On May 10, 2023, the Securities and Exchange Commission (SEC) convened a roundtable meeting on cybersecurity risk management and disclosure. The event brought together voices from industry, academia, and government, and their collective input will help the SEC make informed decisions about the proposed cybersecurity rule. The discussion covered the necessity of a comprehensive cybersecurity risk management framework for public companies, the significance of board oversight of cybersecurity, the challenges of disclosing cybersecurity incidents, and the regulators’ role in advancing cybersecurity.
Key Takeaways from the Roundtable
The SEC’s summary of this roundtable discussion underscored several pivotal points:
- The consensus is clear: cybersecurity is a critical issue for public companies and the securities markets. The wave of digitalization and our growing reliance on technology underline the need for robust cybersecurity measures.
- Tailoring a comprehensive cybersecurity risk management framework to meet the specific needs of public companies is a must. One-size-fits-all solutions rarely work when it comes to cybersecurity, given the unique risks and threats each organization faces.
- Board oversight of cybersecurity is fundamental to ensure companies are taking appropriate steps to safeguard their systems and data. Their strategic role is key in driving a cybersecurity-conscious culture within the organization.
- Disclosing cybersecurity incidents presents a set of challenges that need to be addressed. It is about striking the right balance between transparency and security: sharing enough to keep investors informed about material cybersecurity risks without revealing sensitive details that could be exploited.
- Regulators can and should play a role in advancing cybersecurity. They can offer guidance and resources to public companies, helping them navigate the complex cybersecurity landscape.
Recommendations from the Roundtable Participants
The roundtable participants suggested some specific actions for the SEC to consider:
- The SEC should mandate that public companies have a board-approved cybersecurity risk management framework. This requirement would ensure that cybersecurity management isn’t an afterthought but a key part of a company’s strategic planning.
- The SEC should provide clear guidance on how to disclose cybersecurity incidents in a timely and transparent manner. Such guidance would be invaluable in helping companies navigate the tricky waters of breach disclosure.
- The SEC should collaborate with other regulators to develop a coordinated approach to cybersecurity regulation. A unified front in the face of cyber threats could provide the necessary deterrence and protection.
These insights and recommendations from the roundtable will be instrumental in the SEC’s ongoing review of the comments submitted during the rule’s comment period. The SEC is expected to issue a final rule in the coming months. Given the criticality of cybersecurity in today’s world, these proposed changes could have a far-reaching impact on public companies and the securities markets. Stay tuned for updates as we continue to track the SEC’s proposed cybersecurity changes.