The Demand for Cybersecurity Transparency (While Critical) Is Creating Regulatory Whiplash
Over the last two plus years since the pandemic first hit the US in January 2020, amidst a stunning surge in global and highly disruptive cyber-attacks by threat actors, (whether criminal gangs or nation-state actors), both public and private sectors have been calling for more intelligence, more transparency, access to effective solutions and more guidance from the Biden Administration. A 2021 op-ed in Security Magazine notes that “The government needs to be transparent about cyber threats early on so that U.S. businesses can get a head start in developing the solutions that combat these threats.” The op-ed further references the need to “hold businesses accountable by enforcing compliance”.
In this vein, the hammer of cyber breach reporting requirements and other US regulatory disclosure requirements by, for example, CISA or the US Securities and Exchange Commission (SEC), have loomed — but with no real teeth. The objective of such breach reporting and / or cyber-related disclosure requirements is to compel action on the part of the organizations who operate e.g. critical infrastructure or publicly trade, to start reporting information that will streamline data flow with relevant reporting guidelines, and help DHS agencies like CISA and the US Secret Service, and partner organization, the FBI, to combat cybercrime. Further, disclosure requirements would compel publicly traded companies to provide more transparency to the investment community regarding breaches and important cyber-risk mitigation strategies so that investors can make more informed investment decisions. The information gleaned through these processes would therefore, ostensibly, enable access to more actionable and real-time information for all interested stakeholders, whether cybersecurity governors over our nation’s critical infrastructure, or investors in our nation’s companies. Similarly, the idea goes, these agencies would then report out on inbound information received through compulsory reporting and disclosures to the benefit of organizations who may also be in the crosshairs or periphery of similar attacks, and investors would have a more level playing field by which to assess financial performance of sectors and sector players. A wonderful, symbiotic, information feast — if we can get there.
So far in March 2022, there have been two significant developments in this space:
Mandatory Breach Reporting Requirements
On March 1st , US the Senate passed proposed legislation entitled ‘Strengthening American Cybersecurity Act of 2022’. This bill was co-sponsored by Democratic Senator Gary Peters (D-Mich.) and Republican Sen. Rob Portman (R-Ohio). The proposed legislation encompasses three bills, the largest of which is focused on line-items for the Federal Information Security Modernization Act of 2022, but there are key requirements which call for mandatory reporting of ‘substantial’ cybersecurity incidents to the Cybersecurity & Infrastructure Security Agency (CISA) within 72 hours and reporting of ransom payments within 24 hours. This legislation impacts both public and private sector ‘covered entities’, which are those operating in a critical infrastructure sector. Both Senators Peters and Portman attempted to pass similar legislation via the 2022 National Defense Authorization Act (’22 NDAA), but the version of the NDAA that made it into law omitted ‘mandatory’ in favor of ‘voluntary’ reporting requirements. It is expected that the House will support similar language, as they were also supportive of the mandatory reporting language introduced in the same version of the ’22 NDAA originally championed by Peters and Portman.
SEC Proposed Cybersecurity Disclosure Rule
Just eight days later on March 9th, Gary Gensler, SEC Chairperson and his staff held an open, public meeting to vote on a proposed new rule entitled ‘33–11038 Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure’. The proposed rule-making for publicly traded companies passed into the comment period with one dissenter, Commissioner Hester M. Peirce, who took issue with what she called the Commission’s ‘micromanagement’ of “composition and functioning of both the boards of directors and management of public companies”. Additionally, Commissioner Peirce raised concern with the proposed requirement that companies disclose policies and procedures related to the identification and management of cyber-related risk. From her vantage point, this poses two key challenges in that “the proposed rules pressure companies to consider adapting their existing policies and procedures to conform to the Commission’s preferred approach” and “the proposal’s detailed disclosure obligations on these topics will have the undeniable effect of incentivizing companies to take specific actions to avoid appearing as if they do not take cybersecurity as seriously as other companies”.
The proposed rule includes the following amendments to 2011 interpretive guidance by the SEC’s Division of Corporation Finance regarding cybersecurity risk and incidents, namely:
The SEC proposes to (full text from an SEC Fact Sheet abbreviated) :
· amend Form 8-K to reflect disclosure about a material cybersecurity incident within four business days;
· add new Item 106(d) of Regulation S-K and Item 16J(d) of Form 20-F to require registrants to provide updated disclosure relating to previously disclosed cybersecurity incidents and when a series of previously undisclosed individually immaterial cybersecurity incidents have become material.
The proposed rule includes new language related to ‘Risk Management, Strategy, and Governance Disclosure’ as follows:
· for Regulation S-K and Item 16J of Form 20-F, require a registrant to describe its policies and procedures, if any, for the identification and management of risks from cybersecurity threats;
· require disclosure about the board’s oversight of cybersecurity risk and management’s role and expertise in assessing and managing cybersecurity risk and implementing the registrant’s cybersecurity policies, procedures and strategies disclosure regarding board member cybersecurity expertise.
Against the backdrop of these latest regulatory developments, global organizations are consumed with sustainability transformation and building resilience as issues such as climate change, diversity, equity and inclusion (DE&I) and effective board oversight lead the ESG (environmental, social, governance) agenda. While cybersecurity doesn’t immediately pop out in the ESG acronym, experts point to a clear home for cybersecurity in both the ‘S’ and the ‘G’, and Laura Deaner, Chief Information Security Officer at Northwestern Mutual makes a case for cybersecurity spanning ‘E’ as well, noting that “Cyber risk now spans across all ESG considerations; it is directly related to financial risk as well as business position. As we have seen in 2020, it may spike following environmental or natural disasters or pandemics.”
If we believe that cybersecurity is and should be a strategic component of ESG (and this writer does), then ESG disclosures will be yet another source of compliance requirements for companies. So who regulates ESG? Investopedia defines ESG criteria as “a set of standards for a company’s operations that socially conscious investors use to screen potential investments.” Enter once again, the SEC.
2022 seems to be the year that regulation and disclosure requirements will hit cybersecurity with urgency, and not least of all because of the cyber-risk posed by the current war raging in Ukraine. Michael Moran, Chief Markets Officer and Chief Risk and Sustainability Officer of Microshare notes that “The SEC, unlike EU regulators, has broad jurisdiction not only over markets and brokers (via its Financial Industry Regulatory Authority arm), but also over the conduct of corporations, which must file annual reports with the commission. Regulators’ new focus is on ESG data. Claims of “greenness” aside, there is widespread recognition among ESG proponents and critics alike that the metrics being used to make judgments about the sustainability credentials of a company or investment vehicle are wildly inconsistent. As a result, there is a new focus on bringing some standardization to the metrics that companies disclose annually to the ESG ratings industry, which is currently completely unregulated since the disclosures themselves (except within the EU) are voluntary.”
To borrow one more point from Mr. Moran, he goes on to note that “…the U.S. House of Representatives passed an ESG disclosure bill in June 2021, and Brussels had continued its regulatory crusade, with the European Commission now working with various reporting bodies to develop mandatory ESG reporting for roughly 49,000 large companies operating in the EU or listed on its stock exchanges. The standards for this reporting will be published this year and likely take effect in 2023. If this rulemaking trajectory continues, it will supercharge ESG ratings as an important window for the public into the behavior of giant corporations.”
In March, 2022, in the span of roughly one week, US corporations have been presented with potentially two new sources of regulatory reporting and disclosure requirements which are acutely focused on cybersecurity breach reporting, and the management, oversight and mitigation strategies related to cybersecurity. And over in the world of ESG, there will likely be yet another new slate of disclosures and requirements making their way into law in 2022 and beyond. Herein lies the whiplash — where do we look first and what will take priority? A case in point, the Senate bill refers to mandatory reporting of ‘significant’ breaches experienced by a covered entity (an entity operating critical infrastructure) within 72 hours, while the newly proposed SEC cybersecurity disclosure requirements reference that a ‘material’ breach be reported within 4 days. What does it mean to be significant vs material and are three days better or four? Those inconsistencies need to be defined and deconflicted — why should two US agencies with roughly the same goals in mind (information transparency) and mostly the same interests (protect our companies, consumers and our infrastructure), subject corporations to different (and currently, vague) criteria?
Separately, does the SEC even realize that they may have competing priorities between their newly proposed rule-making and future ESG-related disclosures? Who at the SEC decides whether the cybersecurity requirements are complete?
Perhaps we look at two authorities on the matter of corporate governance and sustainability to see if there is any clarity. The Sustainability Accounting Standards Board (SASB) is the premier standards organization on sustainability under the Value Reporting Foundation. SASB notes on their website that they have helped “identify the subset of ESG issues most relevant to financial performance in each of 77 industries” with relevant sub-industries for each master category.
In reviewing SASB’s ESG reporting standards for Financials / Commercial Banks, the reporting metrics for sustainability pertaining to cybersecurity are centered on one chapter entitled Data Security, with metrics and topics focused on areas such as “(1) number of data breaches, (2) percentage involving personally identifiable information (PII), (3) number of account holders affected” and “description of approach to identifying and addressing data security risks.” The section refers the reader to ISO and NIST Standards, NYDFS requirements and even suggests reviewing the SEC Commission Statement and Guidance on Public Company Cybersecurity Disclosures from 2018. A separate review of SASB’s standards for reporting and disclosure requirements under the sector Infrastructure / Gas Utilities & Distributors has no mention of cybersecurity whatsoever. A review of SASB’s standards for reporting and disclosure requirements for Technology & Communications / Semiconductors has no mention of cybersecurity — whatsoever. Those two sectors were of interest given two highly publicized attacks against Colonial Pipeline and chip-maker Nvidia who found themselves under attack during the first week of Russian’s invasion into Ukraine.
Institutional Shareholder Services, or ISS, is a leader in corporate governance advisory services firm for publicly traded companies and institutional investors. ISS has produced their ISS ESG Governance Quality Score, the purpose of which is to help institutional investors monitor portfolio company governance. ISS uses a “data-driven scoring and screening solution” compiled from information disclosed publicly across a range of factors and metrics to drive this Quality Score. In 2021, ISS published updates to its methodology to address insights into data security risk. They noted that the “Governance QualityScore methodology will be enhanced to provide users with deep insights into the governance of information security risk through the introduction of eleven new factors across two new subcategories, Information Security Risk Management and Information Security Risk Oversight, within the Audit category.”
Based on those changes in the methodology, ISS introduced new factors in February, 2021:
Based on conversations with colleagues in the industry, the ISS Governance Quality Score functions as a guideline today, and enables for smart conversations between investors and e.g. Chief Risk Officers or Heads of Investor Relations during earnings season and investor roadshows. The methodology and evaluation mechanisms by which each question is scored are extremely high-level, and one in particular, “Is the company externally audited or certified by top information security standards?” makes loose reference to the fact that “Governance QualityScore will evaluate whether companies have been audited to FedRamp or SOC 2 or whether companies have ISO 27001, FISMA, or HITRUST certification in the relevant industry.” No mention here of NIST, NYDFS, pointing to yet another inconsistency in how various standards boards and investment solutions agencies evaluate the content, quality and detail related to disclosures and more specifically, disclosures related to cybersecurity.
There is no shortage of opportunity here to provide greater standardization, clarity and consistency in how the various regulatory bodies will approach cybersecurity mandates and disclosures. While organizations like SASB and ISS have tried to provide both frameworks for disclosure and scoring — one serving listed companies and the other in support of institutional investors and listed corporations, when coupled with new proposed regulation from the SEC and the USG via CISA, the end result appears to be greater confusion. As we march into 2022 with greater scrutiny on how organizations, and in particular those operating critical infrastructure are managing cyber-risk, we need a better process and potentially a governor of sorts to look across the burgeoning regulatory and disclosure landscape to ensure we aren’t setting up structures that confuse, punish and tax companies’ compliance programs, rather that we achieve those original goals of information transparency and insights for better investment decision-making.
 Virani, Rizwan. “The fight against cyber threats requires a public-private partnership. Here’s how to get it done”. SecurityMagazine.com. March 8, 2021.
 Moran, Michael. “Can Global Regulators Save the ESG Movement From Itself?”. ForeignPolicy.com, January 10, 2022.
 Gatlan, Sergiu. “NVIDIA data breach exposed credentials of over 71,000 employees”. BleepingComputer.com. March 3, 2022.
 https://www.issgovernance.com/file/products/qualityscore-techdoc.pdf, Overview, pg. 4
 Id. pg. 9, Summary of Updates
 Id. pg. 10.