Below is an excerpt from ISS Corporate Solutions’ recently released article “SEC Cybersecurity Rules Set New Hurdles for Public Companies”. The full article is available in the ISS Corporate Solutions online library.
The SEC Mandates Disclosures for Risk Management, Governance and Cyber Incidents
The Securities and Exchange Commission (SEC) this week adopted new rules requiring public companies to annually disclose their cybersecurity risk management strategies and governance methods, and to promptly disclose material cybersecurity incidents.
The regulations were revised after the SEC received more than 150 formal comments during its review process. The most notable revisions were the addition of limited national security/public safety exceptions to the timing of disclosures for certain cyber incidents, and the dropping of the long-anticipated requirement that companies’ boards disclose the cyber-related expertise of board members.
It is important to note that these regulations are entirely about disclosure and do not necessarily require companies to make any specific changes to their cybersecurity risk management (or even to have a risk management program at all). That means it falls to investors and other stakeholders to decide whether a company is addressing these risks adequately.
This gives companies an opportunity to produce disclosures that don’t just provide the required information, but also demonstrate robust and improving management of cybersecurity risks. Companies will be incentivized to provide information that is perceived positively, and that, in turn, will drive improvements in their practices.
Douglas Clare, Managing Director, Cyber Strategy, ISS Corporate Solutions