An In-Depth Look at the SEC’s Risk Management, Strategy and Governance Disclosures

Brownstein Hyatt Farber Schreck

On Aug. 2, we distributed an alert about the U.S. Securities and Exchange Commission’s (SEC) July 26, 2023, adoption of the Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure Rule. Our focus in that alert was on the new “Material Cybersecurity Incident” standard to determine the required reporting on cybersecurity incidents. Also in that alert, we briefly mentioned that the rule will require all registrants to provide new annual disclosures, whether a smaller reporting company or not, beginning with annual reports for the fiscal year ending on or after Dec. 15, 2023. We now provide more information on that required reporting.

This new reporting rule was promulgated because the SEC contends “that investors need information on registrants’ cybersecurity risk management and strategy.” Whether investors are qualified to assess risk frameworks, management, strategy or cybersecurity governance is debatable. Investors are likely more at home analyzing investment risks such as annual recurring revenue (ARR), cash flows, costs, margins, debt and maintaining projections for revenue and earnings. Such cybersecurity terms as data loss prevention, vulnerability scans, honey pots, API keys, common vulnerabilities and exposures, security information and event management—to name a few—are probably not in their daily thoughts, but they are part of the cybersecurity professional’s vocabulary. Regardless, it is not debatable that privacy and cybersecurity have become distinguishing characteristics of company goodwill and branding. Although a company’s first reaction may be that such reporting is an overreach, a burden and gives too much information to the bad guys, it is also an opportunity to add to a company’s cybersecurity brand. Importantly, the SEC is not asking you to change how you manage your cybersecurity risk, only to report on it. The same cannot be said for other agencies like the Federal Trade Commission, but we leave that for another alert.

The SEC’s goal is “to inform investors, not to influence whether and how companies manage their cybersecurity risk.” To that end, the clock is ticking and companies should start the process of evaluating their cybersecurity program and start thinking about how they will report it on Item 106: “As adopted, … Regulation S-K, Item 106(b)(1) requires a description of ‘the registrant’s processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes.’”

Specifically:

(b) Risk management and strategy. (1) Describe the registrant’s processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes. In providing such disclosure, a registrant should address, as applicable, the following non-exclusive list of disclosure items:

  • Whether and how any such processes have been integrated into the registrant’s overall risk management system or processes;
  • Whether the registrant engages assessors, consultants, auditors, or other third parties in connection with any such processes; and
  • Whether the registrant has processes to oversee and identify such risks from cybersecurity threats associated with its use of any third-party service provider.

(2) Describe whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant, including its business strategy, results of operations, or financial condition and if so, how.

Although there are rumors that Congress may overturn the SEC’s Rule using the Congressional Review Act, to date, no congressperson has confirmed those rumors. Given that, it is prudent for registered companies to move forward with a compliance and reporting program.

Keeping in mind that the disclosed information will be publicly available not only to investors but also to hackers who would cherish a roadmap on how to attack your systems and data, there is a fine line to walk here. Cybersecurity counsel, in collaboration with your chief information security officer and securities counsel, can help in determining that line or in the event you need to choose a cybersecurity risk management framework.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Brownstein Hyatt Farber Schreck | Attorney Advertising
