An Update on the State of the U.S. Securities and Exchange Commission’s Approach to Cyber Risk
In brief: NACD, SecurityScorecard, and the Cyber Threat Alliance presents An Update on the State of the SEC’s Approach to Cyber Risk. This report examines the U.S. Securities and Exchange Commission’s (SEC) recently proposed ;rules and amendments on cybersecurity reporting requirements for public companies. The report concludes that the proposed rules, if enacted as currently drafted, would strengthen the ability of public companies, funds, and advisors to combat cybersecurity threats and implement risk mitigation processes.
Highlights of the report include:
- the SEC’s increased commitment to cybersecurity, holding more companies accountable, not just for egregious cyber-related violations, but also for misleading public statements about cybersecurity risks and events.
- discussion of recent cases in which the SEC took action as organizations failed to file suspicious activity reports (SARS) and disclosures, or provided misleading statements related to a cyberattack. These cases underscore the importance of classifying, escalating and reporting actual or suspected incidents to senior company leaders who are responsible for public-facing statements and regulatory reporting obligations.
- Investigation of other emerging regulatory scrutiny around third- and fourth-party risks and their disclosure.
Note: This report follows the March 2021, “State of Cyber-Risk Disclosures of Public Companies.”
How to use:
- Review corporate, management, and board cyber-risk management and oversight practices against SEC expectations
- Advance engagement with legal, compliance, and technology leadership to get ahead of regulatory demands
- Understand the scope of the current regulatory agenda
Most relevant audiences: corporate boards, audit committee chairs, audit committee members, risk committee chair, risk committee members, chief information security officers, chief information officers, general counsel, investor relations