Are you ready for the SEC’s proposed cybersecurity disclosure requirements?

Nick Stone, Head of Audit at Kainos, looks at new rules proposed by the SEC and outlines what this means for how Workday customers prepare, manage and react to cybersecurity threats.
Date posted: 28 June 2022

The U.S. Securities and Exchange Commission (SEC) has proposed new rules to enhance the reporting of cybersecurity incidents by public companies. The proposed Item 106(b) of Regulation S-K would require registrants to provide more consistent and informative disclosures about their cybersecurity risk management strategy. The proposal follows the SEC's finding that existing disclosures of companies' cybersecurity risk management policies and procedures were inconsistent and often incomplete.

In this article, Nick Stone, Head of Audit at Kainos, considers the changes to cybersecurity reporting and outlines what this means for Workday customers.


What do the proposed changes mean?  

The proposed rules require more detailed reporting of material cybersecurity incidents, as well as periodic disclosures about a company's policies and procedures for identifying and managing cybersecurity risks. They also seek a clearer picture of management's role in implementing those policies and procedures.

The SEC considered this change necessary because current disclosures appeared to underreport the cybersecurity risks and incidents companies faced. The current reporting regime also failed to make clear who was responsible for managing an incident in the event of a breach, and what level of expertise, if any, the board had in understanding and responding to such incidents.

When referencing a cybersecurity incident, what do we mean?

The SEC defines a cybersecurity incident as, “an unauthorized occurrence on or conducted through a registrant’s information systems that jeopardises the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.”

Such a threat to the confidentiality, integrity or availability of an organisation's systems and data can significantly affect its business strategy, financial results and related disclosures. For example, for companies that collect and store personally identifiable information (PII), a cybersecurity incident can lead to reputational damage and regulatory fines. While monetary fines affect a company's finances in the short term, reputational damage can have longer-term consequences. Investors will therefore also seek assurance about an organisation's risk management strategy, to understand what it does to reduce the likelihood and impact of a cybersecurity incident.


How Workday supports the proposed SEC cybersecurity disclosure requirements

The proposed disclosure rules place a strong emphasis on IT controls, including security and monitoring. For Workday customers, this means risk management teams must operate under a mature risk management strategy that covers Workday-specific risks, including the critical data Workday holds on employees, customers and suppliers and the data that feeds financial disclosures.

Workday is built to be audit ready, but using its capabilities to monitor sensitive data, business transactions and account activity requires planning and pragmatic use of automation.

At Kainos, we know risk management and we know Workday. Our Smart Audit solution automates the identification and ongoing monitoring of critical IT risks within Workday.

To learn more about how Kainos is helping organisations automate internal controls in the Workday ecosystem, discover our Smart Audit solution.