You are using an outdated browser. Please upgrade your browser to improve your experience.

Our views 15 December 2023

SEC new cyber security expectations

5 min read

Cyber security has emerged as a key risk facing all organisations as data breaches and cyber-attacks become more common. Successful attacks pose a serious threat to an organisation’s ability to operate, their reputation and financial performance.

Investors should encourage organisations to implement modern and robust cyber security controls to reduce the risk of a cyberattack being successful and the associated impacts.

The Securities and Exchange Commission (SEC) has issued a new ruling that reflects this requirement by mandating listed companies to report annually their processes for monitoring and managing cyber threats. The rules will also require disclosure of cyber security risks and breaches in their public filings within four days of identifying a ‘material’ cyber security incident. While the SEC does not provide yet a definition of materiality, an attempt to put this ruling to the test occurred in November 2023, when a ransomware gang attacked MeridianLink, a software provider for the financial services industry. The hacker claimed that the company had violated the new SEC rules and reported this to the regulator. However, the hacker was mistaken, as the rules would not take effect until mid-December 2023 (1). Despite this, the event proves the importance of transparency, especially for responsible investors.

Royal London Asset Management cyber security engagement programme

In 2022, we supported a proposal (2) by the US SEC to require public companies to disclose material cyber security incidents and risks, as well as their policies and procedures for managing them.

This year, we have worked collaboratively with several of our clients and other asset owners to review and update our investor expectations on cyber security. We did this with the help of Royal London Group’s cyber defence team, to ensure they reflect the latest best practices and standards. We restructured our expectations into four pillars: governance, supply chain, culture, and collaboration. Our governance pillar, in particular, is aligned with the new SEC requirement, which requires companies to report on their cyber security governance, oversight, processes, and timely disclosures of cyber security incidents.

We welcome the SEC ruling as a positive step towards greater transparency and accountability in cyber security. We believe the rule enhances the regulatory risk that companies without adequate cyber security risk management may face censure and fines from regulators or incur large costs by disorderly management of the risks.

We continue to encourage companies to implement strong cyber security measures to safeguard their data and assets as we continue our cyber engagement programme. We believe that transparency and collaboration are key to addressing this systemic risk and creating long-term value for our clients and beneficiaries.

Our investor expectations on managing cyber risks

Pillar Investor Expectations
Governance
  • Risk identification and oversight at board level
  • A nominated Chief Information Security Officer (CISO), or equivalent, with supporting resources
  • Timely disclosure of cyber security breaches
  • Inclusion of information security and cyber resilience in executive compensation KPIs (Advanced)
  • Evaluation of cyber security in board effectiveness review (Advanced)
Supply Chain/M&A
  • Effective due diligence and monitoring of supply chain cyber security, in addition to including cyber covenants in supplier contracts
  • Inclusion of cyber considerations in inorganic growth strategies including in the due diligence and integration phases
Processes, Culture, and Training
  • Disclosures about a cyber resilient culture, to include innovative and tailored training across the workforce
  • Vulnerability management and penetration testing, such as the use of ethical hacking
  • Relevant cyber certification maintained, or independent audit report held (Advanced)
Collaboration
  • Collaboration with peers and government bodies to raise cyber security standards and manage systemic risk

 

(1) Is radical transparency the best weapon in companies’ cyber war?

(2) Railpen and cyber security coalition submit response to US cyber security proposal

 

This is a financial promotion and is not investment advice. Past performance is not a guide to future performance. The value of investments and any income from them may go down as well as up and is not guaranteed. Investors may not get back the amount invested. Portfolio characteristics and holdings are subject to change without notice. The views expressed are those of the author at the date of publication unless otherwise indicated, which are subject to change, and is not investment advice.