TheCorporateCounsel.net

January 24, 2024

Taking a Fresh Look at Your Company Policies: Technology Matters

During the “Taking a Fresh Look at Company Policies” panel that I moderated at the Northwestern Securities Regulation Institute yesterday, we discussed how a focus on two key technology matters will require taking a fresh look at company policies.

We discussed how the SEC’s cybersecurity disclosure rules may require a number of adjustments to policies and procedures related to cybersecurity. Companies may need to establish or revisit a framework for assessing the materiality of cybersecurity incidents “without unreasonable delay” after discovery of such incidents in order to facilitate decisions about whether an incident must be disclosed under SEC rules. Companies also need to ensure that the disclosure process for material cybersecurity incidents is fully integrated with the company’s cybersecurity incident response policies and procedures, so there is a clear approach for escalating cybersecurity incidents to the appropriate personnel or the company’s disclosure committee for prompt disclosure decisions. Further, the company should ensure that robust disclosure controls and procedures are in place to identify and assess the actual or potential impact that cybersecurity incidents may have on the company.

A significant part of the response to the SEC’s new cybersecurity disclosure requirements involves revisiting disclosure controls and procedures to make sure that they address the current reporting of material cybersecurity incidents, including the nature, scope and timing of the incident and the impact or reasonably likely impact of the incident on the company, including on the company’s financial condition and results of operations, within the four business day deadline contemplated by new Item 1.05 of Form 8-K (a deadline that runs from the company’s determination that the incident is material, not from its discovery), as well as any information that was not determined or was unavailable at the time of the initial Form 8-K filing. Many companies had already adopted these types of disclosure controls and procedures in response to the SEC’s 2018 interpretive guidance, but now is a good time to review those controls and procedures in light of the specific requirements in Form 8-K.

In response to the SEC’s new requirements to disclose cybersecurity risk management, strategy and governance in a company’s annual report, companies should consider their overall approach to the management of cybersecurity risks and their efforts to document that approach in applicable policies, procedures, board committee charters and governance guidelines. Companies may want to consider adopting new policies and procedures (or revising existing ones) to specifically address the roles and responsibilities of management and the board in the management and oversight of cybersecurity risks. Boards also may wish to revise committee charters and/or corporate governance guidelines to clearly articulate the delegation of responsibility for the oversight of cybersecurity matters and to document the interaction between management and the board (or the relevant board committees) on cybersecurity threats and incidents.

We also addressed the impact of developments in generative artificial intelligence (AI) on company policies. As public companies embrace generative AI capabilities, we discussed how they must carefully weigh both the opportunities and the risks arising from these new technologies and settle on the overall governance approach that must be implemented to manage them. For more on the potential risks associated with generative AI, check out our July-August 2023 issue of The Corporate Executive.

– Dave Lynn