According to the Cybersecurity & Infrastructure Security Agency, cybersecurity is the process whereby information and communications systems, and the information contained in those systems, are protected from and/or defended against damage, unauthorized use or modification, or exploitation. As noted by the U.S. Securities and Exchange Commission (“SEC”) in 2018, in a world more and more interconnected digitally, cybersecurity presents ongoing risks to companies operating in all industries, including public companies regulated by the SEC.
Federal securities laws are designed to provoke disclosure of information about risks and events that a reasonable investor would consider important to an investment decision. Cybersecurity presents an ever-growing area of risk to all types of business, and therefore must be considered with regard to public disclosures.
As we noted in the Porter Hedges Anti-Corruption & Compliance blog post in May, the SEC is seeking to require additional disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies. The proposed new rules will require current reporting about material cybersecurity incidents on a Form 8-K within four days after the determination that the incident is material and will require periodic disclosures about the company’s:
- policies and procedures to manage cybersecurity risks;
- management’s role in implementing cybersecurity policies and procedures;
- the cybersecurity expertise of the board of directors, if any, and its oversight of cybersecurity risk; and
- updates to previously reported material cybersecurity incidents.
These new rules are intended provide investors with more and timely disclosures about material cybersecurity incidents and previously-undisclosed immaterial incidents that become material in the aggregate. Given the short, four-day disclosure requirement, companies must be prepared for the rapid investigation of incidents and ensure an effective and efficient reporting procedure to timely comply with the rules.
But in addition to this increased incident reporting, these new rules will require regular disclosure about a company’s risk management, strategy, and governance in the realm of cybersecurity overall. What should your company consider in light of the governance aspect of these new rules?
First, public companies should review their risk management policies and procedures to ensure that fulsome cybersecurity risk management is included and up to date given the rapidly evolving nature of the risk. Second, companies must also consider the role of the board of directors. The Board, or a Board committee, should have formal oversight of cybersecurity management. And third, companies must consider the appropriateness, given the individual nature of business and level of exposure, of adding cybersecurity expertise to the Board.
Heather Hatfield represents clients in corporate investigations, white-collar crime investigations and defense involving the Foreign Corrupt Practices Act (FCPA), complex contract disputes, oil and gas litigation ...
Blake Runions assists clients with broad range of business disputes and investigatory matters, including partnership disputes, internal investigations, and commercial litigation.
Prior to joining the Firm, Blake worked in the ...
Jamie Godsey represents public and private corporations, partnerships, and small companies on a broad range of complex business and commercial litigation. Her experience includes a wide variety of matters such as contractual ...
- Update on Russian-Related Sanctions and Export Controls
- Best Practices to Prevent Internal Fraud and Embezzlement
- Cybersecurity Best Practices: Disclosure Requirements for Risk Management, Strategy, and Governance
- Cybersecurity Risk Management Practices for Small and Midsize Businesses
- Overview of New Cybersecurity Disclosure Rules for Public Companies
- Increased Focus on Cybersecurity Warrants Review of Policies and Procedures
- DOJ Issues Expedited FCPA Opinion Procedure
- Companies Must Review Compliance Policies Following New Sanctions of Russian Financial Institutions and Individuals
- Anti-Corruption Enforcement: 2021 Year-In-Review
- Credit Suisse Settlement Carries Broader Lessons about Reputational Risk
- November 2022
- September 2022
- August 2022
- July 2022
- June 2022
- May 2022
- April 2022
- March 2022
- February 2022
- November 2021
- October 2021
- September 2021
- August 2021
- July 2021
- June 2021
- May 2021
- April 2021
- March 2021
- February 2021
- January 2021
- November 2020
- October 2020
- September 2020
- August 2020
- July 2020
- June 2020
- May 2020
- April 2020
- March 2020
- February 2020
- January 2020
- November 2019
- October 2019
- September 2019
- August 2019
- July 2019
- June 2019
- May 2019
- April 2019
- March 2019
- February 2019
- January 2019