Jacob Mutisi

SEC should protect investors through Cyber Security and Data Protection Bill

Writes Engineer Jacob Kudzayi Mutisi
Zimbabwe has a relatively well-developed digital economy, with nine financial institutions listed on the Zimbabwe Stock Exchange (ZSE). With the Cyber Security and Data Protection Bill now enacted into law, it is the duty of the Securities and Exchange Commission of Zimbabwe (SEC) to protect investors and shareholders from cyber attacks and cyber crime.
In the USA, in March 2022, the Securities and Exchange Commission (SEC) proposed a set of rules and amendments intended to strengthen cybersecurity risk management and disclosure by public companies. Zimbabwe has no equivalent law requiring listed companies to report, disclose and publish cybersecurity incidents at their institutions.
Requiring disclosure of cybersecurity incidents improves visibility into an institution's cybersecurity risk management and governance, which better informs investors and potential investors.
In the USA, the March 2022 proposal covers cybersecurity incident disclosure and would amend Form 8-K to require listed companies to notify investors, shareholders and the US SEC of an unscheduled material event, such as a data breach, within four business days of determining that the incident is material. It is important to note that the "material determination" trigger leaves the door wide open to subjective interpretation of what is, and what is not, material for the purposes of disclosure.
A Form 8-K is a report of unscheduled material events or corporate changes at a company that could be of importance to investors, shareholders, or the Securities and Exchange Commission (SEC). Also known as 8K, the report notifies the public of events, including acquisitions, bankruptcy, the resignation of directors, or changes in the fiscal year.
The second part of the US proposal concerns a company's annual report on Form 10-K. US federal securities laws require publicly reporting companies to disclose information on an ongoing basis: domestic companies must file annual reports on Form 10-K, quarterly reports on Form 10-Q and current reports on Form 8-K for a number of specified events, and must comply with a variety of other disclosure requirements.
The annual report on Form 10-K provides a comprehensive overview of the company's business and financial condition and includes audited financial statements. Although similarly named, the annual report on Form 10-K is distinct from the annual report to shareholders, which a company must send to its shareholders when it holds an annual meeting to elect directors. Under the proposal, the Form 10-K would have to describe the company's cybersecurity risk management and strategy, its governance policies and procedures, and the roles and responsibilities of management and the board of directors in implementing and overseeing them; an amendment to Item 407 of Regulation S-K would additionally require disclosure of the cybersecurity expertise, if any, of the company's board members.
While the incident disclosure portion of the US SEC's proposed rules has attracted the most attention, the new reporting requirements on the board of directors' role in cyber risk strategy could make the biggest long-term impact. Many companies lack the knowledge, training and a clearly defined way to report their cybersecurity posture and resulting cyber risk to their own boards, and many boards do not treat cyber risk as part of business strategy. Under the US SEC's proposed annual reporting rules, cybersecurity becomes mission-critical for senior executives and boards of directors; opacity about cyber risk will no longer be acceptable.
As Zimbabwe grows more digital and more complex, so do the cybersecurity threats it faces: cyber intrusion, denial of service attacks, manipulation, misuse by insiders and other cyber misconduct. In Zimbabwe, aspects of cybersecurity are the responsibility of multiple government agencies, including the Zimbabwe SEC, and cybersecurity is also the responsibility of every market participant. The Zimbabwe Stock Exchange (ZSE) and the SEC should commit to working with international and local partners, market participants and others to monitor developments and respond effectively to cyber threats in Zimbabwe.
According to the "2021 Cyber Resilient Organization Study" by the Ponemon Institute and IBM Security, only 26% of the organizations surveyed have cybersecurity incident response plans that are applied consistently across the entire enterprise. The US breach notification mandate gives companies just four business days to disclose a material event. That is not a lot of time, especially when resources are likely to be focused on containing and remediating the breach.
It is crucial that Zimbabwe's SEC requires listed institutions to develop a working incident response plan in advance, with clear roles and responsibilities divided between cybersecurity teams, disclosure committees and legal teams, so that the SEC's requirements can be met without derailing remediation efforts. Tabletop exercises run at board level are an effective way to pressure-test a response plan and should be run at least once a year.
For the last couple of years it has been the sole responsibility of the chief information officer (CIO) or chief technology officer (CTO) to translate technology risk into business risk for the board, and that only if they were lucky enough to get a seat at the table. Once management and the board of directors are required to report on their own roles in assessing and managing cyber risk, they will be hungry for the data, metrics and visibility they need to align cybersecurity with business priorities.
Institutions need to close the communication gap between business unit leaders, CIOs, CTOs and boards of directors. A cybersecurity "lingua franca", or shared language, is built by defining and agreeing on reporting and measurement criteria that reflect and align with business objectives, internal policies and standards, and external regulatory requirements. Aligning these metrics lets everyone, from technical security practitioners to the board of directors, discuss cyber risk in the same context as the overall business objectives.
Public (and private) companies should have internal cyber security structures, and should take this as an opportunity to evaluate the effectiveness of their current cyber reporting practices and procedures and determine where they excel and where they fall short. It is time we got serious about addressing cyber risk: ICT professionals should be appointed to the boards of Zimbabwe's listed companies, and the right training structures should be put in place to educate, equip and empower Zimbabwean boards to protect themselves from cyber attacks and cyber intrusions, which carry serious legal implications for chairs and their boards.
For more detail please call +263772278161 or chair@zict.org.zw