On March 15, 2023, the US Securities and Exchange Commission (SEC) published a proposed amendment to Regulation S-P, which governs the privacy of consumer financial information and the safeguarding of customer information. The amendment would require covered institutions (brokers, dealers, investment companies and registered investment advisers) to adopt written incident response policies and procedures to detect, respond to and recover from unauthorized access to or use of customer information.
This proposal is intended to be read alongside a separate cyber security rule the SEC proposed in 2022 for its registered investment advisers and funds, which would enhance and standardize those registrants' disclosures of cyber security risk management, strategy, governance and incident reporting. Together, the rules are intended to make demonstrable cyber security resilience a basis on which regulated institutions compete for investors.
A third SEC rule, also proposed in 2022, has a wider remit: it covers all companies publicly traded in the United States. It would require reporting of material cyber security incidents to the SEC within four business days, disclosure of how cyber security is incorporated into business strategy and third-party risk management, and disclosure of the cyber security experience of board directors and executives.
These proposals respond to the fact that cyber security has quickly become one of the most critical governance issues for public and private companies and their investors, especially in the US. The drivers are a more complex threat environment and the rising cost of cyber security impacts: business interruptions, ransom payments, recovery processes, protective controls, legal and compliance fees, and reputational damage. The rules formalize years of SEC guidance that encouraged organizations to apply financial disclosure concepts to the cyber security and data privacy aspects of their businesses; the amendments would also bring knowledge of cyber security incidents within the scope of insider trading regulations. Affected clients will need to meet new reporting requirements covering their cyber security governance and response capabilities. Control Risks can help clients navigate the forthcoming rules through a combined approach of compliance and cyber consulting that keeps them aligned with SEC regulations.
Current SEC regulations already address the unauthorized use of customer information but contain no requirement to notify customers in the event of a data breach. The SEC is concerned that covered institutions' existing plans may not address breach incidents, and that their incident response programs may not keep pace with evolving threats or ensure timely notification of affected customers. Differences between state-level breach notification requirements also mean that affected individuals in different jurisdictions can receive inconsistent information.
Takeaways for publicly traded American companies
Material cyber security incidents
- The proposed regulations would amend Form 8-K to require disclosure of "material" cyber security incidents within four business days of the company determining that the incident is material.
- The materiality determination must be made "as soon as reasonably practicable" after the incident is discovered; an ongoing internal or external investigation is not grounds for delaying the report.
- An incident is material when there is a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision, or when it would significantly alter the total mix of information made available. The threshold can be met qualitatively, quantitatively or in the aggregate.
- Materiality assessments should weigh both quantitative and qualitative factors, covering the likelihood that an incident meets the materiality threshold and the scale of its impact.
- A report of a material incident must describe the event and state when it was discovered, whether it is ongoing, whether data was stolen or altered, its effect on business operations and the status of remediation. The report is not required to contain technical specifics.
- The SEC is also proposing amendments to Forms 10-Q and 10-K so that companies update their previous cyber security disclosures in subsequent periodic reports.
Risk management and strategy
- The proposed rules would require companies to disclose how they incorporate cyber security into their overall business strategy and how they select and oversee third-party vendors.
- Companies would have to disclose whether they have: a cyber security risk assessment and management program; engaged third parties in connection with cyber security; policies and procedures to assess third-party risk; a cyber security program informed by past incidents; cyber risks or incidents that have affected or could affect the company; and cyber security risk management incorporated into the development of their business strategy.
- Companies would also have to disclose how the board and management take responsibility for cyber risk, including: whether cyber security oversight sits with the full board or a committee; the process by which the board is informed of cyber security risks; how often those risks are discussed; and how the board weighs cyber risk in its business strategy, risk management and financial oversight.
- Companies must disclose management's cyber expertise, including: management's role in assessing and managing cyber risk; whether there is a CISO and to whom that person reports; the process by which managers responsible for cyber security are informed of security efforts and incidents; and how often those managers report to the board.
- Companies would also have to disclose each director's level of cyber security expertise, naming the director and describing the nature of the expertise (for example, work experience, degrees, certifications, or other knowledge and skills).
Takeaways for regulated institutions
Cyber security reporting requirements
- Regulated institutions (advisers and funds) would have to report significant cyber security incidents (as defined below) to the SEC within 48 hours of having a reasonable basis to conclude that one has occurred or is occurring. The report would be made on a new form, Form ADV-C, and must include: when the incident was discovered; a description of the nature and scope of the incident; any data stolen, altered, accessed or used for unauthorized purposes; and whether the incident has been or is being remediated.
- Regulated institutions would have to adopt and implement written policies and procedures to identify and manage cyber security risks, and disclose them to the SEC. These policies should cover the following core areas:
- Risk assessment and periodic reassessment: how the organization identifies and protects against anticipated risks and hazards
- User security and access control for adviser or fund information: acceptable use policies, multi-factor authentication standards, least-privilege and zero-trust access models, and secure remote access procedures, including use of a virtual private network (VPN)
- Information protection: information classification, encryption of data in transit and at rest, malware protection, assessment of how an incident would affect the ability to provide advice and services, third-party data access, and vendor contract clauses on information protection
- Threat and vulnerability management: threat monitoring, endpoint detection and response, and vulnerability assessment through both passive monitoring and active scanning
- Cyber security incident response and recovery: business continuity and disaster recovery procedures, personnel with designated roles and responsibilities, and escalation guidelines covering notification of executives and the board
- Annual review and revision: how the organization assesses the design and effectiveness of its policies and procedures, and updates them
- Board approval: a fund's board must approve the initial policies and any subsequent material changes
- Regulated institutions must also disclose cyber security risks and incidents: risks that could materially affect adviser services and how those risks have been addressed within the organization, and any significant cyber security incidents that occurred in the past two fiscal years, including which entities were affected, when the incident was discovered and remediated, any data loss or alteration, the effect on operations, and its current status.
- Registered funds must also disclose this information in their registration statements on Forms N-1A and N-2.
Data privacy disclosure and reporting requirements
- The proposed Regulation S-P amendment would require covered institutions to adopt and implement a written incident response program reasonably designed to detect, respond to and recover from unauthorized access to or use of customer information. The written program must address the ability to:
- Assess incidents of unauthorized access to or use of customer information and identify impacted data and systems
- Take appropriate steps to contain and control the incident and prevent further unauthorized access to or use of customer information
- Notify each affected individual whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization
- The amendment also proposes a new, broader definition of sensitive customer information: "any component of customer information alone or in conjunction with any other information, the compromise of which could create a reasonably likely risk of substantial harm or inconvenience to an individual identified with the information." This is broader than the definitions currently used in at least 12 states, so institutions would have to notify individuals of breaches involving a wider range of personal information. The proposed rule also sets a notification deadline of 30 days after the institution becomes aware of the breach, which is shorter than the current deadlines in 15 states.
Benefits to investors
- The SEC's view is that greater transparency about regulated institutions' cyber security policies and processes will lead to better-informed investment decisions, a clearer understanding of the cyber security risks and impacts on regulated institutions that could be passed on to investors, and less mispricing of securities caused by a lack of available information. Transparency also reduces the ability of malicious cyber actors to profit from inside knowledge of an incident by exploiting that mispricing.
Benefits to regulated institution
- The SEC expects greater transparency about cyber security governance and incident management to lower capital costs for regulated institutions that improve, or already maintain, a high level of cyber security resilience. The rules should also reduce the stigma attached to public incident reporting, softening reputational impacts, and cut the compliance costs currently incurred through over-reporting under unclear SEC requirements.
Costs to regulated institution
- The SEC acknowledges that its proposed disclosures could increase regulated institutions' exposure by alerting threat actors to specific weaknesses and inviting follow-on attacks. The disclosures will also make public which institutions have experienced boards, managers and CISOs and which do not. Competition on cyber security may in turn raise the cost of the network security measures, tools and personnel needed to maintain a market edge.
Key definitions
- SEC regulated institutions: brokers, dealers, registered investment advisers ("advisers"), registered investment companies and business development companies (collectively, "funds").
- Cyber security incident: an incident, or group of related incidents, that significantly disrupts or degrades an adviser's or fund's ability to maintain critical operations, or that leads to unauthorized access to or use of adviser or fund information resulting in substantial harm to the adviser or fund, or to the client or owner of the information.
- Material incident: an incident for which there is a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision, or that would significantly alter the total mix of information made available.
- Critical operations: implementation of investment strategy, processing or recording of transactions, and communication with customers or clients.
- Substantial harm: significant monetary loss, or theft of personally identifiable information or intellectual property.
How Control Risks can help
Control Risks is uniquely positioned to provide your organization with the tools to succeed in this new regulatory environment by combining the expertise of our compliance and cyber consulting teams to address your every need. With over 45 years of experience, our compliance consulting team has helped clients in every sector and every corner of the globe navigate complex political, regulatory and operational environments. We have helped each of them approach ethics, compliance and governance challenges with confidence. Our cyber consulting team combines a global threat intelligence perspective with robust experience in assessing, managing and improving clients’ cyber security postures to support business continuity and resilience in an ever-changing threat landscape. Together, our expert teams can help you and your organization be compliant with regulations and competitive with your market peers in driving capital and profit.