Article Brief 1 of 5 from Clearwater Founder and Executive Chairman, Bob Chaput
The Securities and Exchange Commission (SEC) has proposed new changes and increased regulations that would significantly increase reporting and disclosure requirements around cybersecurity and ECRM for publicly traded companies.
What do these changes require and how does this apply to healthcare organizations, many of which are not-for-profit? Clearwater Founder and Executive Chairman, Bob Chaput, is breaking it all down for healthcare executives and their boards of directors in a new blog series on his website, bobchaput.com. Here are a few highlights Bob covers in the first of the five articles in his series.
Why should not-for-profit hospitals, health systems, and other covered entities pay attention to these proposed changes?
While the SEC regulations apply to publicly traded companies, these proposed changes should be considered by all organizations, especially healthcare HIPAA covered entities and their business associates. Many frontline healthcare delivery organizations are not-for-profit, non-public entities. At the same time, they are part of public companies’ supply chain and part of the national critical infrastructure. Other organizations in the healthcare ecosystem are private companies with exit strategies that may include going public or being acquired by a strategic public company. Additionally, many not-for-profit healthcare organization boards include directors who are also executives or directors at publicly traded companies who will guide these not-for-profit organizations to adopt SEC disclosure changes as best practices.
What could be required?
There are four specific proposals, aligned with the key SEC proposals, that I will cover separately in this blog series. The proposed changes address:
- Reporting of Cybersecurity Incidents on Form 8-K
- Disclosure about Cybersecurity Incidents in Periodic Reports
- Disclosure of a Registrant’s Risk Management, Strategy and Governance Regarding Cybersecurity Risks
- Disclosure Regarding the Board of Directors Cybersecurity Expertise
Why are these changes being proposed?
Cybersecurity risks and incidents can impact the financial performance or position of a company. Consistent, comparable, and decision-useful disclosures regarding an organization’s cybersecurity risk management, strategy, and governance practices, as well as a company’s response to material cybersecurity incidents, would allow investors to understand such risks and incidents, evaluate a company’s risk management and governance practices regarding those risks, and better inform their investment and voting decisions.
The proposed cybersecurity disclosure rule changes are all about what the SEC believes are full, fair, and truthful disclosures. “The proposed amendments are intended to better inform investors about a registrant’s risk management, strategy, and governance and to provide timely notification of material cybersecurity incidents.”
How can management and the board start preparing?
While I will get into the detailed requirements in upcoming posts in this series, it is not too early for the C-suite and the board to prepare for these prospective changes. Arguably, there are risks in managing these proposed changes: legal, regulatory, and strategic risks. Here are several starter questions:
- What team of executives should be assembled to examine these requirements, monitor the rule change process, and report to the board?
- What standing board or ad hoc committee will oversee the work of this executive team? Or will it be the whole board?
- What clarifications need to be made regarding the role of management vis-à-vis the role of the board regarding these potential changes?
- What is your ability today to meet these prospective requirements? (More detail on this question will follow in future posts.)
- What is your risk appetite for managing these pending requirements?
- To whom can you turn for advice and counsel on these proposed changes?
- What are your current risk management policies, procedures, and practices? At first blush, how do they stand up to the proposed disclosure requirements?
- Do you have appropriate enterprise risk management and cybersecurity expertise on your board?