Sid Mody, Andrew J. Geist, Shelly Heyduk, Bill Martin, and Anna Xie discuss the implications of recent actions by the SEC. They write, in part:
In sending a Wells Notice to SolarWinds’s CISO, the SEC has put CISOs generally on high alert that the agency is focused on how such professionals may be involved in company missteps concerning cybersecurity issues. Managing cybersecurity at a large company often involves multiple layers of personnel involved in different aspects of complex processes, and the SEC may face challenges in investigating, and possibly charging, future CISOs. CISOs and their companies—working with counsel—should take care to design processes to detect cyber incidents and have appropriate governance around evaluating and escalating them, so that the people who are responsible for making disclosure decisions can receive timely and accurate information.
As illustrated by the First American Financial case, it is imperative that an incident response plan includes up-the-ladder reporting so that senior company personnel can effectively evaluate incidents and make appropriate disclosures. Employees should promptly report cyber incidents to the company’s disclosure committee to facilitate timely and effective disclosure assessments. Moreover, companies and their CISOs should ensure that there is sufficient Board oversight of mission-critical risks—particularly considering the SEC’s proposed rules to mandate enhanced disclosures about the Board’s role in overseeing a company’s cybersecurity risk.
Read more at CPO Magazine.