Topics: Corporate Governance,Cybersecurity,Technology
June 7, 2022
Gone are the days when cybersecurity was just an information technology (IT) problem. Cyber risk is central to business risk, making it a board-level issue. For the first time, a proposed rule set from the US Securities and Exchange Commission (SEC) will require virtually all commission registrants to provide a series of cybersecurity disclosures within mandated annual and quarterly reporting. This decision is a nod to the importance of cybersecurity standards and what investors need to know to make an informed decision.
There have been several cybersecurity-centered proposals for registered investment advisors and funds of late, including the Cybersecurity Disclosure Act of 2017, the Strengthening of America Cybersecurity Act in March 2022, and the Better Cybercrime Metrics Act that just passed last month. This proposed rule drives standardization around reporting and what constitutes an incident or a breach as essential to safeguarding business against attackers.
Specifically, the SEC’s proposed rules will:
Note the importance the rule set places on board directors. By mandating cybersecurity information disclosure via the 10-K, there’s a big focus on oversight and “management’s role and expertise in assessing and managing cybersecurity risk and implementing the registrant’s cybersecurity policies, procedures, and strategies.”
The SEC is finally driving standards to help establish the critical role of corporate governance in security across all sectors. With the proposal focusing on themes of cyber risk, governance structure, and metrics and analytics to fuel oversight, here are some questions you should be asking now to ensure readiness for the forthcoming rule:
Will the rule set come to pass? Yes, in this writer’s humble opinion. I recommend we treat the proposed rule as a coming mandatory regulation and start preparing now. Cybersecurity should be looked at as an enabler of any company’s growth and digital transformation strategy, with cyber resilience critical to a company’s future success. While the details of the final rule may vary slightly, the principles of risk management, governance, resilience, and attention to third-party risk are and will remain best practice areas for cybersecurity programs.
In addition, penalties for violations will likely be steep. Recent SEC examples of penalties for smaller-scale control failures are numerous and total well over $1 million in fines. Additionally, as the proposed rules are tied to annual investor reports, failure to adhere to them will also impact an organization’s brand and reputation and can skew investment and credit ratings.
The bottom line is that cybersecurity must encompass an entire organization from the boardroom to the mailroom to be effective against the increasingly sophisticated threats we’re seeing today and will continue to see in the future. The SEC’s proposed rules are an important step in securing corporate registrants’ success.
James Turgal is the vice president of cyber risk, strategy, and board relations at Optiv. For more information on this topic, watch Optiv’s on-demand webinar on SEC rule readiness.