The growing concern around cyberthreats for companies across the nation is reflected in the increasingly crowded legislative landscape that provides guidance to organizations, employers, employees, consumers, and investors. As part of that landscape, enterprises — both public and private — operate under an unprecedented level of scrutiny. Last month, new SEC requirements went into effect for public enterprises: the Final Rule on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure (the “Rule”). The Rule not only requires public enterprises to report cyber breaches within only four days, but it also requires annual disclosure of material information regarding cybersecurity risk management, strategy, and governance, as well as other periodic disclosures about the enterprise’s processes for assessing, identifying, and managing material cybersecurity risks, management’s role in assessing and managing those risks, and the board of directors’ oversight of cybersecurity risks.

This Rule adds yet another layer to the complicated issues of managing cybersecurity risks, but strong corporate governance equips companies to address them efficiently and accurately. The best practices for public companies that must comply with the SEC’s Rule also inform advice to private entities on managing cybersecurity risks. Key components of the SEC’s Rule shine a light on action items for preventing, navigating, and responding to cyberthreats through strong board governance and engagement, including:

  1. Identify cybersecurity risks as a required disclosure to the organization’s Board;
  2. Ensure the Board understands that it is responsible for oversight of the organization’s cybersecurity program;
  3. Provide the Board with “decision-useful” information relative to cyber risks;
  4. Train leadership on the necessity of reporting actual and potential cybersecurity incidents and risks to the organization’s Board;
  5. Create a cybersecurity breach response plan enforced by the Board;
  6. Perform stress tests of the cybersecurity breach plan, with Board participation; and
  7. Have leadership and the Board engage with the organization’s IT/Data Governance teams to ensure best practices are being followed, including ensuring employees are trained on cybersecurity risks.

If you have questions or need assistance with Corporate Governance related to cybersecurity risks or with the SEC’s Final Rule regarding Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, please reach out to the Jackson Lewis attorney with whom you regularly work, or any member of our Corporate Governance and Internal Investigations Practice Group and/or our Privacy, Data and Cybersecurity Practice Group.

Alison Jacobs Wice


Alison Jacobs Wice is principal in the Hartford, Connecticut, office of Jackson Lewis P.C., where she represents management exclusively in workplace law and related advice, counsel, training and litigation. Alison is on the national leadership team for the firm’s Disability, Leave and Health Management practice group.

Since joining Jackson Lewis in September 2003, and throughout her career, Alison has represented employers in state and federal trial, appellate and administrative proceedings throughout the United States involving the full spectrum of substantive issues covered by the firm’s employment law practice. She provides advice and counsel to corporate clients on a variety of employment and employee relations claims, including discrimination, sexual, age, disability and racial harassment, the Americans with Disabilities Act, the Age Discrimination in Employment Act, the Fair Labor Standards Act, the Family and Medical Leave Act, collective bargaining, reductions in force, and leave management issues.

Trisana N. Spence


Trisana N. Spence is an associate in the Hartford, Connecticut, office of Jackson Lewis P.C. where she represents employers in workplace law matters, including preventive advice and counseling.

Trisana conducts internal investigations of publicly traded, privately held, and not-for-profit organizations, police departments, and educational institutions in relation to allegations of fraud, financial impropriety, conflicts of interest, code of conduct violations, Procurement Integrity Act violations, and whistleblower claims under Dodd-Frank, SOX and other federal, state and local laws.