersecurity policies and procedures;
- Board of directors’ cybersecurity expertise, if any, and its oversight of cybersecurity risk;
- Updates about previously reported material cybersecurity incidents.
Finally, the regulations require that disclosure be reported and presented in Inline eXtensible Business Reporting Language (Inline XBRL).
How the Proposed SEC Regulations Affect Data-Driven Organizations
The rising cost and consequences of cybersecurity events require data-driven organizations to ensure that their data, particularly sensitive PII and PHI, is secure and protected. From an investor’s perspective, it is important that public data-driven organizations, and in particular those that collect PII or PHI, have mature, up-to-date procedures for data security.
The emphasis these regulations place on management’s role in implementing cybersecurity policies and procedures raises a particularly interesting question: how can public data-driven organizations implement controls, develop strategies and optimize risk transfers?
There is already a divide between (a) management and security teams and (b) data engineering and DevOps teams. This division between the development of security policies and controls by management and security teams and the actual implementation of those policies and controls by data engineering and DevOps teams threatens to leave organizations exposed to cybersecurity risk.
Defining the controls needed to meet the proposed cybersecurity regulations is one step; actually implementing the corresponding controls is more complicated. This is because the implementation of security controls and data access controls is performed by data engineering and DevOps teams, who have their own priorities and objectives. The situation is further complicated when sensitive PHI and PII data is dispersed across a variety of data stores, each with its own security features.
The division between authorization and authentication results in the following:
- Data engineers and DevOps are frustrated by spending their time managing data access controls, and respond by granting blanket access, which leads to over-privileged users. This significantly increases the organization’s risk exposure and can result in security incidents.
- DevOps and data engineering teams spend too much time managing access to data and security requirements only because they are the admins of the system. This increases administrative costs through a cumbersome ticketing system and reduces morale, as these individuals would prefer to work on their own core projects.
- Reduced productivity, since data requests are delayed in a backlog of permission and access tickets. This lengthens your customers’ time-to-value and can affect the profitability of your organization.
- Failure to meet the SEC’s cybersecurity regulations.
SEC Proposed Regulations with Satori
Satori can help relieve some of the pressure of meeting these proposed rules, particularly meeting:
- An organization’s policies and procedures to identify and manage cybersecurity risks
- Management’s role in implementing cybersecurity policies and procedures
Satori’s Data Security Platform provides automated and secured policies and procedures to manage cybersecurity risks and streamlines the process of implementing these procedures, regardless of how widely dispersed the data is.
Satori’s automated and secured access to data:
- Satori continuously discovers and classifies all sensitive data (PII, PHI, Financial data and more) regardless of where it is located. The ability to rely on automated processes eliminates manual configuration, improves efficiency, reduces risk exposure, and is easier to manage.
- The Satori data portal reduces the burden on data engineering and DevOps teams. Through the data portal, users gain access to data according to security policies via automated self-service access workflows, so that authorized users can access sensitive data only when required. This leaves these teams with more time to focus on value-generating projects.
- Posture Manager improves security and compliance through increased visibility and identification of users, enabling data and security teams to eliminate over-privileged users. Coupled with Satori’s open-source Universal Data Permissions Scanner (UDPS), which scans all data stores and determines “who has access to what”, it provides a comprehensive picture of where sensitive data is located and who has the potential to access it. This helps organizations meet and exceed compliance requirements.
According to a recent Forbes article, 90% of public organization boards are not ready for the new SEC cyber rules. Satori’s Data Security Platform can help your data-driven organization prepare for the upcoming SEC disclosure requirements. The ability to develop and implement security policies and controls ensures that your organization reduces its risk and financial exposure and improves shareholder value.