Professional and corporate law circles abound with discussions of the recent changes made by the Securities and Exchange Commission (SEC) to how public companies disclose their management and handling of cybersecurity risks and incidents. These rules, which heavily emphasize the need for transparency and responsibility, reference the standards set in the Securities Exchange Act of 1934. Their broad implications extend even to private companies, suggesting a widespread need to closely evaluate internal controls relating to cybersecurity risks.
The SEC’s updated rules call for enhanced and consistent dissemination of information about companies’ cybersecurity risk management strategies and governance. These revisions stem from an awareness of the alarming regularity of cybersecurity incidents in today’s digital landscape. It is worth noting that the applicability of these rules extends beyond the public companies directly affected, as they offer actionable insights for private companies as well. Further, the heightened attention to accountability in particular signals a move towards greater regulatory scrutiny and enforcement, a topic discussed at length by Blank Rome LLP.
While these new risk management and incident disclosure requirements for public companies are built around the SEC’s regulatory mandate, they also align with a broader, global trend towards greater corporate transparency, accountability, and data privacy. And though designed with public companies in mind, they may also indicate the future pathways and expectations for private companies.
In light of these developments, both public and private companies face the challenge of enhancing their cybersecurity risk management practices. It is increasingly crucial for businesses at all levels to reimagine their cybersecurity strategies, to maintain sound internal controls, and to practice prompt and transparent disclosure, all the while remaining vigilant against an ever-evolving cyber risk environment.