Last week, the SEC took a major step towards enhancing corporate resilience against cyberattacks. The agency proposed a rule requiring publicly traded companies to disclose ransomware attacks, data breaches, and other material cybersecurity incidents on Form 8-K within four business days of determining that an incident is material. Annual reports would also have to describe a firm's policies and procedures for identifying and managing cybersecurity risks and disclose whether any member of its board of directors has cybersecurity expertise.
The proposed rule, which is open to public comment for the next 60 days, does not cover entirely new ground. For years, companies have had to share details with investors about incidents and risks they deem material. In practice, however, disclosure of cybersecurity incidents has been inconsistent, and shareholders have often been left in the dark about whether a company is prepared to manage a cyberattack.
The rule’s benefit for investors is clear. They will be better able to evaluate a company’s ability to prevent or mitigate a cyberattack and decide what risks are worth taking when making investment decisions.
Thankfully, even without the SEC stepping in, boards are gradually realizing that cyber risk is business risk, and that any security breach has the potential to significantly disrupt operations. The rule correctly recognizes that, as the digital systems supporting businesses worldwide become increasingly complex, the right policies and a cybersecurity-savvy board are essential to understanding what vulnerabilities a company faces and how they can best be mitigated.
Cybersecurity has always been a business risk, but it has more often been treated simply as an IT problem. A global pandemic, nation-state-sponsored threat actors, supply chain and critical infrastructure attacks, and current geopolitical tensions have pushed the issue to the forefront, and to the board level.
It is essential that boards fully understand the systemic risks inherent in complex digital systems, and how investment in cybersecurity translates directly into business value. Equally important is considering the full spectrum of data, from leveraging it in business enablement and innovation to the cybersecurity and regulatory risk associated with the data.
Data is the new currency. Grasping the intricacies associated with the complex systems involved in the organization is imperative to drive growth. Boards must appreciate what is at risk across the enterprise, the consequences of failing to safeguard it, and the steps required for protection.
The SEC's proposed rule recognizes this. By requiring businesses to disclose whether they understand their risks, whether through robust cyber policies or through a commitment to board cyber expertise, it will meaningfully elevate corporate resilience.