From a regulatory perspective, many industries have been living in the land of milk and honey, as cyber programs have largely been guided by voluntary measures. However, regulators’ patience has grown thin with the public-private partnership / voluntary measures approach and, as a result, cybersecurity regulation is on the way.
We know that change is coming on a national level, as the pending Biden cyber strategy is strongly considering regulation as a means to achieve more consistency in the national approach. But what about individual regulators? Well, some of them are certainly not sitting on their hands, most notably the Securities and Exchange Commission (and the New York Department of Financial Services).
Reporting and responsibility are the two biggest changes coming down the pike. Under SEC rules expected to be finalized within months, publicly traded companies that determine a cyber incident has become “material” (and could have a significant impact on the business) must disclose details to the SEC and investors within 4 business days. That requirement also stands when “a series of previously undisclosed, individually immaterial cybersecurity incidents has become material in the aggregate.”
The SEC’s rules will also require the boards of those companies to disclose significant information on their security governance, such as how and when it exercises oversight on cyber risks. That info includes identifying who on the board (or which subcommittee) is responsible for cybersecurity and their relevant expertise. Required disclosures will also include how often and by which processes board members are informed and discuss cyber risk.
James Dever Esq., Principal of Lockhaven Solutions, says that increasing the onus on boards will help ensure cyber programs are dealt with like other business risks. “Cybersecurity is a strategy, not a technical solution,” says Dever. “The change in approach driven by this regulation will finally help align risk with strategy, something that has been severely lacking in industries that attempt to deal with cyber risk simply by employing ever-more expensive technical solutions.” Dever added, “In addition, this will help improve accountability to shareholders, an issue sorely lacking in the cyber context.”
Beyond the increase to reporting and responsibility, what is the practical “so what” of these regulators getting more involved in the cyber space? These regulators can also impose enforcement actions and levy massive fines, which, in the financial crimes world, have amounted to hundreds of millions of dollars.
Safe to say things are changing, and businesses need to face these new requirements as soon as possible, as more regulators will likely be following the lead of the SEC and NYDFS in 2023.