SEC Showers Down Proposed Cybersecurity Rules: 5 Steps for Staying Dry
While the proposals differ in many respects, the forecast is clear:
- Increased disclosure obligations regarding cybersecurity preparedness and incidents;
- Additional cybersecurity incident reporting obligations with tight time frames;
- More uniformity in cybersecurity notices/disclosures; and
- A call for greater board of directors’ involvement in overseeing cybersecurity policies and procedures.
Here are five steps for staying dry through the downpour:
- Evaluate cybersecurity incident detection, investigation, and response procedures to help meet the tighter incident reporting time frames. Consider:
  - Solidifying and updating data maps (i.e., where is the company’s data?);
  - Revising and testing incident response plans;
  - Developing relationships with key third parties, including law enforcement, forensics, and counsel; and
  - Identifying outside counsel and media relations personnel to assist in drafting disclosures and responding to what is often near-immediate investor, regulator, and other third-party scrutiny.
- Consider including at least one individual with cybersecurity experience on the board of directors.
- Have cybersecurity as a standing agenda item at board meetings.
- Revisit retention and succession planning for key cyber leaders and advisers, as competition for cyber talent tightens.
- Prepare for increased regulatory scrutiny and class action litigation regarding cybersecurity preparedness and incident response.
With good preparation, a flash flood won’t ruin your harvest.