Cultivating cybersecurity culture: Ethics, compliance, and the SEC’s new disclosure rule

Emily Miner is Vice President, Advisory Services for LRN in Jacksonville, Florida, USA.

No organization today can afford to underestimate the threat posed by cybersecurity attacks. Recognizing the potential impact of such risks on investor decision-making, in July the U.S. Securities and Exchange Commission (SEC) ramped up its regulatory approach. Its new rules require public companies to report material cybersecurity incidents quickly (within four days) and to disclose their risk management processes every year in a standardized form.

Yet, it’s not enough for companies simply to meet the letter of these rules. If their cybersecurity compliance programs are to be truly robust, organizations must have a strong ethical culture that pervades all levels. Having the right ethos, values, and environment—as well as appropriate policies, procedures, and controls—ensures that employees not only know what the rules are but, crucially, that they also understand the underlying reasons behind compliance requirements.[1] It may sound obvious, but it’s often overlooked: an ethical culture helps people make appropriate decisions and take effective actions, making it a cornerstone of data security resilience in today’s challenging climate.
