A New Era of Accountability
The Securities and Exchange Commission (SEC) is signaling a significant shift in how public companies must manage and report cybersecurity. In addition to its proposed rule changes, the SEC has taken the unprecedented step of issuing a Wells Notice to SolarWinds executives for their handling of the 2021 breach — raising the stakes for personal liability among executive leadership.
Wells Notices are formal notifications issued when the SEC is planning to bring enforcement action, and they typically precede major regulatory penalties. The message is clear: cybersecurity isn’t just an IT issue — it’s a boardroom and C-suite responsibility.
What the New Rules Propose
Originally drafted in 2022 and expected to be finalized by October 2023, the SEC’s cybersecurity rule proposal affects all Market Entities. The new obligations are both operational and disclosure-based:
Operational Requirements
- Implement policies and procedures reasonably designed to address cybersecurity risks
- Conduct an annual review and assessment of cybersecurity policies, including whether they reflect evolving risk conditions
Disclosure Requirements
The proposed rules also include new transparency mandates aimed at informing markets and stakeholders:
- A four-business-day deadline for disclosing material cybersecurity incidents (starting from the date of materiality determination, not discovery)
- Public disclosures via Form 8-K for material incidents, including:
  - When the incident was discovered and whether it’s ongoing
  - A brief description of the nature and scope of the incident
  - Whether any data was stolen, altered, or misused
  - Operational impact
  - Current remediation status
Governance Disclosures
The SEC also proposes mandatory disclosures regarding cybersecurity governance:
- The board’s oversight role in managing cybersecurity risk
- Whether any individual board members have specific cybersecurity expertise
- Management’s role in identifying, mitigating, and remediating cyber risks
What Boards Should Be Thinking About
I recently attended a panel discussion hosted by a respected executive search firm and a leading technology company. The focus was on the board’s new responsibilities under these rules. Key questions raised:
- Will the “cybersecurity expert” on the board need to be a former Chief Security Officer (CSO)?
- If so, could that expert face greater personal liability in the event of a breach?
- How does the entire board maintain shared accountability without shifting all responsibility to the designated expert?
These are critical governance questions. Boards must prepare not only to meet regulatory expectations but also to manage internal dynamics and legal exposures as cybersecurity grows in strategic importance.
Final Thoughts
As the old Chinese proverb says, “May you live in interesting times.”
If you’re in cybersecurity or risk governance, these are very interesting times indeed.
Thanks for reading.
— Nick