Corporate Boards Now Responsible for Cybersecurity

A new rule from the U.S. Securities and Exchange Commission (SEC), titled Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, went into effect last fall. The rule requires public companies to disclose whether their boards of directors have members with cybersecurity expertise. Specifically, registrants must disclose whether the entire board, a specific board member, or a board committee is responsible for overseeing cyber risks; the processes by which the board is informed about cyber risks, and how often it discusses them; and whether and how the board or the designated committee considers cyber risks as part of its business strategy, risk management, and financial oversight.

“In simplest terms, boards are on the hook for management, governance, and disclosure reporting,” explains Keri Pearlson, executive director of the Cybersecurity at MIT Sloan Research Consortium (CAMS). “While there is a lot of interpretation left to do, this we know for sure.”

Also well understood is the increasing likelihood of hacking events and the exponential cost to companies. Despite recent efforts to beef up cybersecurity by…