Cybersecurity Transparency and the New SEC Regulation

49% of CEOs globally are concerned or extremely concerned about cyber threats, making cyber the top threat to revenue growth. However, only 33% of members of the board of directors felt they understood cyber vulnerabilities in their organizations. The fast-growing number of cyber incidents is one of the most critical economic and national security threats today.

By definition, public companies are held to a higher level of transparency than their private counterparts. Because they are accountable to their shareholders, public companies must file a quarterly financial report with the Securities and Exchange Commission (SEC). Public companies are also large and critical to the national economy of the countries they operate in. Public companies generally perform at a higher level than other companies.

The board of directors of a public company must look out for the shareholders' best interests, especially by mitigating any risk to the organization. Traditionally, this has meant financial risk, but in its new disclosure rules, the SEC has officially recognized the unique risks posed by inadequate cybersecurity policies.

On March 15, 2022, the Cybersecurity Incident Reporting for Critical Infrastructures Act of 2022 was signed into law. It requires organizations to announce notable cyber incidents, and it provides protections that encourage businesses to report them. The new act mandates transparency of cybersecurity practices, whereas sharing the details of these practices was previously discretionary. The new act also standardizes information sharing.
