New SEC cybersecurity rules: Five things every public company CISO should do now

Woman CISO smiling

By now you’ve heard about the new cybersecurity rules from the U.S. Securities and Exchange Commission (SEC) requiring public companies to report material cybersecurity incidents and disclose critical information related to cybersecurity risk management, expertise, and governance. Companies will be required to disclose risks in their annual reports beginning on December 15, 2023.

These groundbreaking developments thrust the CISO into a more visible role within the organization, responsible for ensuring the accurate, relevant, and timely reporting of the organization’s cybersecurity posture and governance.

While this is a great opportunity for CISOs to cement their critical role in the business, they may have real questions. Where do I start? What’s our strategy? What am I responsible for? What do investors want? Who should I meet with? What are some examples of good disclosure?

Here are five things every CISO should do now to get started.

1. Convene a meeting with senior business leaders to discuss your disclosure strategy

Now is the time to meet with senior representatives of your company to raise important questions and concerns that help formalize how your organization provides assurance to investors—and the steps your organization is taking to implement a strong cybersecurity program.

Here are a few important questions to ask the team:

  • What is the responsibility of the CISO in cybersecurity risk and incident disclosure? How should the CISO work collaboratively with other parts of the organization – General Counsel, CFO, Investor Relations, Corporate Secretary, etc.?
  • What do investors expect to understand about cybersecurity from our company? What are the “reasonable” investor’s expectations?
  • Where do we currently communicate cyber risk to investors and shareholders? Do we currently include cybersecurity information in our annual filings, ESG reports, or Sustainability reports? Is this information part of shareholder decks or annual earnings presentations?
  • What’s our broader communication strategy around critical, non-financial risks like cybersecurity? Do we have a broader message explaining our governance approach to risks? How does cyber fit in?
  • Should we consider a standalone cybersecurity report to investors and shareholders? For example, Equifax publishes an Annual Security Report that communicates specific initiatives about cybersecurity that is approved by the CEO and board. Does this model make sense for our organization in the future?
  • Who makes the final determination about an incident disclosure? Who is in the room to discuss? What is the role of the CISO in this discussion?

Be sure to include business leaders like the General Counsel, CFO, Investor Relations, Corporate Secretary, and others in this discussion. The CISO can help facilitate these conversations, setting the foundation for the formalization of processes and procedures that allow for a seamless transition into more rigorous cybersecurity reporting. However, the CISO may not be directly responsible for some of these determinations – for example, final determinations about incident materiality are typically made by others.

CISOs Guide to Cyber Risk Disclosure - SEC

This guide will help cybersecurity leaders understand the SEC regulation and get started on a journey to satisfying the requirements, meeting investor expectations, and creating a cybersecurity program that will stand the test of time.

2. Document your organization's approach to cyber risk assessment, identification, and management

The SEC requires organizations to “describe the company processes for assessment, identification, and management of material risks from cybersecurity threats.

CISOs should start to compile this information through document collection, discussions, and interviews with their own cybersecurity teams as well as senior leaders. Many organizations do not have this information at their fingertips, so consider creating a cross-company team to help you assemble the information.

A list of items relevant to investors may include:

  • The organization’s overall cybersecurity strategy, including approach to third party risk management
  • The organization’s use of frameworks to assess its risk (ex: NIST cybersecurity framework)
  • Overall management organizational structure (e.g. organizational chart, roles/responsibilities, reporting structures, qualification and background of key leaders and management)
  • Overall board of directors oversight (board committee charters, expertise of board members in cybersecurity issues, frequency of interaction with management, metrics used to evaluate effectiveness, use of third party advisor experts, etc.)
  • Key policy and technical controls used to manage risk from threats
  • Independent third party security evaluations, including security ratings
  • Measurements and metrics to determine effectiveness of the cybersecurity program, including industry benchmarks
  • Incident management procedures, including frequency of tabletop exercises and executive-level involvement
  • Cyber insurance coverage
  • Approach used by the organization to understand financial risk and estimate cyber risk and incident impact
  • A “Materiality Methodology” utilized by the organization to provide insight and assurance to investors about how the company arrives at its materiality determination in the cybersecurity context.

Once you’ve assembled all of this information, the organization can begin to understand its approach and discuss what to include in its public disclosures. CISOs should identify any shortcomings in your organization’s documentation or approach to any of these issues – you will probably be asked to address them at a future date.

3. Review cybersecurity disclosures to understand how other companies communicate to investors

Don’t just look at your own company’s prior risk disclosures for examples of what you should do. Study your peers’ approach to cybersecurity reporting to understand how they are communicating information about their cybersecurity programs to the marketplace. CISOs should seek to be authoritative experts on how their peers are communicating information about cyber risk and leverage this information to not only improve their own efforts, but advise company executives about best practices in risk communications.

For example, how do they communicate cyber risk to the marketplace? Is it solely through a 10K report, or do they also use other reports (ex: Sustainability, ESG reports) to communicate cyber risk? What types of data do they share? For example, do they include benchmarking data?

You may be surprised by what you learn – and you may decide to adopt something new for your own company!

4. Understand how investors evaluate your company’s cybersecurity posture

To best report on the company’s cyber risk, CISOs need to know how investors think about cyber risk and how it may affect their investment in the company. Investors are deeply concerned about cyber risks and are increasingly scrutinizing what public companies are doing to mitigate cyber risk.

Many investors are turning to quantitative, objective data sets to better understand a company’s cybersecurity posture. Here are a few examples:

  • Glass Lewis is a major proxy advisory firm that advises global institutional investors about how to understand and assess cyber risk. Glass Lewis now leverages externally observable cybersecurity analytics provided by Bitsight in their proxy reports, providing objective and trusted data to help investors make smart decisions about the companies that they invest in.
  • The Council of Institutional Investors (CII) — whose members represent $40 trillion in combined assets — published a white paper on cyber risks and investors that highlights the “Five Investor Questions for Portfolio Company Boards.” This whitepaper provides a critical understanding of the essential cybersecurity program elements that investors are looking to understand, including board oversight of cybersecurity, approval of cybersecurity strategy, and more. The CII encourages investors to evaluate cybersecurity metrics and benchmarking data to understand companies' cybersecurity posture.
  • Nomura describes their approach to cybersecurity and investments in a whitepaper titled, “Why Cybersecurity is the Biggest Hidden ESG Risk.” Nomura integrates automated measurements of cybersecurity hygiene data into a Credit ESG Scoring model as a “Governance” factor for corporate debt investment strategies as it reflects a company’s overall governance structure. According to Nomura, “Good cybersecurity hygiene indicates good corporate governance, and a more attractive corporate debt investment from the perspective of risk-reduction and high quality management.”

The trend is clear. Investors want more information about companies’ cybersecurity programs, and they are increasingly leveraging quantitative, objective data sets like Bitsight’s cybersecurity analytics to evaluate a company’s efforts. The CISO is responsible for understanding how their organization is being evaluated and ensuring that they are addressing those issues effectively.

5. Review your own benchmarks and identify areas of improvement

CISOs should not only have an objective understanding of their company’s cybersecurity posture but also how that posture relates to that of their peers. Investors know that performance norms vary across industries, sectors, and competitive groups; that’s why it is critical to clearly communicate how your company performs both absolutely and relative to industry benchmarks.

Benchmarking can help with communicating the efficacy of your cybersecurity program

Many companies find that publicly disclosing independent benchmarking data is a highly effective way of communicating cybersecurity performance to shareholders and the broader marketplace. This helps improve shareholder confidence and trust in their investment decisions. Some examples of disclosing benchmarking data include:

  • Equifax includes cybersecurity performance benchmarks in its Annual Security Report. Equifax focuses on its performance compared to peers in the Finance and Technology sectors. Equifax notes that its security capabilities “ranked in the top 1% of Technology companies and top 3% of Financial Services companies analyzed.”
  • Darling Ingredients leverages cybersecurity performance benchmarks in its Annual ESG Report, describing its cyber program as “being in the top 10% of the Energy/Resource Industry.”
  • Schneider Electric includes cybersecurity performance benchmarks in its Annual Sustainability Report, describing its program as being ranked “in the Top 25% in external ratings for Cybersecurity performance.” Other companies find that disclosing their individual security performance rating meets investor requirements. For example, DHL includes its own cybersecurity performance rating in their Annual Earnings Results presentation.

Shareholders and investors value meaningful data that helps them truly understand the risk of an organization. And organizations trust Bitsight’s data for independent benchmarking and disclosure because its analytics are strongly correlated to cybersecurity incidents. In a recent independent study by the Marsh McLennan Cyber Risk Analytics Center, a total of 14 Bitsight analytics—including the Bitsight Security Rating—were found to be strongly indicative of incident likelihood. Bitsight is still the only security ratings provider with multiple, independent third-party studies proving that its analytics have statistically significant correlation to critical outcomes, including cybersecurity incidents, data breaches, and company stock performance.