Corruption, Crime and Compliance

SEC Adopts Robust New Cybersecurity Disclosure Rules

In this episode of Corruption, Crime and Compliance, Michael Volkov delves into the SEC’s groundbreaking adoption of robust cybersecurity disclosure rules. This pivotal change marks a significant shift in the compliance landscape, requiring public companies to not only disclose cybersecurity incidents but also unveil their governance policies and practices. 

You’ll hear him discuss:

  • The SEC’s adoption of new cybersecurity disclosure rules, a process spanning over a year, comes as a transformative step in the regulatory landscape.
  • One of the most noteworthy changes is the requirement for companies to file Form 8-K to disclose material cybersecurity incidents within four business days of determining materiality. 
  • This significant change allows for a more measured assessment of materiality before disclosure, a departure from the previous trigger of four days from becoming aware of the incident.
  • Alongside incident disclosure, the new rules mandate that all public companies include comprehensive cybersecurity risk management and governance disclosures in their annual Form 10-K filings. This move underscores the necessity for companies to integrate cybersecurity into their broader enterprise risk management processes.
  • Companies are required to disclose the board committees or subcommittees responsible for cybersecurity oversight, outlining their processes for monitoring cybersecurity risks and reporting incidents.
  • The reach of these rules extends to third-party information systems, including those of vendors and suppliers. This amplifies the importance of thorough due diligence in assessing the information security systems and risks of external partners.

KEY QUOTES:

“You can’t just sit on an incident and not make a determination, analyze it, and delay, delay as a way to avoid that materiality determination.” – Michael Volkov


“The SEC expects companies to analyze qualitative factors when assessing materiality, including harm to reputation, customer and vendor supply relationships, and the impact of regulatory actions and civil litigation.” – Michael Volkov


“Additionally, companies have to go even more comprehensive in their disclosures to …describe management procedures and practices for assessing and mitigating cybersecurity risks.” – Michael Volkov


Resources

Michael Volkov on LinkedIn | Twitter

The Volkov Law Group

The Ethics Experts

Episode 157 – Erica Salmon Byrne, J.D.

In this episode of The Ethics Experts, Nick welcomes Erica Salmon Byrne, J.D.
Erica Salmon Byrne is the CEO of Ethisphere, where she is responsible for ensuring strong growth for the company while maintaining Ethisphere’s founding ethos that good businesses do better. Ms. Salmon Byrne also serves as the Chair of the Business Ethics Leadership Alliance (BELA); she works with the BELA community to advance the dialogue around ethics and governance and to deliver practical guidance to ethics and compliance practitioners around the globe.

https://www.linkedin.com/in/ericasalmonbyrne