Back in November 2021, when releasing its Bridging the Gap: Integrating GRC and Cyber Risk report (available on the SAP Trust Centre portal), Chartis, a leading provider of research and analysis on the global market for risk technology, made a prediction that proved to be quite accurate: “Chartis believes that a new approach to cyber risk management is emerging – one that integrates GRC practices, procedures, and technology.” They based this on a finding shared by most of the GRC community, concluding that “the traditional siloed approach to cyber risks and procedures is now proving ineffective.”
This was not the first incursion of cybersecurity into the more traditional Enterprise Risk & Compliance area of Governance, Risk, and Compliance (GRC). Already in March 2020, the National Institute of Standards and Technology (NIST) released its publication on Integrating Cybersecurity and Enterprise Risk Management (ERM). Its stated intent was to help organizations better “identify, assess, and manage their cybersecurity risks in their broader mission and business objectives.” To that end, the report recommended that cybersecurity risks be rolled up to the wider Enterprise Risk Management program and included in the overall decision-making process, using a risk communication channel that is already in use in all organizations: the risk register.
Let’s also not forget that selected industries such as the Public Sector, Financial Services, or Utilities already had cyber-related mandates in place for quite some time and were required to report on relevant cyber risks and associated mitigating actions, especially if identified threats could prevent the delivery of services.
Recognizing the importance of cybersecurity as an emerging risk, especially because of the increased threat level of cyberattacks and their potential impact on businesses (and not just for the three industries mentioned above), and also estimating that cybersecurity incidents are under-reported and, when they are reported, not in a timely manner, the Securities and Exchange Commission (SEC) had already started raising awareness on this topic and setting expectations: first in 2011, with its guidance on disclosure obligations relating to cybersecurity risks and cyber incidents, and then in 2018 with its interpretive guidance to assist public companies in preparing disclosures about cybersecurity risks and incidents.
Fast forward to 2022, and these findings and recommendations are about to be included in a new regulatory framework. Indeed, in March 2022, the SEC released proposed amendments to its rules to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies. It also summarized them in a 2-page Fact Sheet. Under these proposed amendments, companies would be required to periodically provide information on their policies and procedures to identify and manage cybersecurity risks, but also on the Board’s and Management’s expertise in this area. In addition, companies would be required to report any new material cybersecurity incidents and provide updates on existing events.
As a result, integrating cybersecurity and Risk & Compliance soon won’t simply be about adopting best practices, but truly about being compliant.
What do these proposed changes really mean for listed organizations and what would be required in terms of governance process and disclosure?
There are 3 major areas of focus for this future legislation we think are worth highlighting:
Reporting of material cybersecurity incidents
The intent here is to require organizations to disclose information about all incidents within four days of the incident being deemed “material.” The suggested definition of the materiality threshold is that information is material if “there is a substantial likelihood that a reasonable shareholder would consider it important” in making an investment decision, or if it would have “significantly altered the ‘total mix’ of information made available.”
As a result, materiality is left to the judgment of the organization itself and has no simple quantitative figure associated with it. And, since the overall impact of an incident can increase over time, there is a provision for disclosure of incidents that may be immaterial on their own but material in aggregate.
For new incidents, disclosure would include information about the incident, when it was discovered, the currently identified scope of affected data, the consequences for the company’s operations or financial condition, whether it is still ongoing, and what has been done (or is being done) to mitigate it. Thankfully, there is a comment stating that technical details about the response are not expected. Not only would these be of little interest to many, but publishing them could hinder the efficiency of the response to the incident.
For existing events, the regulation would also require organizations to provide regular updates on previously disclosed cybersecurity incidents. Besides any new discovery, changes in policies and procedures resulting from the incident should also be communicated.
Our take on this requirement: Cyber incident disclosure is, of course, at the heart of the proposed rules, and the four-day timeline can be a challenge, especially when combined with the aggregation concept. Incidents might still be ongoing and their complete scope not yet known, yet organizations will already be required to provide a mitigation plan. The good news is that this plan can be adjusted as the incident unfolds, even if regular updates will need to be provided.
Companies will also need to strike a delicate balance: sometimes, they won’t be able to communicate transparently about an incident if it has ramifications and is part of a wider investigation by authorities. But stakeholders will hold companies accountable if there is no disclosure at all and it subsequently appears that the effects on the company are significant. As a result, the experts will need to decide what can be publicly shared without (1) jeopardizing an investigation and (2) exposing the organization even further to other attacks.
Disclosure on cybersecurity risk management policies and procedures
Here, the purpose is to provide greater transparency by describing the company’s cybersecurity risk management policies and procedures: for instance, information about the cyber risk assessment program and response strategies (including prevention, detection, and mitigation of threats), but also the efforts undertaken to monitor cyber risk within third parties.
In the age of digitalization, the SEC also recognizes the importance of data-driven business models and of the overall operating model of the organization. As a result, it will also require companies to provide information about the impact of cyber risks on their financial planning and future performance.
Our take on this: Here as well, it will be a trade-off. The company will need to disclose its policies and procedures, but it will need to ensure that this doesn’t increase its exposure to cyber criminals. By detailing what patterns it is tracking, what tools it is using, what technical controls are in place, and so on, the company might provide more information than needed. Much like in fraud detection and deterrence procedures, the organization will need to communicate while ensuring that it doesn’t enable cybercriminals to leverage this information to their advantage. This can be achieved by involving the second and third lines, for instance.
Disclosure on Board of Directors’ oversight role
The role of the Board of Directors is ultimately to protect the interests of stakeholders, and it therefore has multiple tasks incumbent upon it to achieve this. One of them, as per SEC Commissioner Luis A. Aguilar in his 2015 address to the Annual Boardroom Summit, is to “give proper attention to a company’s perceived risks to ensure sufficient preparedness.”
Perfectly in line with this guideline, the proposed amendments also address this facet with a specific provision on the company’s disclosure about the role of the Board in the oversight of cybersecurity risks, but also on the relevant expertise of its members in assessing these matters, for instance their experience, knowledge, or skills. Further details to disclose include how these risks are brought to the Board’s attention, whether there is a separate risk committee in charge of cyber topics, etc.
Our take on this: This is not something entirely new. Already when Audit & Risk Committees were set up, organizations were requested to detail the expertise of the members on these matters. This just takes it to a more granular level with a focus on one risk area. If your Board of Directors or Audit & Risk Committees don’t yet include members with an understanding of cyber, then you might want to add those competencies rapidly, not just to meet this requirement, but because this is a crucial part of business operations, regardless of industry or company size.
What steps could a company adopt to prepare for the upcoming regulatory updates and be ready on time?
While translating these proposed amendments into binding legislation could take a few months, this is definitely the direction history is taking, so getting prepared early might be the best course of action.
First, companies shouldn’t “wait and see” on this one. We believe that this is going to become real for organizations, so there is no real incentive to wait. Here are a few key first steps:
- Align the functions that will play a key role in demonstrating compliance with these proposed rules. Alignment with Finance (who will write the disclosure and are unlikely to be cyber experts) and with the second and third lines will be paramount.
- Assess how close you are to complying with these proposed rules. A gap analysis should work well. Even if your organization objects to some proposals (the four-day disclosure of a material incident, for example), it is still critical to determine how you would comply, if needed.
- Speaking of materiality, we strongly advise assessing it as well as you can, since it is absolutely critical. While you are at it, also try to aggregate prior incidents.
Second, begin discussing this with your external auditors. Ensure that this conversation is driven by you and by how you plan to comply. If you don’t drive it, they will, and through their best efforts they may impose things that are unnecessary if you already have a program in place that achieves the objectives.
Last, while you will probably provide updates throughout, once you have a solid program, or at least a plan, in place, carve out time with the Board to preview your approach, the existing gaps, etc. Given the stake the Board has in this as well, make sure you are closely aligned on this topic.
What else could companies expect in the future? Is this a sustained trend or an isolated regulatory update that only applies to US-listed companies?
Chartis, mentioned in the introduction, made a prediction that proved true, so allow us to make one of our own.
Looking at the history of previous US regulations relating to financial governance and, more specifically, the Sarbanes-Oxley Act of 2002, we see that it was subsequently adopted by many countries around the world, with adaptations to local specifics but mostly keeping the same focus on financial governance requirements. This led to the introduction of C-SOX in Canada, the Loi sur la Sécurité Financière in France, the King Report on Corporate Governance in South Africa, and J-SOX and K-SOX in Japan and Korea respectively, among many others.
As a result, we think it’s definitely not far-fetched to imagine that, should these proposed amendments be adopted for U.S. listed companies, more jurisdictions will follow suit with similar requirements shortly after, starting most likely with the effects of cyber incidents on Internal Control over Financial Reporting (ICFR) requirements. Indeed, access risk management is a key component of Section 404 of SOX, but it is also a key cyber risk. So why not get ready today?