The SEC’s new rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure require public companies to describe their cybersecurity programs, and how they manage cyber risk, in their periodic reports.
The rules were designed to give investors the cybersecurity risk information they need to make informed investment decisions about a company, and to encourage companies to continually improve their oversight and management of cyber risk. With the adoption of these requirements, public companies need to review their existing security programs and assess their SEC compliance. Depending on their reporting schedule, some organizations may need to comply before the end of the year. The two main areas are disclosure of material cybersecurity incidents (on Form 8-K, within four business days of determining that an incident is material) and annual reporting on cybersecurity risk management, strategy, and governance (in the Form 10-K).
As more information surfaces on these regulations, companies will need to review their current security posture and establish policies and procedures to maintain compliance. The transition is a challenging one, as it requires a holistic view of cyber risks across the organization: the harm those risks could cause, not just to the company but to the public, and how significant each risk’s impact could be. In essence, businesses need to exercise their duty of care to establish reasonable security.
Best practice would be to apply the Duty of Care Risk Analysis (DoCRA) standard to determine a company’s acceptable level of risk. The Reasonable Risk GRC SaaS Platform incorporates the essential data, project management capabilities, and executive reporting needed for compliance.
Here are a few articles from the SEC on the update. More references and analysis from HALOCK will be published in the coming weeks.