How to prepare for increased oversight of cybersecurity


In an era when digital transformation has fundamentally altered the business landscape, the need for robust cybersecurity measures and close coordination with government partners has never been more critical for industry. To that end, new cybersecurity rules by the U.S. Securities and Exchange Commission call for company boards to take a significantly more active role in managing cybersecurity risks.

Similar provisions are included in the European Union’s Digital Operational Resilience Act, or DORA, and the U.S. National Institute of Standards and Technology’s Cybersecurity Framework 2.0. Despite the global momentum behind this new level of cyber governance, many companies still don’t know how to prepare their boards and C-suites for these new rules and expectations.

Headlines around the SEC’s rules have focused on new reporting timelines around “material” cybersecurity breaches. But far less attention has been paid to the requirement that will impact companies even in the absence of a major cyber incident. Starting in December, public companies’ annual reports must disclose their cybersecurity risk strategy and governance, including their board of directors’…
