A slew of recent cyberattacks and data breaches at Twitter and other large companies means the Security and Exchange Commission will soon adopt new rules on cybersecurity. First discussed in March of 2022, the new requirements are likely to include:
- Timely reporting of cybersecurity incidents
- Periodic updates on previously reported incidents
- Proxy disclosure on the cybersecurity expertise of board directors
Language in the new rules also specifies “periodic reporting about a registrant’s policies and procedures to identify and manage cybersecurity risks; the registrant’s board of directors’ oversight of cybersecurity risk; and management’s role and expertise in assessing and managing cybersecurity risk and implementing cybersecurity policies and procedures.”
At this time, boards of directors should consider the following questions as they ready themselves to comply with new SEC rules.
How do we currently detect cyberattacks? How do these systems compare to those of other companies? Are these systems up to date as recommended by cybersecurity industry leaders?
An honest assessment of current cybersecurity systems will both identify vulnerabilities and create a basis for comparison against newly released requirements. This information can be used to update and improve systems. It can also provide valuable information for reporting to shareholders and evidence in the event of a lawsuit.
Does the board possess enough cybersecurity expertise to both protect the company now and encourage necessary evolution in the future?
Expertise is necessary in order to accurately assess the company’s current cybersecurity risks. The board should consider whether to appoint an internal committee for the purpose of mitigating cybersecurity risks and communicating with management.
How will management address cybersecurity risks involved in interactions with third-party vendors and suppliers?
A network is only as secure as its weakest point on that network. Additionally, third-party vendors and suppliers are often overlooked. This can be a grave mistake; smaller companies might not have access to the same level of cybersecurity tools.
Management should seek a detailed risk assessment of working with third-party vendors and suppliers and consider whether certain standards should be set with regard to these companies. Communication of cybersecurity risks and procedures with all contacts should become a standard part of business operations.
For more on your cybersecurity risk and liabilities, contact our office. We can help you understand how to comply with all current and future regulations.