In addition to the evolving cyber threat landscape, boards are also facing a more complex regulatory environment. The U.S. Securities and Exchange Commission (SEC) has adopted new cybersecurity rules that will take effect on December 15, 2023. These rules primarily target publicly listed companies, but they also apply to some private companies and should be on the radar of all organizations.
Key Provisions of the New Rules:
The Impact on Private Companies:
While the rules specifically target public companies, private companies should also be aware of them. This is because:
Cybersecurity is a complex and ever-evolving challenge requiring a comprehensive approach. Here are some key steps companies can take:
How Board of Directors Should Prepare
In terms of immediate actions, directors should start with board-wide cyber education to level the playing field and bring everyone up to a basic cyber literacy level. Consider engaging external experts to share comprehensive briefings and orientation sessions with the board.
Additionally, it may be helpful to assign a specific committee to own cybersecurity oversight. Ensure at least one of the members is “cyber credentialled” and has relevant knowledge and experience.
Given that the new rules also require public companies to disclose information about the board’s expertise in cybersecurity, directors may want to take external cybersecurity readiness courses and earn certification credentials.
There is also an opportunity to update directors’ biographies in the proxy and other public disclosure documents. Highlight any existing cybersecurity experience of board members (this could include previous roles within cybersecurity companies, relevant technical backgrounds, or participation in industry-specific initiatives).
Maintaining Focus on Growth
As the December 15th deadline rapidly approaches, organizations must prioritize their cybersecurity posture and ensure compliance with the SEC’s new regulations. By implementing proactive measures, fostering a culture of cybersecurity awareness, and adhering to best practices, companies can minimize risks and begin building resilience.
However, it’s important not to let compliance become the sole focus of the board.
While cyber risks and regulatory burdens are important, they shouldn’t overshadow the board’s primary responsibility. Driving the company’s health and growth is the most important board role. Boards need to ensure that they are dedicating sufficient time and resources to strategic planning, risk management, and performance oversight.
Embracing a Holistic Approach
The new SEC cybersecurity regulations necessitate a proactive approach from boards. By understanding the regulations, preparing for compliance, and balancing cyber risks with growth initiatives, directors can ensure their companies thrive in this evolving digital landscape. Embracing a holistic approach will not only safeguard the organization from cyber threats but also propel its success in the long run.