Senior decision-makers come together to connect around strategies and business trends affecting utilities.

Post

Summation of SEC Cybersecurity impacts on Public Companies

image credit: U.S. SEC
Richard Brooks's picture
Co-Founder and Lead Software Engineer, Reliable Energy Analytics LLC

Dick Brooks is the inventor of patent 11,374,961: METHODS FOR VERIFICATION OF SOFTWARE OBJECT AUTHENTICITY AND INTEGRITY and the Software Assurance Guardian™ (SAG ™) Point Man™ (SAG-PM™) software...

  • Member since 2018
  • 1,540 items added with 672,260 views
  • Apr 15, 2022
  • 318 views

This article from SEC Chair Gary Gensler contains some valuable insights into how public companies should consider preparing for SEC changes with regard to cybersecurity requirements. Here is a short excerpt from Secretary Gensler's guidance:

Team Cyber

Adopting a heightened posture is a task that requires all of us. Last year, Jen Easterly, Director of the Cybersecurity and Infrastructure Security Agency (CISA), said that “cybersecurity is a team sport.” “Each and every one of us are a member of Team Cyber,” she said.[4]

Folks from the private sector—the folks that many of you in the audience represent—are on Team Cyber’s front lines.

Policy

Given the SEC’s mission, and the evolving cybersecurity risk landscape, when considering work at the SEC, I think about it in three ways:

  • cyber hygiene and preparedness;
  • cyber incident reporting to the government; and
  • in certain circumstances, disclosure to the public.

Public Companies

The basic bargain is this: Investors get to decide what risks they wish to take. Companies that are raising money from the public have an obligation to share information with investors on a regular basis.

Disclosure regimes evolve over the decades. Cybersecurity is an emerging risk with which public issuers increasingly must contend.

To this end, in March, the Commission proposed rules that would enhance issuers’ cybersecurity disclosures in two key ways.[12]

First, it would require mandatory, ongoing disclosures on companies’ governance, risk management, and strategy with respect to cybersecurity risks. This would allow investors to assess these risks more effectively. For example, under the proposed rules, companies would disclose information such as:

Second, we proposed requiring mandatory, material cybersecurity incident reporting, because such material cybersecurity incidents could affect investors’ decision-making

Discussions
Matt Chester's picture
Matt Chester on Apr 15, 2022
  • in certain circumstances, disclosure to the public.

.

I imagine this is a tough one for utilities who want to avoid any panic for an issue they feel is under control

Richard Brooks's picture
Richard Brooks on Apr 20, 2022

Good point Matt. I think people are still trying to digest what the new cybersecurity law means and are wondering how many regulators they'll have to answer to on cybersecurity practices. Very chaotic at the moment.

Richard Brooks's picture
Thank Richard for the Post!
Energy Central contributors share their experience and insights for the benefit of other Members (like you). Please show them your appreciation by leaving a comment, 'liking' this post, or following this Member.
More posts from this member

Get Published - Build a Following

The Energy Central Power Industry Network is based on one core idea - power industry professionals helping each other and advancing the industry by sharing and learning from each other.

If you have an experience or insight to share or have learned something from a conference or seminar, your peers and colleagues on Energy Central want to hear about it. It's also easy to share a link to an article you've liked or an industry resource that you think would be helpful.

                 Learn more about posting on Energy Central »