In 2004 CalOPPA became law and effectively required all websites to post a privacy policy. It contained no substantive privacy requirements, but it nevertheless significantly improved consumer privacy. Whatever a company stated in its privacy policy then had to be followed, with the FTC and several states taking action against companies that used their consumers’ data in ways not authorized by their own policy. While companies were free to set any policy – for example stating that they won’t protect your data, that they’ll share it with anyone for any reason, and that they’ll store it forever – they likely believed that such a policy would discourage people from handing over their data in the first place, and so they set more protective policies.
In this way the requirement to disclose privacy practices led to those practices becoming significantly better. The SEC (Securities and Exchange Commission) now requires publicly traded companies to discuss their cybersecurity risk management and governance in their annual Form 10-K filing. There is no requirement for companies to implement any cybersecurity program or governance; the rule only requires companies to state what those are, if they exist. I recently listened to the Cyber Risk Management Podcast episode about the new SEC disclosure rules, including this one, and the hosts discussed whether this rule would have a significant impact on the cybersecurity of organizations.
The new requirements have two parts. First, companies must disclose their cybersecurity risk management strategy: how they identify, assess and address cybersecurity risks, and whether they rely on third parties such as assessors, consultants or auditors to do so. They must also describe the cybersecurity threats they face, including any threats or prior incidents that have had a material impact on the company, and any threats that are reasonably likely to materially affect it.
Companies must also describe their governance of cybersecurity, identifying any board of directors committee that oversees cybersecurity risk. They must also describe what management positions address those risks, as well as the relevant expertise of those people involved. Finally, they must describe the processes by which cybersecurity activities (incident prevention, monitoring, response, etc.) are reported upwards to those people and the board.
Using the parallel to CalOPPA’s disclosure requirements, I think these rules will significantly improve the cybersecurity posture of companies. This is especially true when coupled with the SEC’s prosecution of SolarWinds and its CISO over allegedly untrue statements they made in their disclosures.
The SEC IAC (Investor Advisory Committee) made a public comment that “issuers that have not developed any cybersecurity policies or procedures [should] be required to make a statement to that effect” because “the vast majority of investors . . . would view the complete absence of cybersecurity risk governance as overwhelmingly material to investment decision-making.” Unwilling to make such a statement, and facing the growing threat of SEC action should they misrepresent their cybersecurity, companies with poor cybersecurity governance and management will quickly develop those policies and procedures, along with the governance to go with them.
Information about CalOPPA from:
https://en.wikipedia.org/wiki/California_Online_Privacy_Protection_Act
A Short and Happy Guide to Privacy and Cybersecurity Law by John Garon
Inspiration and general overview of the new SEC rules:
The Cyber Risk Management Podcast, EP 148: SEC Disclosure Rules on Cybersecurity https://cr-map.com/podcast/
More details about the SEC rules:
17 CFR 229.106 https://www.ecfr.gov/current/title-17/chapter-II/part-229/subpart-229.100/section-229.106#p-229.106(c)
SEC issued Final Rule 2023-16194 https://www.sec.gov/rules/2022/03/cybersecurity-risk-management-strategy-governance-and-incident-disclosure
Information about SEC action against Solarwinds:
The Cyber Risk Management Podcast, EP 147: SEC Complaint against SolarWinds Corporation https://cr-map.com/podcast/