It’s rainy season for proposed SEC cybersecurity rules. The first watershed was proposed regulations targeting investment companies’ and advisers’ cybersecurity preparedness. See “SEC Plants New Cybersecurity Regulations; Time Will Tell What Will Bloom.” The next torrent arrived on March 9 and threatens to soak public companies. See “Four Takeaways From the SEC’s Proposed Cyber Rule for Public Companies.”
While the proposals differ in many respects, the forecast is clear:
- Increased disclosure obligations regarding cybersecurity preparedness and incidents;
- Additional cybersecurity incident reporting obligations with tight time frames;
- More uniformity in cybersecurity notices/disclosures; and
- A call for greater board of directors’ involvement in overseeing cybersecurity policies and procedures.
Here are five steps for staying dry through the downpour:
- Evaluate cybersecurity incident detection, investigation, and response procedures to help meet the tighter incident reporting time frames. Consider:
  - Solidifying and updating data maps (i.e., where is the company’s data, and who holds it?);
  - Revising and testing incident response plans, including a defined step for promptly assessing whether an incident is material, since the proposed public company rule’s disclosure clock runs from that determination rather than from initial discovery;
  - Developing relationships with key third parties, including law enforcement, forensic firms, and counsel, before an incident occurs; and
  - Identifying outside counsel and media relations personnel to assist in drafting disclosures and responding to what is often near-immediate investor, regulator, and other third-party scrutiny.
- Consider including at least one individual with cybersecurity experience on the board of directors.
- Have cybersecurity as a standing agenda item at board meetings.
- Revisit retention and succession planning for key cyber leaders and advisers, as competition for cyber talent tightens.
- Prepare for increased regulatory scrutiny and class action litigation regarding cybersecurity preparedness and incident response.
With good preparation, a flash flood won’t ruin your harvest.