According to the Cybersecurity & Infrastructure Security Agency, cybersecurity is the process by which information and communication systems, and the information contained in those systems, are protected and/or defended against damage, unauthorized use or modification, or exploitation. As the United States Securities and Exchange Commission (“SEC”) noted in 2018, in an increasingly digitally interconnected world, cybersecurity presents ongoing risks to businesses operating in all industries, including public companies regulated by the SEC.
Federal securities laws are designed to cause disclosure of information about risks and events that a reasonable investor would consider material to an investment decision. Cybersecurity presents an ever-increasing area of risk for all types of businesses and should therefore be considered in public disclosures.
As we noted in the Porter Hedges Anti-Corruption & Compliance blog post in May, the SEC is seeking to require additional information regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies. The proposed new rules will require current reports of cybersecurity incidents on a Form 8-K within four days after determining that the incident is significant, and will require periodic information on:
- cybersecurity risk management policies and procedures;
- the role of management in implementing cybersecurity policies and procedures;
- the board’s cybersecurity expertise, if any, and its oversight of cybersecurity risk; and
- updates to significant cybersecurity incidents previously reported.
These new rules are intended to provide investors with more timely information about material cybersecurity incidents, and about previously undisclosed incidents that become material in the aggregate. Given the short four-day disclosure requirement, companies must be prepared for rapid investigation of incidents and ensure an effective and efficient reporting process to comply with the rules in a timely manner.
But in addition to this increase in incident reporting, these new rules will require regular disclosure of a company’s risk management, strategy and governance in the area of cybersecurity in general. What should your company consider given the governance aspect of these new rules?
First, public companies should review their risk management policies and procedures to ensure comprehensive cybersecurity risk management is included and up-to-date given the rapidly changing nature of the risk. Second, companies must also consider the role of the board of directors. The board, or a committee of the board, should have formal oversight of cybersecurity management. And third, companies need to consider the appropriateness, given the individual nature of the business and level of exposure, of adding cybersecurity expertise to the board.