What are the Implications of the SEC Regulating Your Cyber Risk Reporting?

What’s the news?

Last month, the Securities and Exchange Commission proposed rules and amendments to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies (the SEC has opened a comment period until May 9th, 2022, before it moves towards a final decision). The potential change is a great opportunity for CISOs to tie their security program to their business and to communicate their impact on shareholder value.

There are two main reasons why the SEC is proposing changes. The first is that cybersecurity risk has become a consistent and meaningful risk to the financial performance of companies.

The second is that there is no standard way of reporting risk to investors, which leads to uneven, infrequent and inconsistent disclosures. These issues remain despite the addition of the Sarbanes-Oxley Act of 2002, the Payment Card Industry Data Security Standard and other regulatory changes.

With regards to risk management reporting, the proposal would (among other things) require companies to report on:

  • Their policies and procedures to identify and manage cybersecurity risks
  • Management’s role in…