REA concurs with this prudent advice to help companies navigate the paradigm shift in cybersecurity. Watch out for those CISA KEV cyber-icebergs in your path; they can ruin your day.
- The SEC is Prioritizing Cybersecurity Enforcement: While many might think of insider trading or securities fraud as the usual purview of the SEC, the recent charges and the new cybersecurity rules highlight that the SEC is making cybersecurity a regulatory and enforcement priority. Companies should carefully evaluate their cybersecurity resourcing and governance to reflect this heightened focus. This should include prioritizing executive and board awareness of industry standard cybersecurity practices, consciously evaluating and documenting resourcing requirements and decisions, and adopting appropriate processes for evaluating and, if appropriate, disclosing cyber events and deficiencies.
- Accurate Disclosure is Key: Companies may do well to continuously assess their risk disclosure practices and consciously account for past, material incidents and material vulnerabilities as they do so. Perhaps the most challenging aspect will be understanding the thresholds for considering events and vulnerabilities for inclusion in SEC reporting, and the SEC’s latest action highlights the value of having defensible processes to support disclosure determinations.
- Individual Executives Should Be Cognizant of their Responsibilities: Individual executives and directors, especially those in management positions with oversight of cybersecurity matters, may have legal obligations to respond to, address, assess, and disclose certain cybersecurity-related events and vulnerabilities. They should seek to establish and maintain frameworks designed to promote the reporting up of cyber incidents so that executives and other responsible individuals can be responsive to cybersecurity issues and the company can comply with its disclosure obligations.
- Mind Your Internal Controls: As the SolarWinds complaint makes clear, it is imperative that companies attend to internal controls. There is a broadening awareness of market standard security practices that are an increasing expectation of regulators, customers, and the markets. It will be prudent to develop structured mechanisms for assessing and elevating issues pertaining to such controls for the awareness and decision-making of responsible management.
The key theme underlying all of these points is the value in companies assessing how to support leadership with sufficient procedures to normalize incident and vulnerability assessment and merge those procedures with SEC reporting processes. The latest SEC action is likely to drive a focus on these priorities in the coming term.
I hope you can join us for this Energy Central PowerSession on December 14, where an esteemed and knowledgeable group of panelists from across business domains will provide their insights to help companies prepare for the SEC Cybersecurity Regulations.