When Security Fails: Increasing focus at the SEC on cybersecurity disclosures and internal controls


Virtually all of the world’s commercial data and information has become remotely accessible from almost anywhere, leading to an explosion in corporate productivity and efficiency, and an endless stream of hackers hoping to derive criminal benefit from it. The recent COVID-19 lockdowns and mass migration to remote work have highlighted both the power and the ongoing vulnerabilities of this evolution. To help investors understand evolving risks, the Securities and Exchange Commission (SEC) has shown an ever-increasing focus on cybersecurity disclosures in recent years, and that trend will almost certainly continue, with new rule changes expected in April this year.

In a keynote address on Jan. 24, SEC Chairman Gary Gensler said, “Unfortunately, cyber incidents happen frequently. History and every study of human nature tells us they will continue to happen… Given this and the evolving cybersecurity risk landscape, we at the SEC are working to improve the overall cybersecurity posture and financial sector resilience.” A key focus for Chairman Gensler is the need to develop more consistent disclosures, noting that “companies and investors would benefit equally if [cyber risk disclosures] were presented in a consistent, comparable and decision-making manner.”

