The US Securities and Exchange Commission (SEC) will soon compel corporate boards to take cybersecurity seriously, with new rules expected to be finalized by April 2023. The rules would apply to publicly traded companies and require them to disclose to the SEC and investors any cyber incident that could materially affect the business, within four business days of determining that the incident is material.
Why it matters: Public companies will have to report potentially serious cyberattacks publicly, increasing transparency across the board. Shareholders have so far been largely in the dark about whether a company is prepared to manage a cyberattack; they will soon have that information at their fingertips. When an incident occurs, the SEC will be able to step in if necessary, and investors will be able to judge, from the actions a company takes to contain and remediate the incident, how much of a liability it represents.
- The SEC’s rules will also require the boards of those companies to disclose information on their security governance, including how and how often they exercise oversight of cyber risk.
- Senior security roles such as the Chief Information Security Officer may gain importance in the boardroom.