{ "@context": "https://schema.org", "@type": "NewsArticle", "headline": "Are the SEC’s New Cybersecurity Rules Coming Too Late?", "image":"https://www.intelligize.com/wp-content/uploads/2023/04/butterfly-chrysalis_1920.jpg", "datePublished": "2023-04-25", "description":"Cybersecurity threatens national security, but are government efforts to get corporations to strengthen cybersecurity programs truly necessary? Learn more.", "keywords":"corporate governance, cybersecturity, cybersecurity programs, sec, ruelmaking", "potentialAction":"Request A Demo", "publisher": [{ "@type": "Organization", "name": "Intelligize", "url":"https://www.intelligize.com/" }], "author": [{ "@type": "Person", "name": "Miriam Robin", "jobTitle":"Curation Editor, Legal News", "worksFor":"LexisNexis", "sameAs": "https://www.linkedin.com/in/miriam-r-2665273/" }] }

Are the SEC’s New Cybersecurity Rules Coming Too Late?

The phrase “fighting the last war” often comes to mind when discussing the federal government’s rulemaking process. It’s a familiar cycle: Something emerges as a problem that catches companies unprepared, and regulators begin the iterative slog of drafting rules, soliciting comments from the public on their proposals and re-drafting new versions in response to the feedback. Meanwhile, if the issue that triggered the rulemaking poses a big enough problem for companies, they’ve likely taken steps to address it well in advance of any final regulatory guidance.

The Securities and Exchange Commission seems to be playing a game of catch-up now as it seeks to modernize cybersecurity rules. The project started in earnest last year in response to national security risks, such as cyber threats against information technology networks and fuel pipelines. The effort produced a package of proposed measures from the SEC designed to “enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and cybersecurity incident reporting by public companies.”

The proposed rules focused on disclosing material cybersecurity incidents – think ransomware attacks and data breaches – in a timely manner, as well as guidelines for providing updates on previously disclosed events. Additionally, the SEC called for “enhanced and standardized disclosure on registrants’ cybersecurity risk management, strategy and governance.” For example, how do the directors on issuers’ boards factor into companies’ cybersecurity strategies?

In all fairness, the rise in cybersecurity threats is a national security issue when public infrastructure is put at risk. Not to mention, we could broaden our definition of infrastructure substantially when we consider the ubiquity of commercial products such as cell phones in our daily lives. Investors also benefit from more transparency when it comes to all aspects of corporate risk management, cybersecurity included.

So, any efforts by the government to prod major corporations into beefing up their cybersecurity programs should be considered well-intentioned. But are they necessary?

There is evidence to suggest that issuers already grasp the potential for ruinous outcomes from cyber threats. For example, a Wall Street Journal survey released in March found that more than three-quarters of corporate boards already have at least one member who is well-versed in cybersecurity. The role of chief information security officer generally carries more weight in corporate governance strategy now than in the past, especially in the eyes of board members.

And don’t forget that corporations answer to sophisticated institutional investors. Fall short on matters of risk management and the people in C-suites risk stockholder-led revolts.

In other words, new cybersecurity regulations may not produce much in the way of clear, direct benefits to companies themselves and our national security against cyber threats. But if the new rules serve as constant reminders to companies of their responsibilities to stakeholders and the importance of cybersecurity in a broad sense, they are worth the effort.

Latest Articles

Frustrations Mount Over Differing Climate Disclosure Rules

The long slog to implementing sustainability-related disclosure rules for companies in the United States reached something of a conclusion last month. While issuers are coming to t...

Read More

Study: Women Lose Ground in C-Suite for First Time in Two Decades

In what researchers say could represent an “alarming turning point,” the number of women holding executive corporate leadership roles is now declining, according to a study publish...

Read More

Trump’s Loose Lips Risk Running Afoul of SEC

Restraint has never been Donald Trump’s strong suit. The former President seemingly lashes out at any perceived slight within earshot, leading to countless public feuds with everyo...

Read More