SEC Showers Down Proposed Cybersecurity Rules: 5 Steps for Staying Dry
While the proposals differ in many respects, the forecast is clear:
- Increased disclosure obligations regarding cybersecurity preparedness and incidents;
- Additional cybersecurity incident reporting obligations with tight time frames;
- More uniformity in cybersecurity notices/disclosures; and
- A call for greater board of directors’ involvement in overseeing cybersecurity policies and procedures.
Here are five steps for staying dry through the downpour:
- Evaluate cybersecurity incident detection, investigation, and response procedures to help meet the tighter incident reporting time frames. Consider:
  - Solidifying and updating data maps (i.e., where is the company’s data?);
  - Revising and testing incident response plans;
  - Developing relationships with key third parties, including law enforcement, forensics, and counsel; and
  - Identifying outside counsel and media relations personnel to assist in drafting disclosures and responding to what is often near-immediate investor, regulator, and other third-party scrutiny.
- Consider including at least one individual with cybersecurity experience on the board of directors.
- Have cybersecurity as a standing agenda item at board meetings.
- Revisit retention and succession planning for key cyber leaders and advisers, as competition for cyber talent tightens.
- Prepare for increased regulatory scrutiny and class action litigation regarding cybersecurity preparedness and incident response.
With good preparation, a flash flood won’t ruin your harvest.