Communicating Cyber Risk to Investors: A Draft Form 10K Submission In line with the Proposed SEC Rules

0
188

Recent cyber attacks have resulted in serious impact to the profitability, reputation, and stock prices of companies. There is a heightened spotlight on decisions and actions of senior corporate leaders as it pertains to cyber risk management.

In response, the United States Security Exchange Commission (SEC) has proposed ways to enhance and standardize how public companies disclose their approach to governance of cybersecurity risk management and attest to the level of cybersecurity expertise of their board. The proposed rules mean that public companies will need to formalize how they report on cybersecurity risk to their board of directors, regulators and investors.

In terms of communicating cyber risk to investors, companies will likely do this as part of their Form 10K submission. I thought it might be interesting to imagine how a 10K submission might look for two key categories required by the SEC, Cybersecurity Risk and Governance, as below:

Cybersecurity Risk

Preamble:

To meet business objectives, the Company relies on both internal information technology (IT) systems and networks, and those of third parties and their vendors, to process and store sensitive data,…

Read More…