Those tuning into the numerous webinars offered by investment advisors and other organizations, and those reading the serious press, have been made aware of the fear of Russian cyber attacks in the context of the Ukrainian invasion. Those following US business have long been aware of the risk and cost of cyber attacks and ransomware on both vital infrastructure and the operation of all manner of business enterprises.
It is thus both unsurprising and timely that on March 9 the SEC proposed robust amendments to its mandatory disclosure scheme for public companies relative to cyber risk. Highlights of the numerous suggested regulatory changes follow; all are subject to a two-month period of public comment.
The SEC has proposed: current reporting about material cyber incidents, including updates on those previously reported; disclosure of company policies and procedures to identify and manage cyber risk; specific focus on the board's oversight, including disclosure of any board cyber expertise; and disclosure of the role of management in managing cyber risk.
The request to disclose board cyber expertise carries with it the implicit suggestion that well-run companies might do well to have a "cyber" member. It would appear, however, that a board with a sharp focus on cyber could nonetheless rely upon management, supported by third-party consultants and technical support, to do a good job in this area of technical vulnerability. That an area carries great risk argues for focus on it and clear assignment to the risk committee, not for the necessity of placing a specialist on the board. Cyber (however vital and important) is not a strategic area but rather an operational one. We do not have board members who are experts on manufacturing assembly lines or IT configuration, and to the extent the SEC is suggesting there needs to be a cyber board seat, we might see pushback in the public comments.