The Augusta Group and 327 Solutions announce their education partnership
The SEC final cyber rule is effective 5th September 2023. Registrants must comply with the rule from the 15th December 2023 by disclosing material cyber risks and material cyber incidents.
The rule creates significant legal and compliance risks for the boards of covered registrants. We discuss these risks in our paper below.
The SEC is required to comply with Federal information security frameworks and adopt risk management and cybersecurity standards under FISMA. A registrant that aims to adopt the same risk management and cyber standards is more likely to demonstrate compliance with the final rule if there is a legal challenge to their cyber security compliance.
Regulatory disclosure creates significant legal and compliance risks for Directors, Officers and Accountable Executives of covered registrants
Boards need to understand the disclosure requirement and the role of materiality, adequacy and a reasonable investor.
The rule transfers cyber risk into the board rooms of covered registrants, through regulatory compliance and enforcement.
The transfer of cyber risk into board rooms will require registrants to demonstrate they are managing cyber risk, or face civil and possibly criminal sanctions.
Oversight and assurance of the SEC final cyber rule requires the adoption of a 3 Lines of Defense (3 LoD) framework.
Internal audit is the 3rd line of the 3 LoD framework, providing Directors and Officers and Board Subcommittees with the necessary information to attest to material cyber risks and material cyber incidents.
The SEC announced proposals on the 9th of March 2022 requiring registrants of US Capital Markets to formally comply with cybersecurity risk management, strategy, governance and incident reporting requirements.
In the enclosed paper we discuss the implications of the SEC proposal, which is likely to be mandated in 2022.
Copyright © 2021 Augusta GRC, LLC - All Rights Reserved.