Emerging Expectations: The Board’s Role in Oversight of Cybersecurity Risks | Skadden, Arps, Slate, Meagher & Flom LLP

Key Points

  • New SEC rules from 2023 require public companies to report material cybersecurity incidents promptly and detail their cybersecurity risk management strategies in annual reports — requirements that increase the risk of litigation over misstatements relating to cybersecurity.
  • The fallout from the SEC’s enforcement action against SolarWinds and shareholder litigation over the company’s alleged failure to manage cybersecurity risks highlight the need for thoughtful board governance in this area.
  • Boards should review how oversight responsibility for cybersecurity risk is assigned and coordinated within the board and with management to facilitate clear lines of communication in the event of a cybersecurity incident.

What role are boards expected to play in protecting their companies against cyberattacks?

New rules issued by the Securities and Exchange Commission (SEC) and an enforcement action by the agency against SolarWinds, a software developer that was the victim of a serious cyberattack, provide detailed guidelines. They make clear that directors need to understand the risks and actively engage in cybersecurity oversight. The SEC’s actions are also…
