In March 2023, US President Joe Biden released the National Cybersecurity Strategy, a nationwide framework that aims, in part, to bolster the safety and security of US critical infrastructure and better protect it against cyber threats, while also increasing collaboration between the public and private sectors to achieve these goals.
A key pillar of the National Cybersecurity Strategy will be to establish new mandatory cybersecurity requirements for critical infrastructure and for its cloud-based service providers. The regulations are expected to complement existing cyber security frameworks and guidance, including the newly revised (as of March 2023) Cybersecurity and Infrastructure Security Agency (CISA) Cross-Sector Cybersecurity Performance Goals and the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity. Sector-specific cybersecurity requirements can also be expected, along the lines of the Transportation Security Administration’s (TSA) cyber security requirements for airport and aircraft operations and the Environmental Protection Administration’s (EPA) cyber security requirements for the water sector.
Beyond critical sectors, US federal and state regulators have begun to issue cyber security regulations of their own. Given these developments, together with already established cyber security frameworks and guidance, businesses across all industries should reassess their cyber security practices to ensure continued alignment with emerging legislation.
SEC public company cybersecurity disclosure rules
The US Securities and Exchange Commission (SEC) has formalised rules for cyber security disclosure by public companies listed in the US, including foreign private issuers with a secondary listing in the US (“regulated entities”).
The rule responds directly to cyber security risk rapidly becoming one of the most critical governance issues for public companies, driven by both a more complex threat environment and the increasing cost of cyber attacks to their victims.
The newly published rule focuses on how companies identify and manage cyber risks within their business, as well as the public disclosure of material cyber incidents. The rules were formally published on August 4, 2023, and take effect on September 5, 2023.
Overall themes of the SEC’s proposed cybersecurity rules for publicly listed companies and regulated entities include:
1) Cyber security risk processes and procedures: This includes how public companies assess, identify, and manage material risks from cyber security threats; a description of risks from cyber threats that have materially affected or are reasonably likely to materially affect the company; a description of the board of directors’ oversight of risks from cybersecurity threats; and a description of management’s role in assessing and managing the foreign private issuer’s (FPI’s) material risks from cybersecurity threats.
2) Reporting requirements: As of December 18, 2023, public companies will be required to report material cyber security incidents to the SEC within four days of discovering an incident and determining that it is material in nature. Foreign private issuers must promptly disclose material cyber security incidents that they make public to their home country government, home country stock exchange, or security holders.
While included in the initial proposed rule, the SEC did not adopt the requirement to disclose the cyber security expertise of board directors. The Commission decided that effective cyber security processes are designed and administered largely at the management level, and that directors with broad-based skills in risk management and strategy often effectively oversee management’s efforts without specific subject matter expertise, as they do with other sophisticated technical matters.
The SEC vs the New York State Department of Financial Services (NYDFS)
The final SEC cyber security rule should be considered alongside the NYDFS proposed cybersecurity regulation issued in November 2022. The NYDFS regulation shares similarities with the SEC's rules, including the reporting of material cybersecurity incidents; however, the NYDFS requires reporting within 72 hours, compared to the SEC’s 96-hour deadline. Additionally, the NYDFS proposed rule would mandate disclosure of incidents in three specific categories: a cyber event in which an unauthorised user has gained access to a privileged account; a cyber event that resulted in ransomware being deployed in a material portion of the covered entity’s information system; or a cyber event at a third-party provider that impacts the covered entity.
Both the SEC and NYDFS emphasise management oversight and accountability for cybersecurity, with a focus on board directors having sufficient cybersecurity expertise. The SEC's proposed rules primarily address corporate governance practices, while the NYDFS regulation focuses more on operational security controls. The NYDFS proposed rule would require cyber security protocols to be integrated into enterprise business continuity and disaster recovery planning, training, and exercises across the organisation, and would also mandate specific cyber security risk mitigation measures, such as strong passwords, multi-factor authentication, penetration testing, and automated vulnerability scans.
Overall, these proposed rules aim to enhance cyber security risk management, disclosure, and reporting in the financial industry. If implemented, they would increase transparency and accountability regarding cyber security practices, helping to protect against cyber threats and promote investor confidence in the market.
For US public companies and those in the financial services industry, the enhanced focus on cyber security practices by both the White House and US regulators signals that this is an area of increased regulatory and enforcement risk where robust cyber security practices are not in place.
Measures companies should have in place include:
- Ensuring disclosure requirements and timelines are integrated into current incident response plans;
- Incorporating cyber security strategy into overall business strategy, including vendor and third-party risk management; and
- Implementing written policies and procedures to ensure the security of information systems and non-public information that are accessible to, or held by, third-party service providers.
From a governance standpoint, there should also be a formalised plan for how the board and senior leaders will be held accountable for cyber-related risks. Additionally, it will be important to ensure that senior management and at least one member of the board of directors have the necessary cyber security expertise. Ideally, the board should have a strong grasp of the material and non-material cyber security threats the business faces, so that it asks the right questions about how the business is defending against them.