Are you ready? New Cybersecurity Rules from SEC

Cybersecurity in the boardroom has been a hot topic for years now. The SEC (Securities and Exchange Commission) will soon announce the results from the proposed rules that were published on March 9th, 2022, to make companies tell investors more about their cybersecurity. This means public companies will have to report any cybersecurity problems they have had and explain how they are working to protect themselves from cyber-attacks. This may seem like it is already in place, considering that news of incidents is fairly common, but this goes a lot deeper than breach notification.

The SEC thinks it is important for investors to know this information because it can affect risk and thus stock price stability. Companies already tell investors about cybersecurity, but the rules are different for each company, which makes it hard for investors to compare them. The SEC wants to make it easier for investors to understand how well companies are protecting themselves from cyber-attacks.

The proposed rules had three goals:

  • To tell investors how well a company is managing cybersecurity risks.
  • To tell investors right away if there has been a big cybersecurity problem.
  • To make all companies tell investors the same information, so it is easier to compare them.

The first objective is to inform investors about risk management, strategy, and governance. The proposal requires periodic reporting about cybersecurity policies and procedures. This includes the oversight the board has of cybersecurity risk, and management’s expertise in controlling cybersecurity risk. This information will provide investors with a better understanding of the company’s cybersecurity practices and its ability to manage risks related to cybersecurity.

The second objective is to provide timely notification to investors of material cybersecurity incidents. The proposed amendments require current reporting about material cybersecurity incidents and periodic updates on previous incidents.

The third objective is to standardize the disclosure requirements for public companies. The proposed amendments will require annual reporting or certain proxy disclosure about the board of directors’ cybersecurity expertise, if any. This will provide investors with a consistent and comparable understanding of the board’s expertise in cybersecurity risk management.

NIST offers one common cybersecurity framework

What does this mean?

These new rules have been a long time coming. The SEC wants to make companies tell investors more about their cybersecurity. This will help investors know how well companies are protecting themselves from cyber-attacks. The SEC is making new rules that will make all companies tell investors the same information, so it is easier to compare them.

The bottom line is that public companies will need to elevate cybersecurity to a primary risk for the board. It is expected that all public companies will need a board member with cybersecurity expertise. Although it is unclear what comprises “expertise,” it could be extremely significant and akin to Sarbanes-Oxley requiring financial expertise.

Do private companies need to comply?

The short answer is no, because the SEC does not govern private companies. However, the underlying cyber-risk management that the SEC is mandating is extremely valid for private companies as well. The bottom line is that all companies need to pay attention to cybersecurity at the top levels. There are many resources available to smaller companies to find board-level experts on cybersecurity. Digital Directors Network has a solid certification program developing systemic risk and cybersecurity governance. In today’s world, no board should be operating without cybersecurity in the boardroom.


Paul Bergman runs a business strategy and cybersecurity consulting company in San Diego. He writes on cybersecurity and board management for both corporate and nonprofit boards.
