In response to increasingly sophisticated cyber threats and data leaks, the Securities and Exchange Commission has taken a pivotal step in enhancing corporate accountability through its new cybersecurity incident disclosure requirements.
Recent enforcement actions, such as the case against SolarWinds Corporation’s chief information security officer (CISO), underscore how seriously the SEC takes timely and accurate disclosure of cybersecurity incidents.
This move highlights a shift in the landscape of corporate governance, particularly in the realm of digital security. And, critically, these developments are reshaping the roles of IT leaders, who must now navigate a complex landscape of technological challenges and regulatory compliance.
The SEC’s New Cybersecurity Disclosure Requirements
The new regulations, including amendments to Regulation S-K Item 106, require prompt reporting of cyber incidents and clear annual disclosures about cybersecurity strategies and risk management, aiming to provide investors with a transparent view of cybersecurity risks.
Under the new requirements, IT leaders must report significant cyber incidents within four business days. They must also describe their cybersecurity risk management strategy in annual reports, including the corporate governance arrangements for overseeing cybersecurity risk.
In practice, this means:
- IT leaders must be making appropriate disclosures
- They must also have in place the appropriate controls and procedures to escalate items and determine when and where disclosures are required
These requirements place a huge burden of responsibility on all corporate leadership, but especially on the CISO and/or the chief technology officer (CTO).