Cybersecurity Regulation Overview

In addition to the evolving cyber threat landscape, boards are also facing a more complex regulatory environment. The U.S. Securities and Exchange Commission (SEC) has adopted new cybersecurity rules that will take effect on December 15, 2023. These rules primarily target publicly listed companies, but they also apply to some private companies and should be on the radar of all organizations.

Key Provisions of the New Rules:

  • Mandatory cyber-incident reporting: Publicly listed companies must disclose material cybersecurity incidents within four business days in Form 8-K filings. This applies to both domestic registrants and foreign private issuers.
  • Disclosure of cybersecurity risk management and governance information: Companies must disclose details about their board’s oversight of cybersecurity risks in their annual Form 10-K and Form 20-F filings.
  • Board proficiency in cybersecurity: While not explicitly mandated, companies are expected to provide information on board members’ cybersecurity expertise.

The Impact on Private Companies:

While the rules specifically target public companies, private companies should also be aware of them. This is because:

  • Public companies rely on many third-party vendors, and a cyberattack on any of these vendors could have a material impact.
  • The SEC has shown a willingness to enforce cybersecurity regulations beyond public companies, as seen in recent cases involving Covington & Burling and Monolith Resources.
  • Understanding the SEC’s expectations can help private companies develop their own robust cybersecurity programs.

Compliance Reminders:

Cybersecurity is a complex and ever-evolving challenge requiring a comprehensive approach. Here are some key steps companies can take:

  • Involve senior stakeholders (CISO, CIO, CFO, GC / Auditor) in cybersecurity policy creation.
  • Regularly train and test employees on cybersecurity awareness.
  • Invest in cyber-resilience and response preparedness.
  • Assume cyberattacks are inevitable and plan accordingly.
  • Extend cybersecurity policies and practices to all third-party vendors.
  • Conduct regular board risk assessments and update policy reviews.

How Boards of Directors Should Prepare

In terms of immediate actions, directors should start with board-wide cyber education to level the playing field and bring everyone up to a basic cyber literacy level. Consider engaging external experts to share comprehensive briefings and orientation sessions with the board.

Additionally, it may be helpful to assign a specific committee to own cybersecurity oversight. Ensure at least one of the members is “cyber credentialled” and has relevant knowledge and experience.

Given that the new rules also require public companies to disclose information about the board’s expertise in cybersecurity, directors may want to take external cybersecurity readiness courses and earn certification credentials.

There is an opportunity to update directors’ biographies in the proxy and other public disclosure documents. Highlight any existing cybersecurity experience of board members (this could include previous roles within cybersecurity companies, relevant technical backgrounds, or participation in industry-specific initiatives).

Maintaining Focus on Growth

As the December 15th deadline rapidly approaches, organizations must prioritize their cybersecurity posture and ensure compliance with the SEC’s new regulations. By implementing proactive measures, fostering a culture of cybersecurity awareness, and adhering to best practices, companies can minimize risks and begin building resilience.

However, it’s important not to let compliance become the sole focus of the board.

While cyber risks and regulatory burdens are important, they shouldn’t overshadow the board’s primary responsibility. Driving the company’s health and growth is the most important board role. Boards need to ensure that they are dedicating sufficient time and resources to strategic planning, risk management, and performance oversight.

Embracing a Holistic Approach

The new SEC cybersecurity regulations necessitate a proactive approach from boards. By understanding the regulations, preparing for compliance, and balancing cyber risks with growth initiatives, directors can ensure their companies thrive in this evolving digital landscape. Embracing a holistic approach will not only safeguard the organization from cyber threats but also propel its success in the long run.