Here in the United States, companies face a patchwork of legal obligations that address information security and data privacy. For example, federal laws target certain market segments (such as health care, financial services, and education), state laws target certain types of information (such as personal financial or biometric information), and both state and federal laws target unfair or unreasonable business practices. This patchwork—and the lack of comprehensive nationwide privacy and security standards—can make compliance challenging and frustrating. Security professionals and legal counsel must work hard to keep up.
The Security and Exchange Commission (SEC) will soon add to the patchwork. The SEC’s new rules promise to add significant compliance obligations for public companies, and non-public companies will also want to take note.
Timing: The SEC published draft rules in March 2022, reopened a comment period during the spring of 2023, and will likely issue final rules during the summer of 2023.
Who is affected: The SEC’s new rules would apply to public companies subject to the reporting requirements of the Securities and Exchange Act of 1934. However, any time a legislative body deems a cybersecurity or privacy practice mandatory for one market segment, companies in other segments should consider whether to voluntarily adopt something similar to maintain a reasonable information security program.
What the SEC is trying to accomplish: The SEC describes the proposed amendments as “designed to better inform investors about a registrant’s risk management, strategy, and governance and to provide timely notification of material cybersecurity incidents.” Regulators expect additional transparency and reporting will prompt companies to implement better security practices.
Reporting of incidents: Public companies would be required to disclose information about a material cybersecurity incident within four business days after it determines there was such an incident and to update disclosures over time.
Disclosure of policies, management’s role, and board activities: Public companies would be required to (1) describe cyber policies and procedures and state whether cybersecurity is part of business strategy, financial planning, and capital allocation; and (2) disclose information about board oversight of cybersecurity, and about the cyber expertise within management and on the board. Companies should take note of the level of detail within the requirements regarding “risk management and strategy” and “governance.”
In other SEC news: The SEC has also proposed new cybersecurity rules for broker-dealers, investment advisors, and asset managers, focusing on breach notification to affected individuals.
Final takeaways:
- This action by the SEC reflects increased recognition that cyber is one of the top risks to U.S. companies today.
- Public companies will face increased pressure to seat board members with cybersecurity experience.
- Compliance with these reporting requirements will require a great deal of work and the exercise of judgment.
- One would expect these new rules to lead to more SEC enforcement and more litigation on behalf of investors.
- Privately held companies face the same types of cyber risks as public companies and are well-advised to consider incorporating some of these rules voluntarily to lower business risk and increase resiliency. For example, there are good reasons to ensure appropriate cyber expertise in management and on the board. Management of a sophisticated privately held company will be hard-pressed to explain the lack of such expertise on the management team.
This article originally appeared on the CyberSecurity Summit Think Tank blog.