Cyber governance for executive boards: Understanding the new SEC breach notification rules

Boards of Directors for public companies across the country are likely to be taking stock of their companies’ cybersecurity practices and strategies after the Securities and Exchange Commission’s adoption of the Cybersecurity Incident Disclosure Rule on July 26. Although the SEC removed the requirement for corporate boards to include members with cybersecurity expertise, it still intends for the Rule to result in greater transparency of companies’ cybersecurity governance and to aid investor understanding. The Rule gives companies additional reasons to determine who, if anyone, on their Boards can help with oversight of cybersecurity governance.

In the past few years, data breaches have become all too familiar to businesses and consumers. The majority of consumers are likely to have already received at least one data breach notification letter this year. For example, Verizon’s 2023 Data Breach Investigation Report assessed 16,312 data security incidents and at least 5,199 confirmed data breaches from 2023 so far. For the majority of organizations, suffering a data breach is a matter of when, not whether. A Deloitte Center for Controllership poll determined that “nearly half (48.8) of C-suite and other executives expect the number and size of cyber events targeting their organizations’ accounting and financial data to increase” and that 34.5 percent of those polled were targeted by cyber attackers in the past 12 months.

Given the prominence of data breaches and the development of technologies that help organizations protect their systems, cybersecurity has become increasingly important to boards. According to findings published in Forbes in February, “51% of Fortune 100 companies have a director on their boards with relevant cybersecurity experience.” This illustrates a positive trend. A 2022 survey by Heidrick and Struggles found “cybersecurity expertise among new board members [rising] 17%, up from a mere 8% in the previous year,” throughout Fortune 500 companies.

The SEC Rule primarily requires public companies that are subject to the reporting requirements of the Securities Exchange Act of 1934 to notify affected stakeholders within four days of determining that a material cybersecurity incident has occurred. As already noted, the Rule does not require public companies to have cybersecurity expertise on their boards, but it does emphasize the board’s oversight role. This can be seen through the Rule’s requirement to disclose a company’s processes for assessing, identifying, and managing material risks from cybersecurity threats. These disclosures will keep external stakeholders apprised, as well as the company’s board members.

With the very real consequences of data security incidents for organizations, their employees, and their clients, cybersecurity will continue to be a key issue for companies’ executive teams and boards. Even though the Rule does not require it, companies should do what they can to ensure that some members of their boards have the necessary expertise.

The Constangy Cyber Team assists businesses of all sizes and industries with implementing necessary updates to their privacy and compliance programs to address these complex and evolving developments. If you would like additional information on how to prepare your organization, please contact us at cyber@constangy.com.

The Constangy Cyber Advisor posts regular updates on legislative developments, data privacy, and information security trends. Our blog posts are informed through the Constangy Cyber Team's experience managing thousands of data breaches, providing robust compliance advisory services, and consultation on complex data privacy and security litigation.
