The SEC’s long-awaited cybersecurity rules for publicly traded companies have had, as expected, a huge impact in the United States. But the effect won’t stop at U.S. borders, and as FTI Consulting’s Jordan Rae Kelly and Adriana Villasenor explain, foreign companies listed on American stock exchanges should take note.
As a result of new cybersecurity rules adopted by the SEC, any public company doing business in the United States will need to assess its cybersecurity stance to make sure it is in compliance. Depending on their cyber maturity, some may already be headed in that direction and simply need to refine their adherence to the previous 2018 rules.
Others may need to make significant adjustments or changes to their cybersecurity strategy. The new rules could have a profound impact on risk management programs through material incident reporting and board oversight and accountability requirements.
For companies headquartered abroad but operating in the United States, especially those with a less mature cyber stance in their home countries, the amendments could be a real game-changer for two reasons: 1) they present an opportunity for the company to strengthen its cybersecurity infrastructure at home by aligning with U.S. standards, commonly seen as the highest in the world; and 2) this could be a market differentiator for the organization.
This is where the new rules have international reach. Companies that otherwise are not required to prioritize cybersecurity, often due to a lack of existing regulation where they are headquartered, now face the demand of complying with the SEC’s rules.
The same concept applies to U.S.-based companies with international operations in less cyber mature markets. These companies will also be required to disclose incidents with the potential for a material impact, even if the incident occurs outside of the U.S.
In both instances, the location where the incident took place is irrelevant if the company is listed in the U.S. It might be cliché, but it is nevertheless true in this situation — companies are only as strong as their weakest link. This means global companies will need to develop comprehensive cybersecurity programs that have oversight across the entire enterprise and are not siloed by country.
While this may sound like a tall task, companies that proactively decide to bolster their cybersecurity infrastructure will be better prepared to comply with the SEC rules and will also stand out among their peers, especially in regions where cybersecurity is not prioritized. By demonstrating compliance and an active desire to protect customer and organization information, companies can be viewed more favorably by stakeholders, investors and customers, adding market value.
The intent of the rules
The new rules are significant, and they require companies to concentrate efforts in three primary areas:
Increased transparency for investors
Organizations must report material cybersecurity incidents and data breaches within four days. They will also need to provide information and updates regarding previously disclosed incidents on a quarterly basis.
Enterprise risk management gains importance
Organizations must adopt controls to mitigate cyber risk. The required key controls include security risk assessments, access controls, continuous monitoring, detection and response, vulnerability management and vendor risk management.
Boards that are fit for the future
Organizations are required to disclose summary descriptions of their cyber risk and how much oversight the board and management have on cybersecurity risk. This includes descriptions of policies and procedures for the identification and management of cyber risks.
Regulators, governments and investors are looking closely at an organization’s cybersecurity governance and, in some cases, demanding oversight at the board level. In today’s digitized business environment, the existential threat of an incident means cybersecurity must be proactively managed, factored into all decisions and treated like any other business risk.
Get ready now
Integrating cybersecurity into corporate governance is the key to compliance and provides greater flexibility as new rules come down the pike. The starting place for integration for any organization lies in these critical areas:
Training and communication
Organizations will need to update how they prepare and process disclosure forms to include the relevant information related to cybersecurity governance, risk management and data breaches. Is the board up to speed on current cybersecurity threats and emerging trends? Is it working in concert with other stakeholders on priorities, security initiatives and investments? Those operating in markets without robust cybersecurity regulation often do not properly manage cybersecurity risks because they are unaware they exist, until they experience a cyber attack directly. Do boards have knowledge regarding how cybersecurity programs at their subsidiaries are performing?
Cybersecurity program assessment
An organization must have a thorough understanding of its cybersecurity stance — across all company locations — prior to implementing or changing processes. Are security policies current? How are they managed, implemented and enforced? Penetration testing can go a long way: Knowing where your critical assets are at risk and where your attackers might come from — whether inside or outside the organization — is key to strengthening your infrastructure.
No matter where an organization is headquartered, the SEC rules will have a major impact on all publicly traded companies in the United States. Seizing the moment now to factor cybersecurity into corporate governance will better position companies to walk in the SEC’s light.
Kyung Kim contributed to this report.