June 2, 2022

SEC’s Cybersecurity Proposal: Issues for Boards

The SEC hasn’t acted on its recent cybersecurity rulemaking proposal, but it seems apparent that any rules the agency adopts will ratchet up the demands on companies to effectively manage cyber risks & promptly disclose material cybersecurity incidents.  Since that’s the case, this Woodruff Sawyer blog offers up some suggestions on what issues boards should be thinking about now in order to position their companies to comply with these new demands.

The SEC’s proposal to require 8-K disclosure of material cybersecurity incidents within four business days “after the registrant determines that it has experienced a material cybersecurity incident” creates a couple of issues that will require board attention. This excerpt explains:

– Companies may need to bolster the efficiency of their disclosure committees. The proposed four-day rule may be unworkable; boards and management nevertheless have to make every effort to comply. Now is the time for companies to review who is on these committees, as well as what resources they have to be able to comply with the SEC’s proposed timeline for disclosure. Although the rule is four days from a materiality determination, the SEC has made it clear that it will have no patience for companies attempting to slow-walk a materiality determination.

– Companies will want to review how they think about the financial impact of a cyber breach. The four-day rule allows very little time for companies to assess the impact of a cyber incident after it has happened. As a result, the onus will be on companies to attempt to calibrate these costs ahead of time, or at least consider a methodology for doing so.

Other areas that the blog identifies as meriting board consideration include the advisability of adding a cybersecurity expert to the board and reassessing the limits of the company’s cyber insurance policy.

John Jenkins