SEC: Cybersecurity risk management

Cybersecurity is the most significant non-financial risk faced by the public and private sector.  A risk that market forces alone has failed to manage and a risk that governments are starting to regulate, in order to manage it.  

The SEC announced proposals on the 9th of March 2022 requiring registrants of US Capital Markets to comply with cybersecurity risk management, strategy, governance and incident reporting requirements formally.  The implications of which are far reaching and will require public firms and their boards to:

•Report their policies and procedures, if any, for the identification and management of risks from cybersecurity threats, including whether the registrant considers cybersecurity risks as part of its business strategy, financial planning, and capital allocation. 

•Oversight of cybersecurity risk, management’s role in assessing and managing such risk, management’s cybersecurity expertise, and management’s role in implementing the registrant’s cybersecurity policies, procedures, and strategies.

•Declare whether any member of the registrant’s board has expertise in cybersecurity, and if so, the nature of such expertise.

•Report material cybersecurity incidents within four business days.

•Provide updates in periodic reports about previously reported cybersecurity incidents. 

In the enclosed paper we discuss the implications of the SEC proposal, that is likely to  be mandated in 2022.