Getting the board cyber ready: Key takeaways from SEC's new cyber disclosure rules
The new regulations pose questions to the board such as: Does the board have a cyber expert? What are their credentials and how was their expertise determined? How does the board execute its oversight of cyber risks? Does the company consider cybersecurity risks in its business strategy, financial planning, and capital allocation processes?
Companies are also being asked: Do you have a chief information security officer? Where does that person report? What are their credentials? Embedded in these questions is a subtle determination of whether a CISO should report independently of the IT organization, perhaps analogous to the way internal audit functions generally don’t report within the finance organization.
The wide-sweeping rules and requirements will affect registrants and corporate directors alike, perhaps akin in their breadth to the Sarbanes-Oxley Act nearly twenty years ago (which had significant unforeseen burdens and costs for corporations).
Another noteworthy factor is that the regulations would affect small companies as well as large multinationals. Given that virtually all companies are connected by the internet and most supply chains include small dealers, distributors and manufacturers, it’s understandable that the regulations do not exclude companies based on size. We all recall hearing how breaches of larger companies often originate with the less vigilant or resource-challenged smaller companies in their supply chain or their dealer and distributor network.
The regulation does not mandate which board committee should own cyber risk in its remit, so that remains a topic for boards to contemplate. There are pros and cons to consider, and some observe that the audit committee may already be overburdened: does it have the time and expertise to oversee ever-growing cyber risks? Another consideration to be weighed by the board is that audit committees already must meet heightened financial reporting deadlines.
There are specific regulations that are complicated, if not concerning. For example, if there is a material cyber incident, the company will have only four days in which to publicly disclose it once it determines that the incident was, indeed, material. Determining materiality involves both quantitative and qualitative evaluations, and that process needs to be re-examined. Furthermore, the regulations provide that a prior incident that doesn’t rise to the level of materiality on its own may subsequently be deemed material when aggregated with later, similar cyber incidents. The process and protocols for this aggregation will require very thorough board oversight and input.
There are also implied questions: How cyber-ready is the board? Do you have external expert briefings for the board? External experts doing penetration testing? What kind of internal training are you overseeing within the company? Are the directors expected to complete external courses and earn credentials in order to stay current?
Another issue that speaks to the board’s oversight is determining if there’s adequate insurance and planning in the event of a cyber breach. Is the company financially modeling cyber risks based on varying probabilities, from an ordinary event all the way to “Black Swan” scenarios?
In the new regulation, all companies are covered, regardless of sector. A traditional manufacturing organization, like an iron smelting company, might wonder how this new regulation affects it. Media outlets are currently reporting that Russian mobs are breaching the reporting agents of companies right before earnings reports and using that insider information to front-run the stock market. A recent media report detailed an insider trading breach resulting in an estimated $80M in illegal trades on the public market.
With this broad sweeping set of regulations, but without clearly defined ways in which boards can satisfy the burden of the regulations, are we setting ourselves up for a flood of plaintiff litigation?
Of course, we need to do the right things as directors. Of course, we need to be cyber-ready. We need to take this seriously, which presumably directors already do. We are all diligent, engaged, highly committed stewards for all of our stakeholders. That said, we don’t need penalties, threats, huge bureaucratic regulatory burdens and an avalanche of plaintiff lawsuits.
Clearly, we must all be on high alert as public company and private company directors and anticipate a serious threat of cyberattacks on our companies. Things we should be doing:
- Provide cyber training for all employees
- Increase our external third-party resources
- Engage an outside third-party penetration testing firm to review your systems and conduct white-hat and gray-hat cyber exercises against them
- Evaluate back-up systems (assuming there may be a serious attack on the cloud), review the level of your current cyber systems, and consider upgrading your security and cyber software testing
- Build a relationship with a cyber managed services provider that can perform external monitoring to augment what you currently have in house
There is a lot to consider in these unprecedented times, but I urge boards and companies to start preparing now for compliance with these new rules.
For more on how your board can sharpen its cyber governance — in areas ranging from materiality to proxy season to the NIST framework — download this white paper, or enroll in the Diligent Cyber Risk & Strategy Certification course today.