
THIS IS AN OPINION
An uncontroversial issue lurks quietly beneath the more turbulent environmental, social and corporate governance (ESG) waters: cybersecurity.
Regulators are releasing guidance on security measures and best practices, prescriptions that have broadened beyond institutional resiliency to include monitoring and management of vendors and suppliers. This trend stems in part from broadly applied international and state consumer privacy laws that require disclosure of related parties that handle data and permit individuals to bring lawsuits over unreasonable security practices.
Here are some recent examples:
The Federal Trade Commission amends the Gramm-Leach-Bliley Act Safeguards Rule. As of June 9, the FTC requires financial institutions to maintain and update company cybersecurity policies to include:
A “qualified individual” to oversee the institution’s information security system and regularly report to the board of directors;
Risk assessments of security programs;
Additional administrative, technical and physical safeguards;
Regular testing of security controls and safeguards;
Adequate internal training on security processes;
Oversight and assessment of third-party service providers for security program compliance; and
Written incident-response plans.
Securities & Exchange Commission rules for public companies and investment entities. On July 26, the SEC adopted rules on public company cybersecurity processes, including disclosure of (1) material incidents within four business days; (2) a description of processes for assessing, identifying and managing risks from cybersecurity threats; and (3) the board of directors’ oversight of, and the role and expertise of management in, assessing and managing those risks. The SEC has also proposed rules for investment advisers and companies requiring periodic risk assessments, minimization of user-related risks, protection of information held by third-party service providers, cybersecurity threat and vulnerability management, and measures to respond to and recover from cybersecurity incidents.
Financial institution guidance on third parties. In early June, the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corp. and the Federal Reserve Board finalized guidance on the third-party relationship life cycle, including planning, due diligence and third-party selection, contract negotiation, ongoing monitoring and termination. The Federal Financial Institutions Examination Council publishes an examination handbook with prescriptions for handling information security risks. And the Consumer Financial Protection Bureau recommends overseeing third-party relationships to ensure compliance with consumer-finance laws.
Bank and credit union incident notification. Federally regulated banks must now notify regulators of material computer security incidents within 36 hours, and bank service providers must promptly notify consumers of incidents that cause material service disruption. Starting in September, federally insured credit unions must report some cyber incidents to the National Credit Union Administration within 72 hours.
Whether mandated or not, these standards affect all businesses. Regulated companies must achieve reasonable compliance. But any company that fails to adopt cybersecurity initiatives — including active vendor and supplier management — will be left defending a decision to ignore evolving standards that lower-cost solutions now make practical to meet.
And for those businesses planning to acquire or sell, cybersecurity affects deal value and time to close, and good governance generally signals sophistication and trust.
So in this and coming years, don’t forget the “C” in ESG and make cybersecurity a corporate governance priority.
