Is Your Board Prepared for New Cybersecurity Regulations?

A proposed SEC rule would require companies to disclose their cybersecurity governance capabilities.

by

Keri Pearlson

and

Chris Hetner

by

Keri Pearlson

and

Chris Hetner

November 11, 2022

photoman/Getty Images

Summary.

A proposed SEC rule will require companies to disclose their cybersecurity governance capabilities, including the board’s oversight of cyber risk, a description of management’s role in assessing and managing cyber risks, the relevant expertise of such management, and management’s role in implementing the company’s cybersecurity policies, procedures, and strategies. Meeting the new regulatory requirements can be better achieved by aligning how operational leaders discuss cybersecurity with their boards. Operational managers must start presenting their plans in a way that align with the way boards best contribute — the language of risk, resiliency, and reputation.

Boards are now paying attention to the need to participate in cybersecurity oversight. Not only are the consequences sparking concern, but the new regulations are upping the ante and changing the game.

KP

Keri Pearlson is the executive director of the research consortium Cybersecurity at MIT Sloan (CAMS). Her research investigates organizational, strategic, management, and leadership issues in cybersecurity. Her current focus is on the board’s role in cybersecurity.
CH

Chris Hetner served as the senior cybersecurity advisor to SEC chairs White and Clayton and currently is a senior advisor at The Chertoff Group, a special advisor for cyber risk at NACD, and Co-Chair Cybersecurity and Privacy, NASDAQ Center for Board Excellence Insights Council.

Is Your Board Prepared for New Cybersecurity Regulations?

Partner Center

Explore HBR

HBR Store

About HBR

Manage My Account

Follow HBR