SEC Cyber Security Rules: A Game-Changer For CFOs - Talion

In recent years, cyber security risk management has become a significant concern for CFOs. With the implementation of new cyber security rules in the US by the Securities and Exchange Commission (SEC), the stakes have been raised even higher for CFOs and other corporate leaders. This article explores the impact of the SEC’s cyber security rules and the increased personal liability risks faced by CFOs. Additionally, it highlights the Biden administration’s aggressive approach to cyber security enforcement.

The New Rules and Their Implications

Under the new rules, public companies are now required to disclose “material cyber security incidents” to the SEC within four days of their occurrence. This expanded guidance reflects the SEC’s determination to hold corporate executives accountable for their actions, particularly in relation to cyber disclosure. CFOs, as some of the most senior officers in a firm, will face heightened scrutiny under these new regulations.

Lessons from Past Cases

To understand the potential consequences of the new rules, it is important to examine previous cases where cyber security incidents led to regulatory actions. For example, software firm Blackbaud faced a $3 million settlement with the SEC over misleading disclosures related to a ransomware investigation. Similarly, SolarWinds disclosed that its CFO and CISO might face civil enforcement action from the SEC for possible violations related to a cyber attack. These cases serve as a warning to CFOs about the need for proactive cybersecurity measures and accurate disclosure.

Increasing Federal Investigations and Enforcement Actions

The SEC’s new cyber security rules signal an increase in federal cybersecurity investigations and enforcement actions. This heightened scrutiny could expose companies to additional challenges, such as class action litigation from shareholders. CFOs must now have a better understanding of cyber security risks and their implications for the company. Failing to do so could result in securities or breach of fiduciary duty lawsuits.

The Role of CFOs in Cyber Security Incident Evaluation

Given their financial expertise, CFOs are well-positioned to be closely involved in evaluating cyber incidents. They are best suited to determine, in a defensible manner, whether a potential cyber event poses a material risk to the company. However, this involvement also puts CFOs at increased risk of regulatory scrutiny and personal liability. CFOs must carefully navigate this responsibility and ensure they accurately manage and represent the financials of the enterprise.

Enhancing Cyber Security Programs and Disclosure

In addition to mandating disclosure of material cyber security incidents, the SEC’s new rules require public companies to describe their board of directors’ oversight of cyber security risks. These rules are a significant expansion of prior guidance and require businesses to revamp their cyber security programs. CFOs will play a crucial role in implementing effective cyber security strategies, ensuring appropriate disclosure, and certifying the adequacy and effectiveness of these processes.

The SEC’s new cyber security rules have significantly raised the stakes for CFOs and other corporate leaders. CFOs must proactively address cyber security risks, gain a deeper understanding of their implications, and accurately evaluate the materiality of cyber incidents. Compliance with the new rules requires greater transparency, effective cybersecurity programs, and careful navigation of personal liability risks. By embracing these challenges, CFOs can help their organisations navigate the evolving cyber security landscape successfully.
