By Michael Brown, field CISO for financial services, Fortinet
The U.S. Securities and Exchange Commission’s (SEC) proposed new rules on cybersecurity transparency and accountability for all public financial services institutions could have a widespread impact on cybersecurity culture in general. By focusing on board-level cybersecurity oversight and reporting, the SEC aims to bring cybersecurity to the forefront of the financial sector’s investments, discussions and planning. Publicly disclosing executive management’s role in cybersecurity risk assessment and implementation will drive training and policy updates across public entities – starting with the most targeted industry, financial services.
Cybersecurity transparency at the board level
For all publicly traded companies, the SEC proposal would require total cybersecurity transparency and accountability from all corporate leadership, including the boards of directors. Businesses would be required to disclose severe cybersecurity incidents on their Form 8-K. Additionally, they would have to outline the company’s cybersecurity risk management policies and procedures, as well as how management contributes to their execution. Any board member’s cybersecurity experience would also be disclosed, along with details of the procedure the company’s board of directors uses to monitor cybersecurity risk.
This proposal could significantly contribute to the long-needed development of cybersecurity risk and strategy being discussed at the board level. Additionally, it could increase business investment on cybersecurity and fuel demand for board-level cybersecurity expertise. It also will highlight how crucial it is to involve CISOs in these board-level discussions and decisions.
More detail, faster response
On March 23, the SEC put forth new potential regulations to enhance and standardize the disclosures made by publicly traded companies that must adhere to the Securities Exchange Act of 1934 reporting requirements. Cybersecurity risk strategy, governance, management and incident reporting are all mentioned in these draft standards. The board of directors would be responsible for managing cybersecurity risk and reporting significant cybersecurity incidents, and the disclosure of cybersecurity policies and procedures would happen on a regular basis.
After the proposed SEC regulations take effect, financial institutions would have four business days to disclose any significant cybersecurity incidents they’ve discovered. As part of the disclosure procedure, changes will need to be made to the Form 8-K report, which corporations are required to file with the SEC in order to notify shareholders of major incidents. The new proposal also calls for the disclosure of previously unreported and isolated cybersecurity events that, when combined, have grave repercussions.
The proposal’s section on incident reporting pales in comparison to the new recommendations for risk management, strategy and governance disclosure. With this part of the proposal, the cybersecurity risk management policies and procedures of publicly held companies will be made transparent. Additionally, businesses would be required to report how the board of directors manages cybersecurity risk.
Companies will also have to be transparent about how executive management assesses cybersecurity risk and implements the company’s policies and procedures. This requirement is comparable to publishing the “report card” of an organization online for public scrutiny and feedback.
Under the new rules, companies would be required to report the procedures and policies they use to monitor and control the risk of cyberattacks. If there aren’t any, the SEC will take notice, and it might have serious repercussions – like fines and penalties for non-compliance. The inclusion of cybersecurity in financial planning, capital allocation and corporate strategy will also need to be disclosed.
As if that weren’t enough, under the new rules, any board members who have cybersecurity experience would be required to disclose it in the annual report and in some proxy statements. Both internal and external cybersecurity subject matter experts (SMEs) should be on the board. Specialist knowledge should be provided by external SMEs, while institutional knowledge should be provided by internal SMEs.
Leadership must take the lead
People are the largest source of weakness in an organization’s cybersecurity defenses. The only way to deal with this fact is to make your team an essential component of the solution rather than part of the problem. Typically, the board of directors sits at the top of the organizational hierarchy; it is here that the new regulations need to be implemented. This must include providing staff with up-to-date technology and regular training.
To be clear, day-to-day cybersecurity operations aren’t supposed to be on the board’s plate, but cybersecurity is one of the most significant fiduciary duties that directors and officers now have. The board must ensure adherence to cybersecurity policies and procedures. To improve decision-making, leaders must foster a culture of risk awareness throughout the organization.
Toward a safer financial future for all
The financial services industry is vital to modern society. It needs to be strengthened and safeguarded right away, not at some vague point in the future. Consequently, new proposals and laws are emerging. In order to make the digital world safer for both investors and consumers, financial services institutions should match their rules and practices with these evolving developments. While these proposals are still just that – proposals – they signify a sea change is coming.
About the author:
Michael Brown, field CISO for financial services at Fortinet, is a global security evangelist and advisor, helping financial services firms implement digital transformation while enhancing security and resilience. He specializes in cybersecurity regulations, ESG impact, SD-WAN, SD-Branch, Zero Trust, low-latency electronic trading security, SASE, and multi-cloud solutions.
Global Banking & Finance Review