
From a regulatory perspective, many industries have lived in the land of milk and honey, as computer programs have largely been driven by voluntary measures. However, regulators' patience with the public-private partnership/voluntary measures approach has run out, and as a result, cybersecurity regulation is on the way.
We know change is coming nationally as Biden’s upcoming cyber strategy heavily considers regulation as a means to achieve greater consistency in national approach. But what about individual regulators? Well, some of them are certainly not sitting idly by, especially the Securities and Exchange Commission (and the New York Department of Financial Services).
Reporting and accountability are the two biggest changes coming. Under SEC rules expected to be finalized within months, publicly traded companies that determine that a cyber incident has become “material” (and could significantly impact the business) must disclose the details to the SEC and investors within 4 business days. That requirement also applies when “a series of previously unknown and individually intangible computer security incidents has become material in the aggregate.”
SEC rules will also require the boards of those companies to disclose significant information about their security governance, such as how and when they oversee cyber risks. Such information includes identification of who on the board (or which subcommittee) is responsible for cybersecurity and related responsibilities. The information requested will also include how often, and by what processes, board members are briefed on and discuss cyber risk.
James Dever Esq., Principal at Lockhaven Solutions, says the increased burden on boards will help ensure cyber programs are addressed like other business risks. “Cybersecurity is a strategy, not a technical solution,” says Dever. “The change in approach driven by this regulation will finally help align risk with strategy, something that has been sorely lacking in industries attempting to address cyber risk simply by employing increasingly costly technical solutions.” Dever added, “Moreover, this will help improve accountability to shareholders, a problem sorely lacking in the IT environment.”
Beyond increased reporting and accountability, what is the practical “so what” of these regulators getting more involved in the cyber space? These regulators can also bring enforcement actions and levy massive fines, which, in the world of financial crime, run into the hundreds of millions of dollars.
It is safe to say that things are changing, and companies need to address these new requirements as soon as possible, as more regulators will likely follow the lead of the SEC and NYDFS in 2023.