The SEC's involvement in cybersecurity dates back to its foundational mission of protecting investors and maintaining market integrity. Key historical developments include:
2011: The SEC issued initial guidance to public companies, emphasizing the importance of disclosing material cybersecurity risks and incidents.
2014: Regulation S-ID (Identity Theft Red Flags Rule) became applicable to certain financial institutions and creditors, requiring them to implement identity theft prevention programs.
2018: The SEC released updated guidance reinforcing the need to accurately disclose cyber incidents and risks, emphasizing board oversight and timely reporting.
Companies must disclose their policies and procedures for identifying and managing cybersecurity risks in their annual reports (Form 10-K). Disclosures must specifically state whether the company has a cybersecurity risk assessment program and how cyber risks are integrated into the company's overall risk management strategy. These disclosures include detailing the company's approach to mitigating cyber risks (e.g., business continuity plans, third-party management) and how previous cyber incidents have influenced its cybersecurity policies and procedures.
The recently proposed rules require companies to provide detailed disclosures on board oversight of cybersecurity risk and management’s role in implementing cybersecurity policies.
Requirements for board oversight include identifying any board members or committees responsible for overseeing cybersecurity risks. Organizations must also provide information on the board's role in cybersecurity governance and state the frequency of board discussions on cybersecurity matters.
Disclosures about management include identifying which members of management are responsible for managing cybersecurity risks and describing management's role in implementing cybersecurity policies, procedures, and strategies. Organizations must also explain how management assesses cybersecurity risks and reports them to the board.