Overview of the SEC “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure” Proposed Rule Changes

Article Brief 1 of 5 from Clearwater Founder and Executive Chairman, Bob Chaput

The Securities and Exchange Commission (SEC) has proposed rule changes that would significantly increase reporting and disclosure requirements around cybersecurity and enterprise cyber risk management (ECRM) for publicly traded companies.

What do these changes require and how does this apply to healthcare organizations, many of which are not-for-profit? Clearwater Founder and Executive Chairman, Bob Chaput, is breaking it all down for healthcare executives and their boards of directors in a new blog series on his website, bobchaput.com. Here are a few highlights Bob covers in the first of the five articles in his series.

Why should not-for-profit hospitals, health systems, and other covered entities pay attention to these proposed changes?

While SEC regulations apply only to publicly traded companies, these proposed changes should be considered by all organizations, especially HIPAA-covered entities and their business associates. Many frontline healthcare delivery organizations are not-for-profit, non-public entities. At the same time, they are part of public companies' supply chains and part of the national critical infrastructure. Other organizations in the healthcare ecosystem are private companies whose exit strategies may include going public or being acquired by a strategic public company. Additionally, many not-for-profit healthcare organization boards include directors who are also executives or directors at publicly traded companies, and who will guide these not-for-profit organizations to adopt the SEC disclosure changes as best practices.

What Could Be Required?

There are four specific proposals, aligned with the key SEC proposals, that I will cover separately in this blog series. The proposed changes address:

Why are these changes being proposed?

Cybersecurity risks and incidents can impact the financial performance or position of a company. Consistent, comparable, and decision-useful disclosures regarding an organization’s cybersecurity risk management, strategy, and governance practices, as well as a company’s response to material cybersecurity incidents, would allow investors to understand such risks and incidents, evaluate a company’s risk management and governance practices regarding those risks, and better inform their investment and voting decisions.

The proposed cybersecurity disclosure rule changes are all about what the SEC considers full, fair, and truthful disclosure. In the SEC's words: "The proposed amendments are intended to better inform investors about a registrant's risk management, strategy, and governance and to provide timely notification of material cybersecurity incidents."

How can management and the board start preparing?

While I will get into the detailed requirements in upcoming posts in this series, it is not too early for the C-suite and the board to prepare for these prospective changes. Arguably, there are risks in managing these proposed changes: legal, regulatory, and strategic risks. Here are several starter questions:

  1. What team of executives should be assembled to examine these requirements, monitor the rule change process, and report to the board?
  2. What standing board or ad hoc committee will oversee the work of this executive team? Or will it be the whole board?
  3. What clarifications need to be made regarding the role of management vis-à-vis the role of the board regarding these potential changes?
  4. What is your ability today to meet these prospective requirements? (More detail on this question will follow in future posts.)
  5. What is your risk appetite for managing these pending requirements?
  6. To whom can you turn for advice and counsel on these proposed changes?
  7. What are your current risk management policies, procedures, and practices? On first blush, how do they stand up to the proposed disclosure requirements?
  8. Do you have appropriate enterprise risk management and cybersecurity expertise on your board?

You can read Bob’s original article in its entirety here.
