Illustration by Security Management; iStock

Boards' Cyber Scrutiny May Grow

Security Management has partnered with SHRM to bring you relevant articles on key workplace topics and strategies.

While boards of directors have long been interested in the C-suite’s cybersecurity strategy, given boards’ core oversight and fiduciary duties, a new rule issued by the U.S. Securities and Exchange Commission (SEC) in July 2023 is likely to heighten that interest and engagement even further—and raise expectations for how CEOs report to boards on their companies’ cybersecurity strategies and practices.

The SEC rule requires companies to disclose material cybersecurity incidents they experience within four business days of occurrence and also disclose on a yearly basis “material information” concerning their cybersecurity risk management, strategy and governance practices. The disclosures will be due beginning with annual reports for fiscal years ending on or after 15 December 2023.

Amy de La Lama, a partner with law firm Bryan Cave Leighton Paisner in Boulder, Colorado, and chair of its global data privacy and security practice, says the new SEC rule will cause boards to give even greater scrutiny to how CEOs and chief information security officers create prevention and incident response plans related to cybercrime.

“I think boards will be increasingly more interested and concerned about how organizations are preparing for cyberattacks, and CEOs should be prepared to start reporting and engaging boards in much greater detail on that,” de La Lama says.

Paul Furtado, a vice president analyst with Gartner, says the new regulatory requirements should give CEOs even more incentive to educate themselves on cybercrime issues and build cybersecurity preparedness programs that stand up to board and investor scrutiny.

“The SEC rule changes also create mandatory regulatory accountability at the board level,” Furtado says. “That elevates the cybersecurity question into the highest level in a company: the boardroom.”


Dave Zielinski is a freelance business journalist in Minneapolis, Minnesota.

© 2023 SHRM. This article is reprinted with permission from SHRM. All rights reserved.