From Underestimation to Action: How the SEC is Transforming Corporate Cybersecurity Oversight
August 10, 2023
By Daniel Garrie, Jennifer Deutsch and Bradford Newman
Corporate cybersecurity is now a non-negotiable priority. How companies prepare for and defend themselves against cyber intrusions has profound implications for their operations, reputation, and bottom line.
Historically, companies have underestimated the magnitude of cybersecurity risks—and in the view of the Securities and Exchange Commission, consistently underreported the material losses caused by cyber intrusions.
Now things have changed. On July 26, the SEC took affirmative steps by adopting rules to ensure public companies aren’t just aware of their cybersecurity risks, but are actively managing them and promptly reporting what in practice will turn out to be the vast majority of incidents.
8-K Item 1.05 mandates that companies disclose “material cybersecurity incidents” and “material aspects of the incident’s nature, scope, timing and impact on operations, revenues or stock price.” New Regulation S-K Item 106 requires companies to provide detailed disclosures about their cybersecurity risk management, strategy, and governance.
In particular, the SEC now requires companies to describe their processes for “assessing, identifying, and managing material risks from cybersecurity threats, as well as whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant.”
Item 106 also requires companies to “describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats.”
To read the full article, go to Bloomberg Law