Some aspects of the US Securities and Exchange Commission (SEC)’s stringent new cybersecurity rules, which officially took effect this week, may come as an unpleasant shock to many CEOs and their boards.
While the SEC is giving companies a 14-week grace period until December 18 this year, the new rules still represent a tight deadline for many companies to get their cybersecurity practices and reporting up to speed before the Christmas break. Companies will be obliged to disclose material cybersecurity incidents within four business days of determining that an incident is material, and to disclose material information about their cybersecurity risk management, strategy, and governance on an annual basis.
These disclosure rules effectively mean that it will no longer be possible for CEOs and board members to delegate responsibility entirely to the IT department, nor will it be possible for chief information officers (CIOs) to hide behind a wall of statistics and alphabet soup. The requirement for public companies to disclose cybersecurity governance information in their annual reports includes describing how the board oversees cybersecurity risk, which management positions or committees are responsible for assessing and managing that risk, and the relevant cybersecurity expertise of those individuals.
Boards must know as much about cybersecurity as they do about finance
In a newly published guide to the SEC rules, “Key Actions for Public Companies under the SEC’s New Cybersecurity Rules”, US law firm Venable LLP strongly recommends that companies provide detailed information on the exact processes by which management is informed of cybersecurity threats and how it monitors the prevention, detection, and mitigation of cybersecurity incidents.
With its stringent new cyber rulings, the SEC seems to be finally calling time on the knowledge gap that has long existed between company boards and their IT departments. Board members of listed US companies across all sectors will need to close this gap, which in many organizations has become a gulf, before December 18. Company CEOs and their boards will each be expected to be as informed about cybersecurity as they currently are about finance.
In the face of growing cybercrime and cyber-espionage, the SEC is taking corporate security very seriously and has already shown it is prepared to issue stiff penalties for cybersecurity failures. Last year, the SEC fined Morgan Stanley $35 million for the bank’s repeated failure to ensure the secure disposal of decommissioned hard drives and servers, which led to the exposure of personal data belonging to approximately 15 million customers.