“While this is an oversimplification of all of the requirements and nuances of the forthcoming SEC rules, the SEC’s objectives are to require companies to provide meaningful and actionable information to shareholders to better understand companies’ cyber risks and how companies are managing and responding to them. From a very high level, this can be broken down into two categories of what they are wanting to see companies disclose information about: proactive cyber risk governance and risk management, and reactive incident response and reporting.”
The quote above is one I provided to SecureWorld for its article SEC to Put More Onus on Corporate Boards for Cybersecurity. It sums up my view of what the SEC is really trying to do with all of this: they want to make sure that investors have the best information possible about companies’ risks to better inform their investing decisions. This is a good thing. The by-product is that forcing companies to do many of these things will improve those companies’ cybersecurity. This is also a good thing.
Will there be some negatives? Of course there will be, but we will have to work through those, and hopefully the positives will outweigh the negatives.
Read more of my thoughts, as well as others, on this issue in the full SecureWorld article: SEC to Put More Onus on Corporate Boards for Cybersecurity
Also check out this article I wrote for Ethical Boardroom that emphasizes the need for CISOs to have a seat at the grown-ups’ table — that is, a direct line of communication to the Board: A Lesson in Humility from the FireEye and SolarWinds Cyber Attack
Finally, check out my post from back in 2022 about this issue with the SEC: Is This the Next Evolution of Cyber Risk Governance? The SEC Is About To Force CISOs Into America’s Boardrooms