Getting Ready for the SEC’s Proposed Rules on Cybersecurity
Key Takeaways
⇨ In March 2022, the SEC released proposed amendments to its rules to enhance and standardize disclosures regarding cybersecurity risk management.
⇨ Experts will need to decide what to share without jeopardizing an investigation and exposing the organization even further to other attacks.
⇨ Companies should prepare a framework to allow them to maintain security while also being compliant.
Learn how to accommodate the potential new rules proposed by the SEC in March of 2020.

The National Institute of Standards and Technology (NIST) had released its publication on Integrating Cybersecurity and Enterprise Risk Management (ERM). Its stated intent was to help organizations better “identify, assess, and manage their cybersecurity risks in the context of their broader mission and business objectives.” To do so, the report recommended that cybersecurity risks be rolled up into the wider Enterprise Risk Management program and, as such, be included in the overall decision-making process. NIST suggests using a risk communication channel that is already in use in all organizations: the risk register.

Recognizing the importance of cybersecurity as an emerging risk, especially given the increased threat level of cyberattacks and their potential impact on businesses (not just for the three industries mentioned above), and estimating that cybersecurity incidents are underreported and, when they are reported, not reported in a timely manner, the Securities and Exchange Commission (SEC) had already started raising awareness on this topic and setting expectations.