Issue link: https://digital.shearman.com/i/1019978
Shearman & Sterling LLP Cybersecurity – Board Oversight | 17

Cybersecurity is also an increasingly important issue for governments at all levels. In 2017, the President issued a wide-ranging executive order on cybersecurity, focused on preparedness of federal agencies and critical infrastructure. Congress, through several committees in both the House of Representatives and the Senate, has also been focused on cybersecurity. Over the last year, there have been a number of public hearings where multiple House and Senate committees have called on executive officers of public companies to account for major cybersecurity breaches and compromised consumer personal data. Additionally, members of Congress have proposed a number of pieces of legislation designed to address the cybersecurity preparedness and responsiveness of public companies and impose requirements designed to address the public safety and privacy issues. One such measure would require public companies to appoint a cybersecurity expert to the board or explain to shareholders why one was not necessary. State governments are also focused on cybersecurity matters, with New York imposing new cybersecurity requirements for financial services and insurance companies, adding to the patchwork of industry standards, best practice frameworks and mandatory requirements.

This focus has not been limited to cybersecurity incident preparedness and responsiveness. The increasing collection and use of personal data has led to a growing call for legislative controls and protections focused on personal privacy. Congress has introduced legislation addressing a range of issues, from mandating notification to consumers of data breaches to requiring comprehensive privacy and data protection programs and new liability regimes. Each state has put in place some form of data breach notification legislation.
Outside of the United States, the most prominent example is the General Data Protection Regulation (GDPR), which came into effect in the European Union in 2018. The GDPR imposes stringent and complex requirements on any business operating in the European Union related to the processing of personally identifiable information. These new requirements have imposed and will continue to impose costs, both in terms of implementation and changes to business models, as well as steep fines for inadequate compliance.

Just as many of the largest public companies were preparing their annual reports and right before the 2018 proxy season was in high gear, the SEC, in February 2018, released new interpretive guidance on public company disclosures related to cybersecurity risks and incidents. This guidance also outlined the SEC's views regarding the importance of appropriate disclosure controls and procedures, insider trading policies and selective disclosure safeguards in the context of cybersecurity incidents.

THE SEC WANTS PUBLIC COMPANIES TO:

Maintain disclosure controls and procedures so that individuals responsible for disclosure are promptly alerted of cybersecurity incidents

Describe the role that the board has in cybersecurity-related risk management

Institute policies that restrict the ability of officers, directors and other insiders from trading before determining the materiality and making any necessary disclosure of a cybersecurity incident