Implement cyber security reporting requirements

Opinion

THE Securities and Exchange Commission of Zimbabwe (SecZim) should implement cybersecurity reporting requirements that are in line with the Cyber Security and Data Protection Bill. Zimbabwe has a relatively well-developed digital economy, with nine financial institutions listed on the Zimbabwe Stock Exchange (ZSE). With the Cyber Security and Data Protection Bill now passed into law as an Act, it is the duty of SecZim to protect investors and shareholders from possible cyberattacks and cybercrime. In March 2022, the United States Securities and Exchange Commission (SEC) proposed a set of rules and amendments intended to bolster the financial sector's defence against cyberattacks.

Zimbabwe does not have laws that require listed companies to report, disclose and publish cybersecurity incidents at their institutions. The aim of such disclosure is to improve visibility into an institution's risk management and governance policies, so that investors and potential investors are better informed.

In the US, the March 2022 proposal covers cybersecurity incident disclosure and would amend Form 8-K to require listed companies to notify investors, shareholders and the US SEC when an unscheduled material event, such as a data breach, takes place, within four days of the determination that the event is material.

It is important to note that "material determination", as stated, leaves the door wide open to subjective interpretation of what is, and what is not, material for the purpose of disclosure. A Form 8-K is a report of unscheduled material events or corporate changes at a company that could be of importance to investors, shareholders or the SEC.

Also known as the 8K, the report notifies the public of events including acquisitions, bankruptcy, the resignation of directors, or changes in the fiscal year.

The second part of the US proposal concerns disclosures on a company's Form 10-K. US federal securities laws require publicly reporting companies to disclose information on an ongoing basis. For example, domestic companies must submit annual reports on Form 10-K, quarterly reports on Form 10-Q, and current reports on Form 8-K for a number of specified events, and must comply with a variety of other disclosure requirements. The annual report on Form 10-K provides a comprehensive overview of the company's business and financial condition and includes audited financial statements.

Although similarly named, the annual report on Form 10-K is distinct from the annual report to investors and shareholders, which a company must send to its shareholders when it holds an annual meeting to elect directors. The proposal would require companies to include on Form 10-K their cybersecurity risk management and strategy, their governance policies and procedures, and the roles and responsibilities of management and the board of directors in implementing and overseeing them, together with an amendment to Item 407 of Regulation S-K requiring disclosure of the cybersecurity expertise, if any, of the company's board members.

While the incident disclosure portion of the US SEC's proposed rules has caught the most attention, the new reporting requirements on the board of directors' role in cyber risk strategy are what could make the biggest impact in the long term. Many companies lack the knowledge, training and a clearly defined way to report their cybersecurity posture, and the cyber risk that follows from it, to their own boards.

And many boards do not see cyber risk as part of the business strategy. Under the US SEC's new annual reporting rules, cybersecurity is now mission-critical for senior executives and boards of directors. The opacity of cyber risk will no longer be acceptable. As Zimbabwe grows more digital and complex, so too do the cybersecurity threats it faces: cyber intrusion, denial of service attacks, manipulation, misuse by insiders and other cyber misconduct.

In Zimbabwe, aspects of cybersecurity are the responsibility of multiple government agencies, including SecZim. Cybersecurity is also the responsibility of every market participant. The Zimbabwe Stock Exchange (ZSE) and SecZim should be committed to working with international and local partners, market participants and others to monitor developments and respond effectively to cyber threats in Zimbabwe.

According to the "2021 Cyber Resilient Organisation Study" by the Ponemon Institute and IBM Security, only 26% of US organisations have cybersecurity incident response plans that are applied consistently across the entire enterprise. The cyber breach notification mandate gives companies just four business days to disclose a material event. That is not a lot of time, especially considering that resources are likely to be focused on containing and remediating the breach. It is crucial that Zimbabwe's SEC develops a working incident response plan in advance, so that there are clear lines of roles and responsibilities between cybersecurity teams, disclosure committees and legal teams, ensuring that Zimbabwe SEC requirements are met without derailing remediation efforts. Tabletop exercises run at the board level are an effective way to pressure-test a response plan and should be run at least once a year.

For the last couple of years, it was the sole responsibility of the chief information officer (CIO) or chief technology officer (CTO) to translate technology risk into business risk for the board; that is, if they were lucky enough to get a seat at the table.

Now that management and the board of directors are required to report on their roles in assessing and managing cyber risks, they will hunger more for the data, metrics and visibility they need to align cybersecurity with business priorities. Institutions need to close the communications gap between business unit leaders, CIOs, CTOs and boards of directors. A cybersecurity "lingua franca", or shared language, is created by defining and agreeing on reporting and measurement criteria that reflect and align with business objectives, internal policies and standards, and external regulatory requirements.

Public (and private) companies should have internal cybersecurity structures, and should take this as an opportunity to evaluate the effectiveness of their current cyber reporting practices and procedures and determine where they excel and where they fall short. It is about time that we get serious about addressing cyber risk: ICT professionals should be appointed to the boards of Zimbabwe's listed companies, and the correct training structures put in place to educate, equip and empower Zimbabwean boards to protect themselves from cyberattacks and cyber intrusions, which carry serious legal implications for the chairs and their boards.

• Mutisi is the CEO of Hansole Investments (Pvt) Ltd and the current chairperson of Zimbabwe Information & Communication Technology, a division of the Zimbabwe Institution of Engineers.
