In this episode of Corruption, Crime and Compliance, Michael Volkov delves into the SEC’s groundbreaking adoption of robust cybersecurity disclosure rules. This pivotal change marks a significant shift in the compliance landscape, requiring public companies to not only disclose cybersecurity incidents but also unveil their governance policies and practices.
You’ll hear him discuss:
- The SEC’s adoption of the new cybersecurity disclosure rules, the product of a rulemaking process spanning more than a year, is a transformative step in the regulatory landscape.
- One of the most noteworthy changes is the requirement for companies to file a Form 8-K disclosing a material cybersecurity incident within four business days after the company determines that the incident is material.
- Running the clock from the materiality determination rather than from the date the company becomes aware of the incident allows a more measured assessment of materiality before disclosure. The rule still requires that the determination be made without unreasonable delay after discovery, so a company cannot use the assessment itself as a way to defer the filing.
- Alongside incident disclosure, the new rules mandate that all public companies include comprehensive cybersecurity risk management and governance disclosures in their annual Form 10-K filings. This move underscores the necessity for companies to integrate cybersecurity into their broader enterprise risk management processes.
- Companies are required to disclose the board committees or subcommittees responsible for cybersecurity oversight, outlining their processes for monitoring cybersecurity risks and reporting incidents.
- The reach of these rules extends to third-party information systems, including those of vendors and suppliers. This amplifies the importance of thorough due diligence in assessing the information security systems and risks of external partners.
KEY QUOTES:
“You can’t just sit on an incident and not make a determination, analyze it, and delay, delay as a way to avoid that materiality determination.” – Michael Volkov
“The SEC expects companies to analyze qualitative factors when assessing materiality, including harm to reputation, customer and vendor supply relationships, and the impact of regulatory actions and civil litigation.” – Michael Volkov
“Additionally, companies have to go even more comprehensive in their disclosures to …describe management procedures and practices for assessing and mitigating cybersecurity risks.” – Michael Volkov