After over a year of deliberations, the US SEC has finally adopted the proposed rules for enhanced cyber disclosures.
In a recent post by Diligent, the company provided an outlook on what is next for FinTech after the adoption of the new SEC cyber rules.
These rules are crafted to provide investors with a deeper understanding of public companies’ risk management, strategy, and governance. Additionally, they aim to guarantee that investors are promptly informed of incidents that could significantly impact the business.
The new regulations stipulate a series of mandates. A written description of an organisation’s approach to identifying and managing material risks from cybersecurity threats is a requirement. Also, companies must disclose cybersecurity incidents that have material implications, either individually or in aggregation with other cyber incidents, within four days. Furthermore, organisations are required to report what steps their management is taking to implement security procedures and play an oversight role. Consequently, there is no time for delay; companies must transform their cybersecurity plans into practical actions, while enhancing their disclosure and oversight mechanisms.
The SEC’s final rules will become effective 30 days after being published in the Federal Register. So, what immediate and future actions should boards consider? How can directors enhance their cyber-savviness, and what should they know for the future?
“Boards, CEOs, and CFOs should review these disclosures to ensure their accuracy and the efficacy of the operational processes around risk management,” Barbara Berlin, managing director of PwC’s Governance Insights Center, mentioned during an episode of Inside America’s Boardrooms.
The new regulations categorise disclosures into three segments: cybersecurity incidents/overall strategy, risk management, and governance. The latter encompasses risk assessment processes, threat detection and information protection strategies, business continuity, and recovery plans, among others.
Directors will need to adapt not only to the new level of disclosure but also to the fresh processes. Disclosures on strategy, risk management, and governance will now be a part of the 10-K instead of the previously expected proxy statement. “This is a significant shift,” Berlin observed.
Boards can augment their cyber knowledge and preparedness by engaging external experts for board briefings, mandating external cybersecurity courses and credentials for directors, and assessing their existing knowledge base. They should also ensure regular communications with top technology leaders and assessments of the organisation’s cyber programmes. Understanding cyber risks is critical for business strategy, financial planning, and capital allocation processes.
Chief technology, information security, and information officers must also acquaint themselves with the new SEC regulations and ensure compliance. With the shortened timeline for disclosing material cyber incidents, they need to ensure cyber reporting is incorporated into controls and procedures for disclosures. They also need to clearly understand when a situation warrants board notification.
Making cyber risk part of the auditing process is a smart move, according to Bob Ackerman, managing director and founder of AllegisCyber Capital. He argues that cyber risk should be included as part of how the industry and regulators measure and analyse systemic risk for every company.
CTOs, CISOs, and CIOs play a crucial role in ensuring a comprehensive cybersecurity programme. They should administer cyber training for all employees, evaluate systems through third-party penetration testing firms, upgrade security and backup systems as needed, supplement internal monitoring efforts with external managed services providers, and continuously monitor cyber activity in real time.
Read the full post here.
Copyright © 2023 RegTech Analyst