SEC Showers Down Proposed Cybersecurity Rules: 5 Steps for Staying Dry

It’s rainy season for proposed SEC cybersecurity rules. The first watershed was proposed regulations targeting investment companies’ and advisers’ cybersecurity preparedness. See “SEC Plants New Cybersecurity Regulations; Time Will Tell What Will Bloom.” The next torrent arrived on March 9 and threatens to soak public companies. See “Four Takeaways From the SEC’s Proposed Cyber Rule for Public Companies.”

While the proposals differ in many respects, the forecast is clear:

  • Increased disclosure obligations regarding cybersecurity preparedness and incidents;
  • Additional cybersecurity incident reporting obligations with tight time frames;
  • More uniformity in cybersecurity notices/disclosures; and
  • A call for greater board of directors’ involvement in overseeing cybersecurity policies and procedures.

Here are five steps for staying dry through the downpour:

  1. Evaluate cybersecurity incident detection, investigation, and response procedures to help meet the tighter incident reporting time frames. Consider:
    • Solidifying and updating data maps (i.e., where is the company’s data?);
    • Revising and testing incident response plans;
    • Developing relationships with key third parties, including law enforcement, forensics, and counsel; and
    • Identifying outside counsel and media relations personnel to assist in drafting disclosures and responding to what is often near-immediate investor, regulator, and other third-party scrutiny.
  2. Consider including at least one individual with cybersecurity experience on the board of directors.
  3. Have cybersecurity as a standing agenda item at board meetings.
  4. Revisit retention and succession planning for key cyber leaders and advisers, as competition for cyber talent tightens.
  5. Prepare for increased regulatory scrutiny and class action litigation regarding cybersecurity preparedness and incident response.

With good preparation, a flash flood won’t ruin your harvest.

©2024 Carlton Fields, P.A.