Overview of the SEC “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure” Proposed Rule Changes

Article Brief 1 of 5 from Clearwater Founder and Executive Chairman, Bob Chaput

The Securities and Exchange Commission (SEC) has proposed new changes and increased regulations that would significantly increase reporting and disclosure requirements around cybersecurity and ECRM for publicly traded companies.

What do these changes require and how does this apply to healthcare organizations, many of which are not-for-profit? Clearwater Founder and Executive Chairman, Bob Chaput, is breaking it all down for healthcare executives and their boards of directors in a new blog series on his website, bobchaput.com. Here are a few highlights Bob covers in the first of the five articles in his series.

Why should not-for-profit hospitals, health systems, and other covered entities pay attention to these proposed changes?

While the SEC regulations apply to publicly traded companies, these proposed changes should be considered by all organizations, especially healthcare HIPAA covered entities and their business associates. Many frontline healthcare delivery organizations are not-for-profit, non-public entities.  At the same time, they are part of public companies’ supply chain and part of the national critical infrastructure.  Other organizations in the healthcare ecosystem are private companies with exit strategies that may include going public or being acquired by a strategic public company.  Additionally, many not-for-profit healthcare organization boards include directors who are also executives or directors at publicly traded companies who will guide these not-for-profit organizations to adopt SEC disclosure changes as best practices.

What Could be Required?

There are four specific proposals, aligned with the key SEC proposals, that I will cover separately in this blog series. The proposed changes address:

Why are these changes being proposed?

Cybersecurity risks and incidents can impact the financial performance or position of a company. Consistent, comparable, and decision-useful disclosures regarding an organization’s cybersecurity risk management, strategy, and governance practices, as well as a company’s response to material cybersecurity incidents, would allow investors to understand such risks and incidents, evaluate a company’s risk management and governance practices regarding those risks, and better inform their investment and voting decisions.

The proposed cybersecurity disclosure rule changes are all about what the SEC believes are full, fair, and truthful disclosures.  “The proposed amendments are intended to better inform investors about a registrant’s risk management, strategy, and governance and to provide timely notification of material cybersecurity incidents.”

How can management and the board start preparing?

While I will get into the detailed requirements in upcoming posts in this series, it is not too early for the C-suite and the board to prepare for these prospective changes. Arguably, there are risks in managing these proposed changes: legal, regulatory, and strategic risks. Here are several starter questions:

  1. What team of executives should be assembled to examine these requirements, monitor the rule change process, and report to the board?
  2. What standing board or ad hoc committee will oversee the work of this executive team? Or will it be the whole board?
  3. What clarifications need to be made regarding the role of management vis-à-vis the role of the board regarding these potential changes?
  4. What is your ability today to meet these prospective requirements? (More detail on this question will follow in future posts.)
  5. What is your risk appetite for managing these pending requirements?
  6. To whom can you turn for advice and counsel on these proposed changes?
  7. What are your current risk management policies, procedures, and practices? On first blush, how do they stand up to the proposed disclosure requirements?
  8. Do you have appropriate enterprise risk management and cybersecurity expertise on your board?

You can read Bob’s original article in its entirety here.
