
Administrative/Regulatory,
Corporate,
Technology

Aug. 7, 2023

Directors beware: How the SEC cybersecurity regulations are reshaping and re-risking corporate governance

Historically companies have underestimated the magnitude of cybersecurity risks. It’s not just ‘another risk variable’; it’s an extinction-level event that can have profound implications for operations, reputation, and the bottom line.

John D’Agostino

John D'Agostino lectures in governance at Columbia and MIT Universities and serves as a Board Member to public and private companies.

Jennifer Deutsch

Director of Privacy Services, Law & Forensics, LLC.

Daniel B. Garrie

Neutral, JAMS


Corporate cybersecurity has become a non-negotiable priority, in part due to the recent rules promulgated by the Securities and Exchange Commission (SEC). These rules require timely and full disclosure of material cybersecurity incidents and periodic disclosure of a company’s cybersecurity risk management, strategy, and governance in annual reports. The rules represent a profound shift in how businesses are mandated to manage their cybersecurity risks and are a testament to the growing recognition of cybersecurity as a significant, if not the most significant, risk companies face.

Historically, companies have underestimated the magnitude of cybersecurity risks. It’s not just ‘another risk variable’; it’s an extinction-level event that can have profound implications for operations, reputation, and the bottom line. The SEC, recognizing the gravity of this risk, has taken steps to ensure that companies are not just aware of their cybersecurity risks but are taking, and disclosing, substantive steps to manage them.

The newly introduced Form 8-K Item 1.05 mandates that companies disclose any cybersecurity incident deemed to be material. New Regulation S-K Item 106 requires companies to provide detailed disclosures about their cybersecurity risk management, strategy, and governance. In particular, the SEC now requires companies to describe their processes for “assessing, identifying, and managing material risks from cybersecurity threats, as well as whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant.”

The SEC’s move to require such disclosures marks a significant shift from previous regulations, under which such disclosures were not explicitly required. Further, and arguably one of the most important takeaways of these new rules, is the requirement for companies to create a written record documenting their cybersecurity program. In our view, this serves as a testament to a company’s commitment to managing its cybersecurity risks and provides a basis for the SEC and private litigants to hold a company accountable should it fail to manage these risks properly.

However, satisfying this new rule is not a simple task. Item 106 also requires companies to “describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats.”

This rule goes beyond creating a mere document to submit to the SEC. It requires companies, and those in charge of governance, to understand (i.e., have the provable capacity to understand) that just having policies and controls in place is not sufficient to show that the board is exercising appropriate oversight of the cybersecurity program. While policies, controls, and governance are critical, the board must also be able to demonstrate that they have had an independent evaluation and that they are receiving information that shows they are appropriately tracking the cybersecurity program and its associated risks.

This effectively requires the board to have robust written documentation to demonstrate that they are complying with and fulfilling their duties as board members. They must show that they are actively managing cybersecurity risks as mandated by the SEC rules. As such, the mere existence of cybersecurity policies, controls, and governance absent tangible proof of their implementation is akin to fraud in that it is a materially false representation.

In conclusion, the new SEC rules signal a shift in corporate cybersecurity management. These rules, although challenging, offer an opportunity for companies to exhibit their commitment to managing these risks. With the right tools and services, such as those provided by Law & Forensics, businesses can not only comply with these new rules but also bolster their overall cybersecurity posture, thereby protecting their operations, reputation, and bottom line.

Disclaimer: The content is intended for general informational purposes only and should not be construed as legal advice. If you require legal or professional advice, please contact an attorney.
