In March 2022, the Securities and Exchange Commission proposed new rules on cybersecurity risk management, strategy governance and incident disclosure by public companies, but those proposed rules have not yet been officially adopted.
Recent data breaches at Twitter (which exposed information about over 200 million of its users), LastPass (where hackers gained access to its password database), Uber (where a cyber attack on a third-party vendor compromised the personal information of 77,000 of its employees) and others have elevated cybersecurity as a major issue facing corporate boards in 2023.
Since new cybersecurity rules will likely be approved this year, boards should be preparing to meet any new requirements that may result.
The proposed SEC amendments would require:
• Current reporting of material cybersecurity incidents,
• Periodic reporting and updates about previously reported cybersecurity incidents,
• Annual reporting or proxy disclosure about the board of directors’ cybersecurity expertise.
Additionally, the new rules would require “periodic reporting about a registrant’s policies and procedures to identify and manage cybersecurity risks; the registrant’s board of directors’ oversight of cybersecurity risk; and management’s role and expertise in assessing and managing cybersecurity risk and implementing cybersecurity policies and procedures.”
Some questions corporate boards should consider:
What type of systems and procedures do we currently have in place to detect cyber incursions? How does what we have in place compare to our peers? Have we considered implementing the current recommendations of cybersecurity industry leaders?
Honest answers to these questions will go a long way toward preparing the company to meet some of the disclosure requirements of the proposed new rules on cybersecurity risk. Making an honest assessment of the company’s cybersecurity defenses is an excellent way to determine the level of risk the company must manage. Such a process can provide valuable information that can be presented to shareholders and regulators to satisfy disclosure rules or as favorable evidence in the case of a lawsuit.
Boards should be willing to expose cyber vulnerabilities and aggressively pursue good-faith efforts to address those problems to protect the company from the operational delays, financial losses and reputational harm that data breaches and cybersecurity incidents can cause. This includes making technology and software upgrades, hiring consultants to test for vulnerabilities and requiring that employees undergo cybersecurity training where appropriate. Taking such measures will help board members and the company present a better defense if shareholders file lawsuits based on cybersecurity incidents.
Does the board have enough cybersecurity expertise for the company in its current position and for its future growth?
Since the proposed new cybersecurity rules will likely require boards to report on the board’s level of cybersecurity expertise, it is an issue that must be revisited this year. If the board is lacking in cybersecurity expertise, it could be argued that the company’s assessment of cybersecurity risk could be flawed. Adding a board member with cybersecurity expertise may be a solution. Boards may also want to detail how an internal committee of company executives works with the board to handle cybersecurity risks and keep management informed.
Have the board and management considered how they will handle the cybersecurity risks involved with third-party vendors and suppliers?
Cybersecurity risks involving third parties are often overlooked. Cybersecurity incidents are not going away, and smaller, third-party vendors often don’t have the resources to defend themselves against cyber attacks that larger companies might. A detailed risk assessment of how company information and systems could be impacted by third parties is a necessity for all businesses, because if a key third-party vendor is crippled by a cyber attack, it could grind your company’s production to a halt. Boards will have to find solutions that could include requiring third-party vendors to adopt certain cybersecurity systems and protocols in order to continue partnering with the company. Shifting to third-party vendors with more secure systems is also an option. Meeting with all third-party vendors to assess their cybersecurity risk is fast becoming a necessary part of doing business.