SEC Final Rules "Show Your Work"
Lee Parrish
Vice President & Chief Information Security Officer | Author | Boardroom Qualified Technology Expert (DDN) | CIO | Infrastructure Leader | Human Resources | Combat Veteran USMC
Final rules delivered from the Securities and Exchange Commission’s Open Meeting this morning outlined the requirements for registrants to disclose a variety of cybersecurity related matters. Noticeably absent from the final rules was the previously proposed rule to disclose board members with cybersecurity expertise. Instead, it requires disclosure of management’s role and expertise in assessing and managing material risks from cybersecurity threats.
At first glance, it would appear that the final rules fell short; admittedly, it would have been best to require such disclosure of expertise at the board level. However, the final version does ultimately shed more light on the criticality of cybersecurity as a business issue. Yet, I feel there is an inherent mandate in the new rules that indirectly speaks to board expertise. Regulation S-K Item 106 requires registrants to describe in Form 10-K their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats… and requires descriptions of the board of directors’ oversight of risks from cybersecurity threats and of management’s role and expertise in assessing and managing material risks from cybersecurity threats. To me, this implies that in order to describe the oversight and processes, the board member must know, and importantly, understand those processes well enough to disclose them.
In my eighth-grade math class, my teacher would give us homework to practice what we learned that day. We would write down our final answers and submit them for a grade. About halfway through the year, we progressed into more difficult concepts such as algebra, and our teacher then uttered the words that every kid hates to hear: “I want you to show your work”. No longer was it enough to have the final answer, wherever it came from; now we were being graded on the final answer as well as on our competency and thought process for deriving it. The SEC final rules, for me, equate to “I want you to show your work”.
Cybersecurity will only continue to evolve as a critical business issue, and many companies have already self-regulated to bring cyber expertise to the boardroom ranks. I am certain more mandates are on the horizon to force the issue for the others. Regardless, whether it is the SEC or unwanted involvement from another three-letter entity, the APT, external forces will continue to drive involvement from the highest level of corporate governance. I welcome the final rules and feel we are slowly heading in the right direction. I would be interested in your thoughts as well.
Chief Marketing Officer | Product MVP Expert | Cyber Security Enthusiast | @ GITEX DUBAI in October
4 months
Lee, thanks for sharing!
Scaling E-com brands over 6 figures
1 year
Nice article. I agree that this move is a step in the right direction, mostly because it pushes companies to be more open about how they handle cybersecurity. Along with your analogy, it's like making sure students not only have the right answer but also understand how they got there. In this rapid progression of remote threats, this kind of transparency is essential to keeping businesses and their data safe.
Head of Marketing at Kovrr | Cyber Risk Quantification
1 year
The analogy brought back bad memories, but spot on!