By May this year, the US Securities and Exchange Commission (SEC) is expected to implement changes to cybersecurity and governance rules for public companies, which some predict will amount to a “tectonic” change in how boards must handle key issues such as incident reporting.
Officially, the rule changes are designed to “enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and cybersecurity incident reporting by public companies.” In practical terms, public companies will be required to disclose any material cybersecurity breach or incident to the SEC within four business days, while failure to do so may result in enforcement action. They must also be in a position to report on which member of the board is responsible for cybersecurity and how they exercise risk oversight.
While this meets a clear need to further raise the profile of cybersecurity at the board level, there are concerns that most organizations are simply not in a position to meet these reporting and governance requirements.
According to research published in Forbes, for example, the vast majority (up to 90%) of public companies “lack even a single director with the necessary cyber expertise.” The analysis goes on to point out that “only 51% of Fortune 100 companies have a director on their boards with relevant cybersecurity experience. The situation in the Fortune 200 and 500 is more concerning: only 9% have cyber-savvy directors.”
Commenting on the potential impact of these rule changes, Glasswall CEO, Danny Lopez, said: “These new SEC rules are a welcome development that will help ensure that leadership teams and boards will become more effective in their approach to preventing and mitigating cyber risks. Cybersecurity is increasingly recognized as a business-critical priority, but many leaders have learnt the hard way, having been the victims of an attack. As a result of developments such as this, leaders everywhere – particularly in larger companies – will become more effective in meeting the needs of their CISOs and security teams.”
As discussed in Glasswall’s 2023 industry predictions, the cybersecurity sector should expect to see more legislation from governments this year designed to improve standards across the board. The US government, for instance, is also leading the charge across other key areas such as software procurement – a trend which is likely to be mirrored globally across both public and private sectors, helping increase industry maturity while offering a boost for consumer confidence.