Skip to content
Menu
menu

Illustration by Security Management; iStock

Boards' Cyber Scrutiny May Grow

By Dave Zielinski
18 December 2023

Focus on Cyber Incident Response

Security Management has partnered with SHRM to bring you relevant articles on key workplace topics and strategies.

While boards of directors have long been interested in the C-suite’s cybersecurity strategy, given boards’ core oversight and fiduciary duties, a new rule issued by the U.S. Securities and Exchange Commission (SEC) in July 2023 is likely to heighten that interest and engagement even further—and raise expectations for how CEOs report to boards on their companies’ cybersecurity strategies and practices.

The SEC rule requires companies to disclose material cybersecurity incidents they experience within four business days of occurrence and also disclose on a yearly basis “material information” concerning their cybersecurity risk management, strategy and governance practices. The disclosures will be due beginning with annual reports for fiscal years ending on or after 15 December 2023.

Amy de La Lama, a partner with law firm Bryan Cave Leighton Paisner in Boulder, Colorado, and chair of its global data privacy and security practice, says the new SEC rule will cause boards to give even greater scrutiny to how CEOs and chief information security officers create prevention and instant response plans related to cybercrime.

“I think boards will be increasingly more interested and concerned about how organizations are preparing for cyberattacks, and CEOs should be prepared to start reporting and engaging boards in much greater detail on that,” de La Lama says.

Paul Furtado, a vice president analyst with Gartner, says the new regulatory requirements should give CEOs even more incentive to educate themselves on cybercrime issues and build cybersecurity preparedness programs that stand up to board and investor scrutiny.

“The SEC rule changes also create mandatory regulatory accountability at the board level,” Furtado says. “That elevates the cybersecurity question into the highest level in a company: the boardroom.”

 

Dave Zielinski is a freelance business journalist in Minneapolis, Minnesota.

© 2023 SHRM. This article is reprinted from SHRM.org with permission from SHRM. All rights reserved.

Focus on Cyber Incident Response

For Cyber Incident Response, Bad News Needs to Travel Faster

How to Prepare for Heightened Board Involvement in Cybersecurity

Vulnerabilities Aren’t New, but the Speed of Incidents Is

Breaking Silos Leads to Better Security

Cybersecurity is a Serious Skill Gap for CEOs

How Proactive Incident Response Planning Reduces Breach Costs

Boards' Cyber Scrutiny May Grow

Fast Facts: How Much Do Data Breaches Cost?

Best of Security Management

Security Vulnerability Allows Intruders to Unlock Hotel Rooms Using Forged Keycards

4 Steps to Mitigate Crime Risks at Houses of Worship

Creativity in Motion: 7 Armored Vehicles that Show the Range of Reinforcement

Getting Visitor Management Right in Access Control

In the Wake of Mass Layoffs, Insider Threats Multiply

Alarming Trends in Cannabis Crime—There’s a Standard for That
arrow_upward