Overview of New Cybersecurity Disclosure Rules for Public Companies

According to the Cybersecurity & Infrastructure Security Agency, cybersecurity is the process whereby information and communications systems, and the information contained in those systems, are protected from and/or defended against damage, unauthorized use or modification, or exploitation. As noted by the U.S. Securities and Exchange Commission (“SEC”) in 2018, in a world more and more interconnected digitally, cybersecurity presents ongoing risks to companies operating in all industries, including public companies regulated by the SEC.

Federal securities laws are designed to elicit disclosure of information about risks and events that a reasonable investor would consider important to an investment decision. Cybersecurity presents an ever-growing area of risk to all types of business, and therefore must be considered with regard to public disclosures.

As we noted in the Porter Hedges Anti-Corruption & Compliance blog post in May, the SEC is seeking to require additional disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies. The proposed new rules will require current reporting about material cybersecurity incidents on a Form 8-K within four days after the determination that the incident is material and will require periodic disclosures about the company’s:

  • policies and procedures to manage cybersecurity risks;
  • management’s role in implementing cybersecurity policies and procedures;
  • the cybersecurity expertise of the board of directors, if any, and its oversight of cybersecurity risk; and
  • updates to previously reported material cybersecurity incidents.

These new rules are intended to provide investors with more timely disclosures about material cybersecurity incidents and about previously undisclosed immaterial incidents that become material in the aggregate. Given the short, four-day disclosure requirement, companies must be prepared for the rapid investigation of incidents and ensure an effective and efficient reporting procedure in order to comply with the rules on time.

But in addition to this increased incident reporting, these new rules will require regular disclosure about a company’s risk management, strategy, and governance in the realm of cybersecurity overall. What should your company consider in light of the governance aspect of these new rules?

First, public companies should review their risk management policies and procedures to ensure that comprehensive cybersecurity risk management is included and kept up to date given the rapidly evolving nature of the risk. Second, companies must also consider the role of the board of directors. The Board, or a Board committee, should have formal oversight of cybersecurity management. And third, companies must consider the appropriateness, given the individual nature of the business and its level of exposure, of adding cybersecurity expertise to the Board.
