Cybersecurity agencies from the US, Australia, Canada, New Zealand, and the United Kingdom recently released a joint international advisory warning that the Russian government is exploring options for cyberattacks. With these heightened concerns, every company needs to be vigilant to protect themselves against a cyberattack.
Public companies are already facing additional pressure to pay attention to cybersecurity. The SEC is currently accepting public comments on new proposals for public company reporting related to cybersecurity that would require, among other things, current reporting about material cybersecurity incidents and periodic reporting to provide updates about previously reported cybersecurity incidents. Another proposed SEC regulation would require registered investment advisers and funds to adopt and implement policies and procedures to address cybersecurity risks.
In public comments submitted in favor of the proposed SEC regulations, the National Association of Corporate Directors (NACD), Cyber Threat Alliance, and SecurityScorecard stated their support for the proposed regulations:
“Cybersecurity issues need to be treated as seriously as all other risk management and disclosure obligations for public and regulated private companies. As cybersecurity risk grows in importance, investors and other stakeholders would benefit from enhanced disclosure related to cybersecurity in order to make informed investment decisions.”
Opponents of the SEC proposals have pushed back against the SEC’s rulemaking in the area of cybersecurity, stating that the agency should provide guidance but not regulate in this area. They point to pending implementation of a new incident reporting law—the Cyber Incident Reporting for Critical Infrastructure Act of 2022—at the Cybersecurity and Infrastructure Security Agency (CISA) as the appropriate venue for cybersecurity regulation. Over the next several years, CISA is expected to adopt new cybersecurity regulations to conform to this new federal law.
In their public comments about the SEC proposals governing cybersecurity practices for advisers and funds, the Securities Industry and Financial Markets Association stated that:
“The Commission should instead provide guidance to advisers and funds and coordinate with other federal financial regulators and the Cybersecurity and Infrastructure Security Agency (CISA) under recently adopted critical infrastructure reporting legislation.”
While this unfolds, organizations that have not yet evaluated their cyber program should take this opportunity to evaluate their capabilities against a framework such as the NIST Cybersecurity Framework for alignment and preparedness.
For more information about public company cybersecurity practices in general, contact us. We are here to help.