What are SEC Cybersecurity Regulations for Public Companies?
Cyber-resilience is defined as the ability of an organization to continue to function, even in a degraded manner, after components of the organization have been disrupted by information system failures, whether those failures occur at random or are the consequences of a cyberattack [1]. The goal of a cyber-resilient organization is therefore to keep its critical functions running through a cyberattack with as little disruption as possible. With cyberattacks growing in frequency and in the severity of their potential consequences, boards should treat cybersecurity risk management and cyber-resiliency as core parts of their oversight responsibilities. For public companies that have not already adopted this protection-and-resiliency perspective, new SEC regulations will help move them along.
The U.S. Securities and Exchange Commission (SEC) has proposed amendments to its rules aimed at enhancing and standardizing the disclosures public companies make about cybersecurity risk management, strategy, governance, and incident reporting. Regarding governance, the SEC states [2]:
Disclosure regarding board oversight of a registrant’s cybersecurity risk and the inclusion or exclusion of management from the oversight of cybersecurity risks and the implementation of related policies, procedures, and strategies impacts an investor’s ability to understand how a registrant prepares for, prevents, or responds to cybersecurity incidents.
Accordingly, proposed Item 106(c) would require disclosure of a registrant’s cybersecurity governance, including the board’s oversight of cybersecurity risk and a description of management’s role in assessing and managing cybersecurity risks, the relevant expertise of such management, and its role in implementing the registrant’s cybersecurity policies, procedures, and strategies.
Specifically, as it pertains to the board’s oversight of cybersecurity risk, disclosure required by proposed Item 106(c)(1) would include a discussion, as applicable, of the following:
- Whether the entire board, specific board members or a board committee is responsible for the oversight of cybersecurity risks;
- The processes by which the board is informed about cybersecurity risks, and the frequency of its discussions on this topic; and
- Whether and how the board or board committee considers cybersecurity risks as part of its business strategy, risk management, and financial oversight.
To provide appropriate oversight, to inform investors about the organization's cybersecurity posture, and to comply with these SEC rules, board members will need to be prepared to address the many facets of cybersecurity activity, including:
- Resources and investments in cybersecurity risk management
- Cyber-resiliency planning
- Cybersecurity education and training for board members and executives
- Cybersecurity communication and language
[1] Choudhury et al., 2015, "Action Recommendation for Cyber Resilience"
[2] SEC, 2022, "Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure"