Cyber Risk Management Chronicles, Episode VII – Cyber Fundamentals: Ready or Not, Here it Comes! | Chicago Popular

From a regulatory perspective, many industries have lived in the land of milk and honey, as cybersecurity programs have largely been driven by voluntary measures. However, regulators’ patience with the public-private partnership/voluntary measures approach has run out, and as a result, cybersecurity regulation is on the way.

We know change is coming nationally, as Biden’s upcoming cyber strategy leans heavily on regulation as a means to achieve greater consistency in the national approach. But what about individual regulators? Well, some of them are certainly not sitting idly by, especially the Securities and Exchange Commission (and the New York Department of Financial Services).

Reporting and accountability are the two biggest changes coming. Under SEC rules expected to be finalized within months, publicly traded companies that determine that a cyber incident has become “material” (and could significantly impact the business) must disclose the details to the SEC and investors within 4 business days. That requirement also applies when “a series of previously unknown and individually intangible computer security incidents has become material in the aggregate.”

SEC rules will also require the boards of those companies to disclose significant information about their security governance, such as how and when the board oversees cyber risks. Such information includes identification of who on the board (or which subcommittee) is responsible for cybersecurity and related responsibilities. It will also include how often, and by what processes, board members are briefed on and discuss cyber risk.

James Dever Esq., Principal at Lockhaven Solutions, says the increased burden on boards will help ensure cyber programs are addressed like other business risks. “Cybersecurity is a strategy, not a technical solution,” says Dever. “The change in approach driven by this regulation will finally help align risk with strategy, something that has been sorely lacking in industries attempting to address cyber risk simply by employing increasingly costly technical solutions.” Dever added, “Moreover, this will help improve accountability to shareholders, a problem sorely lacking in the IT environment.”

Beyond increased reporting and accountability, what is the practical “so what” of these regulators getting more involved in the cyber space? These regulators can also bring enforcement actions and levy massive fines, which, in the world of financial crime, run into the hundreds of millions of dollars.

Safe to say that things are changing, and companies need to address these new requirements as soon as possible, as more regulators will likely follow the lead of the SEC and NYDFS in 2023.

Written by Natalia Chi

Chicago Popular; Chicago breaking news, weather and live video. Covering local politics, health, traffic and sports for Chicago, the suburbs and northwest Indiana.
