Two separate announcements from the U.S. Securities and Exchange Commission and the U.S. State Department demonstrate that the government is taking a more active role in cybersecurity oversight and enforcement.
SEC Proposes new cybersecurity rules for public companies
The Securities and Exchange Commission has proposed amendments to its rules to enhance and standardize cybersecurity disclosures for public companies (via National Law Review).
This announcement follows proposed SEC rules for cybersecurity risk management aimed at investment advisers, investment companies and business development companies (funds), announced back in February.
“The proposed mandates are designed to...emphasize the increasing importance of cybersecurity as a dimension of corporate governance,” according to the National Law Review.
The aim is to provide “consistent, comparable, and decision-useful” information to investors, the SEC said in a statement. “[The amendments] are designed to better inform investors about material cybersecurity risks and incidents on a timely basis and…assessment, governance, and management of those risks,” the statement continued.
The proposed amendments would require, among other things:
Current reporting about material cybersecurity incidents and periodic reporting to provide updates about previously reported cybersecurity incidents.
Periodic reporting about a registrant’s policies and procedures to identify and manage cybersecurity risks; the registrant’s board of directors' oversight of cybersecurity risk; and management’s role and expertise in assessing and managing cybersecurity risk and implementing cybersecurity policies and procedures.
Annual reporting or certain proxy disclosure about the board of directors’ cybersecurity expertise, if any.
--SEC Proposes Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies, March 9, 2022
Reporting of cybersecurity incidents on Form 8-K would be required, due to a growing concern that material cybersecurity incidents are underreported and that existing reporting may not be sufficiently timely, the SEC said (PDF) in a 129-page document titled “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure.”
The agency would require disclosure of material cybersecurity incidents on Form 8-K within four business days after determining a material cybersecurity incident.
Another proposed item would require organizations to disclose policies and procedures to identify and manage cybersecurity risks and threats, including operational risk, intellectual property theft, fraud, extortion, harm to employees or customers, and violation of privacy laws.
State Department establishes of Bureau of Cyberspace and Digital Policy
The State Department is also expanding its role in the cybsersecurity space, launching the Bureau of Cyberspace and Digital Policy (CDP) on April 4, 2022.
The CDP bureau includes three policy units: International Cyberspace Security, International Information and Communications Policy, and Digital Freedom.
As part of Secretary Antony Blinken’s modernization agenda, the CDP bureau will “address the national security challenges, economic opportunities, and implications for U.S. values associated with cyberspace, digital technologies, and digital policy,” according to the the State Department announcement.
“The Bureau of Cyberspace and Digital Policy leads and coordinates the Department’s work on cyberspace and digital diplomacy to encourage responsible state behavior in cyberspace and advance policies that protect the integrity and security of the infrastructure of the Internet, serve U.S. interests, promote competitiveness, and uphold democratic values,” the State Department said.
Jennifer Bachus, a career member of the Senior Foreign Service, is serving as Principal Deputy Assistant Secretary for the CDP bureau.
The Trump administration had proposed a unified bureau to streamline the diplomatic structure back in 2018. Under that plan, the Office of the Cybersecurity Coordinator and the Bureau of Economic Affairs’ Office of International Communications and Information Policy would have been unified to form the proposed Bureau for Cyberspace and the Digital Economy.
This effectively reverses that proposal.
- Log4j Attacks Spike, CISA Says Vulnerability Is ‘One of Most Serious’ to Date
- CISA Advisory on Conti Ransomware Warns of Increased Attacks [Is Code Signing the Answer?]
- Encryption Is Critical in New Executive Order to Improve National Cybersecurity
- Encryption Backdoors and Federal Cybersecurity Posture