An Update on the State of the U.S. Securities and Exchange Commission’s Approach to Cyber Risk

In brief: NACD, Security Scorecard, and the Cyber Threat Alliance presents An Update on the State of the SEC’s Approach to Cyber Risk. This report examines the U.S. Securities and Exchange Commission’s (SEC) recently proposed ;rules and amendments on cybersecurity reporting requirements for public companies. The report concludes that the proposed rules, if enacted as currently drafted, would strengthen the ability of public companies, funds, and advisors to combat cybersecurity threats and implement risk mitigation processes.

Highlights of the report include:

• the SEC’s increased commitment to cybersecurity, holding more companies accountable, not just for egregious cyber-related violations, but also for misleading public statements about cybersecurity risks and events.
• discussion of recent cases in which the SEC took action as organizations failed to file suspicious activity reports (SARS) and disclosures, or provided misleading statements related to a cyberattack. These cases underscore the importance of classifying, escalating and reporting actual or suspected incidents to senior company leaders who are responsible for public-facing statements and regulatory reporting obligations.
• Investigation of other emerging regulatory scrutiny around third- and fourth-party risks and their disclosure.