Chapter 2 - Annual Plans for Your Risk Management Strategy & Governance (Form 10-K)
November 20, 2023 | Dr. James Norrie
Welcome back to the second part of our blog series regarding the new SEC cybersecurity disclosure rules – or what we refer to as “Moving Beyond the Checkbox!”
A premise underlying our interpretation of these new guidelines is that the SEC is mandating that companies not just measure their effort to mitigate cybersecurity risks based on inputs, but also provide proof of measurable success at containing risk within their pre-established risk tolerances. This makes it an active and ongoing regulatory, compliance, and reporting process. And that is a significant shift.
At a summary level, Regulation S-K has been amended to include new Item 106, requiring companies to describe their internal and external processes, if any, for identifying, assessing, and managing material risks arising from cybersecurity threats. These take effect for fiscal years of public companies ending on or after December 15, 2023, and they are recurring annual filings. This new regulation does permit the inclusion of consultants, vendors, partners, or service providers who support the execution of these processes for the company, provided they actively supplement your internal efforts. That suggests that when you pick a benchmark partner like cyberconIQ, whose patented and proven methods can help your organization manage its human factors risk profile to globally low benchmark levels when measured against peers, you may just want to highlight that in your filing.
But…do not be misled by the “if any” phrase contained therein. That is not an option for any modern company, because no company is too small to be attacked or ever free from cybersecurity risk. Since the probability of a cybersecurity attack can never be zero, every company will need to disclose strategies to proactively govern and manage its cybersecurity risk to avoid a breach. This includes technical and human sources of risk, both of which must be comprehensively addressed.
The Initial Scope – What’s Changed?
As is the case with most changes in mandatory disclosure required by the SEC, in the first year or two there is likely to be a wide variance in the substantive content of these new filings. Every industry has a different level of risk, a level of maturity that varies among peers, and even differences in how and why its companies are targeted for attacks in the first place. However, the public nature of these disclosures will give the SEC, analysts, and the media, including cybersecurity experts, an obvious opportunity to compare the scope and scale of cybersecurity governance and management processes and outcomes among peers. This creates both a significant risk and a significant opportunity for any one company to substantially impress, or not, with its annual filings. Expect significant scrutiny of these in the coming years. Arm yourself by developing, deeply and quickly, a thorough understanding of the maturity of your current processes and your targets for improvement, and start assembling the documentary proof of both to include not only in your first, but in all subsequent annual filings.
In another departure from the draft rules, which required detailed discussion of the company’s prevention, detection, continuity, and recovery plans, the narrower scope of the final rules focuses required discussion on a company’s processes for identifying, assessing, and managing material risks from cybersecurity threats. While still broad, we feel that is a more manageable initial scope. But, as already noted in our prior blog post, the lens to be used when preparing these filings is that of a “reasonable investor”. You must make the sufficiency, or defensible insufficiency, of these strategies relative to the level of risk you are incurring understandable to a non-technical audience, and that is not easy to accomplish. While discussions may include technical details, they must not rely on deeply technical terms, but rather offer plain language reasoning suitable for an investor. With our deep understanding of plain language policy creation and implementation, our focus on making cybersecurity training engaging, meaningful, and understandable to an all-employee audience, and our ability to make complex stochastic risk models easy to interpret for an average non-technical executive, cyberconIQ offers expert resources and support to improve your cybersecurity governance and its description in your filings.
In our client experience thus far, enhancing collaborative relationships between risk and compliance professionals and enterprise security teams must become an immediate priority. How can you get them on the same page and working together quickly to enhance, and then duly explain, the company’s efforts in terms that everyone can understand? Can you create and sustain a Security First Culture® that will hold up to external scrutiny and that is defensible through evidence of a measurable reduction in risk?
How Does This Impact the Board of Directors?
Finally, the filing must not just address the strategy itself (which is typically the role of senior management) but also the company’s engagement with the Board of Directors and the specific role the Board plays in setting and monitoring this risk to ensure it is within overall corporate risk tolerances. The SEC has clearly put forth the premise that cybersecurity compliance must now be a top governance priority.
Initially, the draft rules considered mandating that public company Boards have designated and disclosed “cybersecurity expertise” within their ranks; that requirement did not survive into the final rules. Also dropped were more intrusive requirements around disclosure of the frequency of board or committee discussions on cybersecurity. While these requirements were relinquished this time around, they give us insight into just how seriously the SEC is taking this regulatory shift, expressing its intent to hold companies more accountable for showing actions and results rather than simply effort. In light of that, our best advice is to proactively define and describe board oversight versus management control as part of this first annual filing. Adding this resident expertise to the Board permanently, or selectively making it available from external sources as needed, is an investment aligned with both the spirit and the eventual intent of these new regulations.
In Summary
So, as we wrap up, there is a lot to consider regarding your forthcoming 10-K annual filings on cybersecurity strategy and risk governance. Are you ready to shine? If you are not currently using our Risk Management Platform, your organization is not getting the benefits of our patented, proven protection, which will soon appear as benchmark low rates of human factors risk in other companies’ public filings. If you want to join them in making a difference in your human factors risk, your largest breach risk actually, we can help you achieve these same results and include them in your future regulatory filings. Interested in learning more? Reach out to sales@cyberconIQ.com or check out our online trial today.
Stay tuned for our next chapter – Managing Risk at Your Existing Perimeter & The New Tactical Edge Security.
Want more in-depth recommendations? Read our recent White Paper on this topic here.