Disclosure of a Registrant’s Risk Management, Strategy, and Governance Regarding Cybersecurity Risks

Article Brief 4 of 5 From Clearwater Founder and Executive Chairman, Bob Chaput

In a continuation of Bob Chaput’s blog series, Overview of the SEC “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure” Proposed Rule Changes, Clearwater’s Founder and Executive Chairman explains the 3rd proposed change by the SEC, Disclosure of a Registrant’s Risk Management, Strategy and Governance Regarding Cybersecurity Risks.

In article 3, Chaput explained the current system of disclosures which requires publicly traded companies to disclose certain types of business and financial data regularly (Regulations S-K). This proposed change would add a requirement at Item 106(b), requiring companies to disclose whether they have a cybersecurity risk assessment program, whether they undertake activities designed to prevent, detect, and minimize the effects of cybersecurity incidents, and how they manage third-party risks.

Chaput outlines the specifics of what’s included under risk management and strategy and governance or precisely the board’s oversight.

The activities under these disclosures represent sound cyber risk management, something healthcare organizations and their boards should have strong strategies around. Chaput recommends healthcare organizations shore up their enterprise cyber risk management strategy with the following activities:

1. Conduct Ongoing Enterprise-wide NIST-quality Risk Assessments
2. Establish Board and Executive Team Governance
3. Adopt the NIST Cybersecurity Framework
4. Implement the NIST “Managing Information Security Risk” Process
5. Engage Your Executive Risk Insurance Brokers
6. Measure the Maturity of Your ECRM Program

While this only represents a partial list of cybersecurity best practices, they are examples of the items that, had they been completed, would be relevant to disclose and would all meet the SEC’s goal of providing greater transparency regarding the registrant’s strategies and actions to manage cybersecurity risks.

As risk oversight is one of the top three responsibilities of a board of directors, along with strategy and leadership, Chaput suggests the following questions for leaders and boards of directors in preparation for complying with this proposed disclosure addition:

1. Is your enterprise cyber risk management (ECRM) strategy formalized and documented? Are you comfortable disclosing your ECRM strategy to investors?
2. Would your organization’s current risk assessment/risk management work products meet national or international standards, such as those promulgated by NIST or ISO?
3. Does your organization have a formal ECRM governance structure in place? Does it clearly define who makes what decisions, how and when those decisions are made, and what data and facts are used to inform them? Are you comfortable disclosing your ECRM governance structure to investors?
4. What ECRM framework, if any, has your organization adopted? How is it being used? Are you comfortable disclosing your ECRM framework to investors?
5. What ECRM process, if any, has your organization adopted? Is it an industry-standard approach, such as that advanced by NIST or ISO? Are you comfortable disclosing your ECRM process to investors?
6. What ECRM maturity model, if any, has your organization adopted? Is it an industry-standard approach, such as that advanced by NIST or ISO?  Are you comfortable disclosing your ECRM maturity model to investors?
7. Are the roles and responsibilities of management and the board spelled out and practiced?
8. Is risk management integrated into business strategy, leadership, and financial oversight?

This is just a snapshot of Bob Chaput’s article, Disclosure of a Registrant’s Risk Management, Strategy, and Governance Regarding Cybersecurity Risks. You can read the full article here.