New SEC Cyber Rules Present Challenges, Opportunities for Security Leaders

Submitted by cwhitworth on Wed, 08/31/2022 - 09:58

Brian Watson

Security leaders: The Securities and Exchange Commission (SEC) is weighing new rules for cybersecurity risk management and incident reporting for public companies. How much do you and your organizations need to prepare?

If the proposals are formalized (which is possible any day now), public companies will be required to:

  • Disclose (through regulatory filings) details of any material cybersecurity incident within four business days;
  • Detail their cybersecurity risk management strategy and its correlation to business strategy and financial planning; and
  • Outline the board’s oversight of cybersecurity risk management – including the cybersecurity expertise of specific board members

Several legal and business groups, including the National Association of Corporate Directors (NACD), have voiced their support, while others have argued that the proposed rules are overly prescriptive and require board members to operate more like corporate executives.

Regardless, the proposals will certainly require CISOs and CIOs to become better communicators—specifically in translating cybersecurity risks and data into business risks that the board can easily understand. That’s no easy task, but it’s also long overdue. For CISOs to truly become strategic players in the C-suite, they need to speak the language of business.

Cyber issues have become a more pressing priority for boards over the past few years, and these new rules would only heighten that focus. Yes, that will bring more board scrutiny of security leaders, but it will also forge better relationships between the two camps. That’s one of the upshots.

Here’s another: You will likely see more of your peers appointed to boards, as companies look for more expert oversight of their cyber strategy. That means you may have new allies to help educate and inform nontechnical board members about your cybersecurity plans.

This was a big topic of conversation in both my panel discussion and other sessions at a recent CISO conference. I heard both pros and cons about the proposed rules. What do you think about them? What immediate impacts do you foresee them having on your organization and strategy?

Please tell us at!