The U.S. Securities and Exchange Commission (SEC) has proposed new cybersecurity regulations for companies that fall under its regulatory umbrella. This proposal has been in development for some time and is badly needed to address growing cybersecurity risk. In this article, we will outline the key components of the proposed rule and explain why it is important for all boards, not just those of public companies.

Overview of the proposed SEC Cybersecurity rule

The proposed SEC rule has four main components. First, it requires companies to have written cybersecurity policies and procedures that are designed to protect the confidentiality, integrity, and availability of their information systems (commonly referred to as the CIA triad). These policies and procedures should be tailored to the specific risks and vulnerabilities of the company and should be regularly reviewed and updated.

Second, the proposed rule requires companies to implement controls to ensure that their employees, contractors, and partners are trained and knowledgeable about cybersecurity risks and best practices. This includes regular training and awareness programs, as well as policies and procedures for reporting cybersecurity incidents and suspicious activity. It is these controls that are the focus of most certification programs, such as ISO 27001, SOC 2, CMMC, and PCI.

Third, the proposed rule requires companies to conduct regular risk assessments to identify and assess the likelihood and potential impact of cybersecurity threats and vulnerabilities. These risk assessments should be conducted by qualified personnel or third-party experts and should be reviewed and updated on a regular basis. In our opinion, all boards should consider external agencies for these assessments to mitigate conflicts of interest (for example, a CIO may be reluctant to report security leaks to the board when they are also in charge of building and managing the network that was supposed to be secure).

Finally, the proposed rule requires companies to maintain a comprehensive incident response plan that outlines the steps they will take in the event of a cybersecurity incident. This plan should be designed to minimize the impact of an incident, contain the damage, and restore normal operations as quickly as possible. This may sound like an operational matter to a board, but there is a component all boards should consider: public scrutiny. In the face of an incident, the public may get involved and board members may be asked for statements. It is important that the board know in advance who the spokesperson will be, and that person should be well trained in answering questions.

Corporate Boards need an outside point of view

Why the proposed SEC Cybersecurity rule is important

Many board members incorrectly minimize cybersecurity, classifying it as an operational issue. There are several reasons why the proposed SEC Cybersecurity rule addresses this head on. First, cybersecurity threats are an ever-present risk for companies of all sizes and industries. Cyberattacks can result in significant financial losses, reputational damage, and legal liability. Each of these risks falls squarely in the realm of board oversight. The proposed rule will force public companies to make cybersecurity disclosures, and that in turn will force boards to better understand and manage their cybersecurity risks.

Second, the proposed rule will help to create a more consistent and standardized approach to cybersecurity risk management across the companies regulated by the SEC. This will make it easier for investors, analysts, and other stakeholders to compare and evaluate the cybersecurity risk profiles of different companies. It will also make it easier for the SEC to monitor and enforce compliance with the rule.

Third, the proposed rule will require disclosure of cybersecurity expertise on the board. Akin to Sarbanes-Oxley requiring boards to have financial expertise, this may be a significant advancement in how boards view cybersecurity. It will help to promote a culture of cybersecurity within companies. By requiring companies to implement cybersecurity policies, training programs, risk assessments, and incident response plans, the proposed rule will encourage companies to take a proactive approach to cybersecurity risk management. This will help to ensure that cybersecurity is given the attention it deserves at all levels of the organization.

Finally, the proposed rule will help to enhance transparency and accountability around cybersecurity risk management. By requiring companies to disclose information about their cybersecurity risks and practices, investors and other stakeholders will have better visibility into the cybersecurity risk profiles of the companies they invest in or do business with. This will help to promote better decision-making and risk management across the entire ecosystem.

Presentation to the board

Why should private companies care about this?

Private and nonprofit companies are not regulated by the SEC, so why should this matter? Again, we look to the Sarbanes-Oxley Act for how this may play out. Twenty years ago, SOX changed the boardrooms of public companies by mandating financial expertise on the board. Today, boards of all kinds have financial expertise, private companies and nonprofits included. The simple truth is that private companies tend to align with industry best practices, which are often set by public companies. As public boards change, we will see a parallel change in private companies.

Conclusion

The proposed SEC Cybersecurity rule is an important step forward in improving the cybersecurity risk management practices of companies regulated by the SEC. It will help to reduce the likelihood and impact of cyber incidents, create a more consistent and standardized approach to cybersecurity risk management, and promote a culture of cybersecurity within companies. Additionally, the rule will establish best practices that will affect private and nonprofit boards as well. As such, it is essential that board-level professionals familiarize themselves with the proposed rule and take steps to ensure their organizations are compliant if and when the rule is finalized.


Paul Bergman runs a business strategy and cybersecurity consulting company in San Diego. He writes on cybersecurity and board management for both corporate and nonprofit boards.