In previous posts on the Porter Hedges Anti-Corruption & Compliance Blog, our team has discussed the U.S. Securities and Exchange Commission’s (“SEC”) proposal to amend its rules and require disclosures related to cybersecurity practices. The SEC wants to enhance and standardize the disclosures companies must report about their risk management, strategy, and governance. Among other proposals, the SEC has proposed to make additions to Regulation S-K and Form 20-F, which would require companies to describe their policies and procedures that aim to identify and manage cybersecurity threats.
The SEC’s proposed requirements include disclosure of whether a company considers cybersecurity as part of the company’s business strategy, financial planning, and capital allocation. The proposal would also require disclosure about any oversight of risks and about leadership’s role and experience in identifying and managing cybersecurity threats. Additionally, the SEC’s proposed requirements would request disclosure about how the company’s leadership implements company guidelines and strategies to combat cyber-attacks.
The Cybersecurity & Infrastructure Security Agency (“CISA”) and the National Cybersecurity Alliance (“NCA”) co-lead Cybersecurity Awareness Month to create resources for organizations to manage and maintain online safety. Following the NCA’s risk management practices will help your company maintain policies and procedures that identify, manage, and avoid cyber intrusions. The National Institute of Standards and Technology’s Cybersecurity Framework additionally provides a methodology to support your company’s cybersecurity efforts. These resources can help your company defend against and recover from cybersecurity incidents and remain proactive about compliance with federal securities law changes.
This year, the NCA focuses on four risk management practices: multi-factor authentication; strong passwords and password managers; software updates; and recognizing and reporting phishing. Below are brief descriptions of how your business can incorporate these risk management practices into your company’s business strategy.
- Two-step Verification: Most companies refer to this verification as multi-factor authentication (“MFA”). MFA requires one additional step, such as a PIN, security question, or biometric, to gain access to a company account. MFA is typically used for accounts that possess financial or personal information. However, the NCA recommends companies use MFA on all accounts. Increase your security measures by adding an MFA process to protect your accounts.
- Strong Passwords and Password Managers: The NCA recommends companies use long, uncommon, and complex passwords to defend against unauthorized access and data breaches. Because it is difficult for users and companies to manage multiple, complex passwords, companies should use password managers to store all passwords in one safe, encrypted place for their users. Keep your accounts more secure and implement password managers.
- Software Updates: Companies should implement software updates often. Software updates will provide additional security against cyber-criminals. The NCA states that companies should only download software updates directly from the source to avoid malware, fake update alerts, and other cybersecurity concerns. Continue to keep your accounts secure with legitimate and automatic software updates.
- Recognizing and Reporting Phishing: Cyber-criminals use fake emails to trick companies into sharing private information or installing malware on the company’s devices. Your company should provide account users with tips to identify phishing emails and establish an immediate reporting procedure with your IT department. The NCA explains how to recognize phishing, block a sender, and report phishing on different email platforms.
Incorporating these risk management practices into your business strategy will align your business with the government’s proposed best security practices. Most importantly, your company can strengthen its defenses against data breaches and hackers.
- Partner
Heather Hatfield represents clients in corporate investigations, white-collar crime investigations and defense involving the Foreign Corrupt Practices Act (FCPA), complex contract disputes, oil and gas litigation ...
- Partner
Blake Runions assists clients with a broad range of business disputes and investigatory matters, including partnership disputes, internal investigations, and commercial litigation.
Prior to joining the Firm, Blake worked in the ...
- Associate
Jamie Godsey represents public and private corporations, partnerships, and small companies on a broad range of complex business and commercial litigation. Her experience includes a wide variety of matters such as contractual ...