By: Ben Butterfield
The threat of cybersecurity breaches has evolved from a matter of “if” to “when”.
Although shareholder activists and regulators are calling for greater transparency in cybersecurity risk management, fewer than half of U.S. public companies cite cybersecurity as a risk factor in their annual and quarterly SEC filings. That will likely change following the interpretive release the SEC issued on February 21, 2018, which provides guidance for public companies on disclosing cybersecurity risks and incidents.
The SEC emphasized that a company should avoid boilerplate language and tailor its disclosures to its own business and industry, including a discussion of the potential financial, legal or reputational impact of cybersecurity risks or incidents. At the same time, the SEC noted that disclosures should not be so detailed that they compromise a company’s cybersecurity efforts or tip off potential attackers. The guidance also reiterates the existing requirement to disclose, in proxy statements, the board’s role in risk oversight, which extends to oversight of cybersecurity risk.
A documented record of active, engaged and informed oversight by the board will help improve a company’s cyber risk management program. A General Counsel plays an important role in cyber risk mitigation by working with the board to ensure that the relevant stakeholders are involved in budgeting and in prioritizing cyber risks, and that ways to mitigate or transfer those risks (e.g., through contracts or insurance) are thoughtfully and thoroughly considered. This will also help the board meet its fiduciary duties of risk management and oversight.