The 5 Ways The SEC Failed Investors On Cybersecurity


The SEC recently released their final cybersecurity disclosure rules. While it is a step forward from their admitted ineffective cybersecurity guidance from 2011 and 2018, what they chose to eliminate from the final rules fails investors in several critical ways.

Here are the top 5 things that they left out of the final rules and how these omissions failed investors:

#5 — By allowing insider trading from discovery of the incident until it is determined to be material.

While insider trading during the period from incident discovery to materiality determination was explicitly prohibited in their proposed rules, it did not make the final cut. This now takes on new meaning given management’s discretion in determining incident materiality—which is when it now needs to be disclosed—leaving the period from discovery to management’s determination of materiality open for insider trading. Let the insider trading begin.

#4 — By not requiring boards to explain how they integrate cybersecurity into business strategy, risk management and financial oversight.

The SEC originally proposed that investors would find information about how the board understands cybersecurity in the context of strategy, risk and financial oversight useful. However, in their final rules they had a change of heart. This is a troubling change of view when almost 3,000 risk management executives in the 2023 Allianz Risk Barometer ranked cyber incidents as the #1 business risk in 2023. This omission also fails to recognize the boardroom as a control in the organization’s system of cybersecurity and fails to require the boardroom to establish and articulate the cyber-tone-at-the-top of the enterprise, something investors would most definitely find useful.

#3 — By admitting that their prior guidance in 2011 and 2018 was largely ineffective, yet still watering down their 2023 final disclosure rules all while risks and costs rise.

In regard to the final rules, the SEC declared, “First, an ever increasing share of economic activity is dependent upon electronic systems, such that disruptions to those systems can have significant effects on registrants and, in the case of large-scale attacks, systemic effects on the economy as a whole. Second, there has been a substantial rise in the prevalence of cybersecurity incidents…Third, the costs and adverse consequences of cybersecurity incidents to companies are increasing…”

And with regard to the impact of their 2011 and 2018 interpretive guidance in addressing the need for the new and shiny proposed rules, they said that “current reporting may contain insufficient details, and the staff has observed that such reporting is inconsistent, may not be timely, and can be difficult to locate.”

So why water down or shut the spigot off entirely on some of the very light-weight but high impact proposals that they originally made? Rhetorical question, and moral of the story—don’t look to the SEC for leadership on cybersecurity governance or management. Their policy making significantly lags the reality of market conditions.

#2 — By failing to go beyond disclosure with more explicit rules that reflect the criticality of cybersecurity governance and management and the reality of cybersecurity risk as the top business risk facing companies globally.

Disclosure is a start and brings transparency that can drive analysis and action. But it is a weaker response than needed after a decade of failure on an issue that moves much faster than disclosure and that brings far-reaching and compounding implications strategically, financially, operationally and legally.

While the SEC acknowledges systemic risk and the rise in cybercrime and its costs, their final actions don’t match their words and the reality of cybersecurity risk as the top risk facing businesses. Our almost 3,000 risk management experts from the Allianz survey would likely agree that more was needed from the SEC. The insurers who are struggling to understand and underwrite cyber risk would also likely agree, as would many investors and consumers who have been the real victims of cybersecurity incidents.

The SEC’s final rules are even more disappointing against the realization that their actions fail to live up to the precedent and standard they established on financial reporting risk in 2002 when they mandated financial experts and audit committees into existence on corporate boards. Improving boardroom leadership over these issues had an immediately positive impact on real levels of financial reporting risk.

In 2002, the SEC proved that they can regulate after the fact when the threat is as serious as the financial reporting crisis was in 2002. But anyone can see the horses after they have left the barn, and the SEC was far too soft on the boardroom’s role as a critical control in the organization’s overall system of cybersecurity. This guarantees that America’s private sector cybersecurity risk profile will remain higher than it could be.

The SEC has proven over the last decade that they cannot regulate cybersecurity effectively. Their final rules are another example of them falling short and failing to think forward on cybersecurity. The reality of cybersecurity risk will unfortunately again prove that their latest attempt is too little, too late as it falls short for investors.

Fortunately, many leading-practice boards and management teams don’t wait for the SEC to tell them what to do on cybersecurity risk. They are already adopting policies and procedures that far exceed the SEC’s final and lagging rules. Investors should push for the implementation of policies beyond the SEC rules.

#1 — By not requiring boards to identify if they have someone in the boardroom who understands cybersecurity risk.

The highest impact, least effort proposal they took off the table in their final rules is their top investor failure. They had proposed a cyber expertise disclosure provision for directors—it did not make the cut. Apparently, informing investors if someone on the board understands any of this cybersecurity stuff was deemed by the SEC not to be an important disclosure item for investors.

Again, in 2002 with regard to financial reporting risk, the SEC thought that having a financial expert in the boardroom was a good thing. The SEC rationalized the cybersecurity expertise omission with the statement, “We are persuaded that effective cybersecurity processes are designed and administered largely at the management level, and that directors with broad-based skills in risk management and strategy often effectively oversee management’s efforts without specific subject matter expertise, as they do with other sophisticated technical matters.”

Of course, this statement doesn’t apply to the reality of how the SEC approached the much narrower implications of financial reporting risk. And apparently the SEC believes directors can effectively govern what they don’t understand while also believing that the board doesn’t play an important role as a part of the overall system of cybersecurity risk management.

The SEC also seems to believe that directors possess some kind of universal and magical risk aptitude that empowers them to understand and govern risk of any nature or type. The insurance industry would love to get their hands on this magical capability and apply it to cybersecurity risk and all the other types of differentiated risk that they work hard to understand and underwrite.

Change, innovation and new technologies very frequently introduce new types of risks that require new domain expertise to understand. The current discussions around AI are a good example as is the growing prevalence of systemic risk within the complex digital business system.

There’s a reason why no one goes to their plumber for dental work. Different risks require different competencies to understand and mitigate.

The SEC gave boardrooms a cybersecurity competency accountability pass with this omission. Until the SEC starts viewing the responsibilities of the board in cybersecurity risk oversight as critically as they do for financial risk oversight, leadership in cybersecurity risk governance will continue to underperform the realities of the market—causing the entire system of cybersecurity risk management to underperform and keeping levels of cybersecurity risk higher than they need to be.

Cybersecurity success starts in the boardroom (except in the eyes of the SEC) and unfortunately cyber failure often does too.
