(844) 627-8267
(844) 627-8267

Cybersecurity Risks and Privacy Rules Add Pressure on Boards | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware

Companies shouldn’t wait for new rules around cybersecurity, privacy and emerging technologies to be finalized before preparing for them, lawyers say, particularly as senior executives with the right experience can be hard to come by.

Proposed cybersecurity rules from the Securities and Exchange Commission would require public companies to disclose which board members have security knowledge or experience, along with details about the board’s approach to cyber oversight. The SEC published draft rules in March 2022 and is expected to finalize them in the coming months. 

“The board issue is coming fast and furious onto the table around the world,” Dominique Shelton Leipzig, a partner in the cybersecurity and data privacy practice at law firm Mayer Brown, said.

The SEC wants to see more transparency and board expertise to better protect investors from expensive and disruptive cyberattacks, said Kristy Littman, a partner at law firm Willkie Farr & Gallagher who until July 2022 was chief of the crypto assets and cyber unit in the SEC’s division of enforcement. Littman was speaking at the WSJ Pro Cybersecurity Forum on Wednesday.

Companies should start looking now for directors with cyber expertise or hire experts to advise them because there will be competition for a small pool of such people, she said, speaking at the forum. 

Advertisement – Scroll to Continue

“Directors don’t grow on trees and, certainly, directors with cybersecurity experience don’t grow on trees,” she said. 

A barrage of legal proposals and recent regulatory penalties are also forcing corporate executives and directors to pay closer attention to their companies’ privacy and cybersecurity measures. In the European Union, upcoming rules on artificial intelligence and last month’s record-high privacy fine of $1.3 billion against
parent company Meta Platforms are piling onto executives’ list of concerns. The ruling said Meta exposed European users’ data to surveillance by the U.S. government. Meta has said it would appeal the ruling. 

Regulators are striving to catch up with the fast pace of technology development, especially in AI, which encompasses both privacy and security risk. The C-suite as well as the board should get involved in discussions about AI before business units and the tech team build expensive applications using the technology because upcoming rules could require them to make substantial changes to how those systems handle data, Shelton Leipzig said.

Advertisement – Scroll to Continue

In a survey of 472 corporate board directors, 30% rated their board’s ability to oversee a cyber crisis as “expert” or “advanced,” according to a WSJ Pro Research survey published in March. 

A number of other coming regulations also call for boards to step up their cyber and data protection competence. The New York State Department of Financial Services proposed changes last year to its cybersecurity rules for financial companies, requiring boards to include experts or hire external advisers in 15 different domains including network security, consumer data privacy and third-party service management. The agency is reviewing public comments on the amendments. 

It would be unrealistic for any one director to have such a range of expertise, said Shelton Leipzig. Many companies will opt to hire consultants to help directors ask the right questions of chief information security officers and other executives responsible for data risks, she said.

Advertisement – Scroll to Continue

James Rundle contributed to this article.

Write to Catherine Stupp at [email protected]


Click Here For The Original Source.

National Cyber Security