Respondents highlight the need to appoint and develop more board-level cybersecurity expertise, while some are concerned that disclosure regulations intended to improve investor transparency could unintentionally help criminals.
By Joe Fay
U.S. Securities and Exchange Commission (SEC) proposals to strengthen cybersecurity reporting requirements for publicly traded firms have not resonated with (ISC)² members in a survey: over half were unaware of the proposals, and a fifth suggested that the enhanced disclosure intended for investors could inadvertently benefit threat actors.
In 2022, the SEC proposed new cybersecurity rules for publicly traded companies, with standards for disclosures about cybersecurity risk management, strategy, and governance. It also proposed new disclosure requirements for “material cybersecurity incidents” and for board directors’ “cybersecurity expertise, if any.”
However, an (ISC)² Pulse Survey conducted shortly after the SEC announced in March 2023 that it had reopened the comment period showed that just over half of respondents overall were unaware of the proposals for publicly traded companies. Among the fifth of respondents who worked for U.S. publicly traded companies, 60% were aware of them. The overwhelming majority of those who gave their views on the proposed four-business-day reporting requirement for material incidents were supportive, although some suggested the period was too short for an adequate investigation. As proposed, that clock starts when a company determines an incident is material, not when the incident is first discovered, so the concern partly reflects how the materiality determination is expected to work. This response suggests that greater understanding of how the process works in practice is needed, and it highlights the educational benefit of closer communication between cybersecurity and financial compliance teams.
Respondents overall were generally receptive to the idea that publicly traded companies should disclose their cybersecurity policies and procedures. However, roughly one in five expressed concern that such information would be of most use to potential attackers. The proposals call for describing risk-management processes and governance rather than specific controls or alerting thresholds, so how much operational detail a filing reveals would depend largely on how a company chooses to write it.
“Knowing the policies and procedures, attacks can be more easily crafted to bypass the known defenses,” one respondent suggested. “It tells an attacker how far they can probe a system before the alarm bells ring that an intruder is present.”
Responsibilities Are Not The Issue
While spelling out directors’ responsibilities was generally seen as a good thing, some questioned how much impact it would have in today’s business environment. Others asked whether there were enough board members, or board candidates, with adequate cyber knowledge and awareness. It was also suggested that serving on boards could expose genuine experts to a new degree of personal liability. Alongside their comments, 82% of respondents believe companies should seek out board-level cybersecurity expertise, and 68% would be willing to take on such a role. Among workers in publicly traded companies, 87% agreed with the proposals.
As for what would make someone a suitable candidate, opinions varied widely, with almost 30% suggesting a CISSP certification would be a good start. Overall, 60% of respondents thought some or all of the SEC’s published proposals on cybersecurity risk management, strategy, governance, and incident disclosure were necessary, a figure that rose slightly to 61% among workers in publicly traded companies.
This was despite the potential to increase the burden on cybersecurity professionals in public firms. Just under half (48%) of practitioners in public entities believed the proposals would add to their daily workload, 28% said they would not, and a similar share was unsure.
Dealing with Incident Disclosure
Curiously, those not working in public companies see the SEC proposals as even more likely to increase resource requirements, with 69% of these respondents saying the rules would increase workloads overall. Because public-company compliance requirements often trickle down into the private sector as best practices, this may indicate that cyber professionals anticipate a future impact within their own organizations.
Almost two-thirds of respondents worked for companies that already had incident disclosure obligations. Three-quarters of respondents overall thought that investors were entitled to the information the SEC is proposing.
While there is still debate over the proposed regulations, they are broadly seen as beneficial, and the SEC is widely expected to finalize them in the coming weeks. The agency has also proposed a separate set of cybersecurity requirements for “market entities” such as broker-dealers, clearing agencies, and national securities exchanges, among others. That coincided with the reopened comment period for similar proposals covering registered investment advisers and funds.