SEC Cracks the Whip: Cybersecurity Now a Boardroom Migraine, Not Just an IT Headache!

Welcome to the era of SEC Cybersecurity Disclosure Rules! Forget hide-and-seek: any ‘material’ cybersecurity slip-up now needs to hit the headlines within four business days. Prepare to spill the beans or face the SEC’s wrath, just like SolarWinds Corp. With the deadline fast approaching, it’s time to make cybersecurity a boardroom buzzword.

Hot Take:

Well, if you thought cybersecurity was just a pesky chore for the IT department, the SEC is here to change your tune with a side of public humiliation. With new rules requiring public companies to spill the beans about their cybersecurity incidents, and the recent SEC charges against SolarWinds Corp., the message is clear: cybersecurity isn’t just an IT headache, it’s a full-blown boardroom migraine! Buckle up, because the deadlines for these tell-all disclosures are right around the corner.

Key Points:

  • The SEC has adopted rules requiring public companies to disclose material cybersecurity incidents and their risk management strategies.
  • SolarWinds and its CISO face charges from the SEC for alleged fraud and internal control failures related to cybersecurity risks.
  • Companies must create effective disclosure controls and procedures to report on material cybersecurity incidents within a specified timeframe.
  • Companies need to adjust their internal control over financial reporting and fine-tune their cybersecurity risk management process and strategy.
  • The board of directors and the management’s role in assessing and managing cybersecurity threats must be disclosed in the company’s annual report.

Need to know more?

Time to Stop Playing Hide and Seek

The new SEC rules mean playing hide and seek with your cybersecurity incidents is no longer an option. If a cybersecurity incident is ‘material’, it must be disclosed within four business days after the company determines that it is material. And for those thinking they can sneak by unnoticed, be warned: the SEC is not in a forgiving mood. Just ask SolarWinds Corp. and its CISO, who face charges for overstating their cybersecurity practices and understating known risks.

Check Your Calendar, The Clock is Ticking

The deadlines for these new disclosures are fast approaching. Starting from December 18, 2023, all companies (except smaller reporting companies) must comply with the new incident disclosure requirements. So, better start dusting off those incident logs and get ready to make some public confessions!

Shake Up Your Boardroom

Cybersecurity isn't just an issue for your IT team to lose sleep over. It's a boardroom issue that requires the attention of your company's officers and directors. Companies need to re-evaluate their governance related to cybersecurity matters and start developing templates for cybersecurity disclosures. If you thought those board meetings were long before, just wait until cybersecurity risk management is on the agenda!

Don’t Sugarcoat It

When it comes to disclosing your cybersecurity incidents and risk management processes, honesty is the best policy. The SEC isn't interested in sugar-coated versions of your company’s cybersecurity profile. It’s time to get real about your vulnerabilities and stop misleading investors with generic and hypothetical risks.

Manage Your Supply Chain Cybersecurity Risk

Remember, cybersecurity doesn't stop at your company's front door. You need to ensure your suppliers and partners are also up to scratch when it comes to their cybersecurity practices. With the new SEC rules, it's time to revisit your processes for managing supply chain cybersecurity risk.