New SEC Cybersecurity Rules and What It Means for Board Oversight
The SEC adopted new rules surrounding cybersecurity risk management, strategy, governance, and incident disclosure. As a CISO, this no doubt impacts how your company discloses material cybersecurity incidents through a Form 8-K item and annually cybersecurity risk management and governance through the company’sForm 10-K. The final rule requires the 8-K to be filed within four business days after the company determines that it has experienced a material cybersecurity incident.
The new rules also add Regulation S-K Item 106, which according to the SEC “will require registrants to describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, as well as the material effects or reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents. Item 106 will also require registrants to describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats (all in the 10-K).
Cybersecurity Incident Disclosure: The Executive Angle
The new rules require swift disclosure of material cybersecurity incidents. With executives being prime targets for cyberattacks, this is another signal that personal cybersecurity is an important component to any holistic cybersecurity solution. An attack on an executive’s or board member’s personal accounts could lead to a material incident that would now have to be reported within four business days.
Information is considered “material” by the SEC “if there is a substantial likelihood that it would be considered important by a reasonable investor in deciding whether to purchase or sell stock or other securities.”
The Harvard Law School Forum on Corporate Government posted a memorandum on the rule, specifically highlighting Item 106 will require companies to disclose the role of the board and management in cybersecurity governance. Companies are required to describe the board of directors’ oversight of risks from cybersecurity threats. Additionally, companies are required to describe management’s role in assessing and managing a company’s material risks from cybersecurity threats.
While the rules require annual insights into cybersecurity strategies, they don’t stop at the corporate level. The connection between personal and professional digital lives has never been more intertwined. BlackCloak understands that the assessment and management of risks must extend to the personal sphere of your executives, where threats can silently dwell.
The Time to Act Is Now
The rules go into effect 30 days after publication, with various deadlines for different disclosure types. From a board perspective, now is the time to revisit the company’s cybersecurity and resiliency approach against the overall business strategy, risk management, and cybersecurity resource allocation. This provides a critical window to reassess how you are safeguarding your board members’ and executives’ personal digital lives. The board and your executives’ understanding of and awareness of cyber risks is critical to organizational success and compliance. Three things to consider:
- It is important to have a clear and comprehensive process for what must be reported in concert with your General Counsel, outside counsel, and other partners.
- It is important to have a clear understanding of what is “material” and what is not.
- It is important for board members AND executives to understand their responsibilities for providing advice and guidance, and what their role is in assessing risk.
BlackCloak: Your Partner in Digital Executive Protection
BlackCloak understands the unique vulnerabilities board members and executives face. Personal cyber threats can indeed create corporate cybersecurity incidents, and these new rules underline the necessity of a robust defense.
We specialize in providing concierge cybersecurity solutions tailored to protect both the executive’s personal life and the organization they lead. Let’s work together to mitigate the risks and adhere to these groundbreaking SEC rules.
Please don’t hesitate to reach out to discuss how we can support elements of your cybersecurity plan to navigate this new regulatory landscape. Contact us today to learn more about how we can offer more secure futures and clear strategies.