The SEC and Boards’ Search for Cybersecurity Expertise

Cybersecurity is in the spotlight among boards of directors, with long-anticipated US Securities and Exchange Commission (SEC) rules expected to make a significant impact if passed. Security incidents typically trigger full-board involvement in cyber-risk oversight, but if new stringent SEC rules pass, cybersecurity may figure more prominently on board agendas.

The proposed rules will influence how cybersecurity is prioritized, overseen, and reported on. Boards may need to ramp up their cybersecurity literacy and shift assessments to focus more on quantification and oversight. Aside from more stringent reporting—regarding material incidents, cyber-risk management, and policies—the SEC would require that boards disclose and describe any cybersecurity expertise directors hold.

Concern about the prosecution of Uber Technologies’ former chief security officer (CSO) Joseph Sullivan, who was charged with failing to disclose a breach and a ransom paid during his tenure, has changed the views of CSOs (and CISOs) concerning their liability. Many companies have already acted on this through CSO/CISO inclusion in directors’ and officers’ insurance, standalone insurance, or other measures.

Meanwhile, 90 percent of companies have, to some degree, been impacted by ransomware in the past 12 months, up from 72.5 percent a year ago.

The Uncertain Extent of Expertise

It’s difficult to conclude from the draft proposal what the SEC means by “expertise.” After purposefully declining to define the term, the proposal includes examples such as: “prior work experience in cybersecurity; any relevant degrees or certifications; any knowledge, skills, or other background in cybersecurity.”

Some boards have introduced assessments for current members to assess their capabilities and understanding from a cybersecurity perspective. Some examples of assessment statements, which directors would agree with on a scale of 1–5, include the following:

• The board feels confident in the company’s cybersecurity investments and its assumed cyber risk.

• The board understands its role in the event of an incident and the legal implications of cyber risks.

• The board understands where the company’s data sits and has implemented appropriate controls to manage unacceptable risks.

• The board feels confident that the company has well-defined cyber-risk ownership with cybersecurity as an enterprise-wide risk management issue.

Without more specific guidance, boards must decide whether consistent briefings from internal security executives satisfy this expertise clause or whether a cybersecurity expert must hold a permanent board seat. 

Restructuring Risk Management

Cyber-risk management typically includes bucketing risk according to how it is approached. In its Director’s Handbook on Cyber-Risk Oversight, NACD recommends that “discussions about cyber risk should include the identification of risks to avoid, accept, mitigate, or transfer, as well as specific plans for each approach.”

Deciding how much cyber risk to accept requires understanding what could be lost, how it could be lost, and what it could cost. This requires knowledge of data classification, effective controls, data backup, and recovery, as well as business continuity planning. Financial consequences, as well as capital allocation other than insurance for mitigation, may need to be assigned to each potential risk.

Alternatively, when investments in cybersecurity are effective and targeted, they can lead to savings in other risk-management categories, such as acceptance and transference. Zero trust approaches, for instance, can help organizations hide their attack surfaces from the open Internet, shielding them from some financial damage.

Achieving Expertise

The pace of change in cybersecurity means boards’ pursuit of expertise must be non-stop. Take the infamous Log4j vulnerability. Before threat researchers saw it used in the wild, it was virtually unknown. But due to the ubiquity of the affected software, the ease of exploiting it, and the ability Log4j gave hackers to conduct espionage campaigns, it’s been called one of the most critical vulnerabilities ever discovered. Artificial intelligence-enabled tools such as GPT-4 may only accelerate the pace of change.

Regular briefings from information technology security executives should form the baseline of boards’ education. There are signs of progress. NACD has found that 83 percent of boards surveyed agree that their understanding of cyber risk has significantly improved compared to two years ago. The next step is to proactively measure and mitigate cyber risk while boosting resilience. 

Short of appointing seasoned cybersecurity professionals to demonstrate expertise, here are recommendations for boards:

• Get up to speed on cyber risk. Audit and risk committee members shouldundergo the most intensive training by attending third-party training and earning certifications. Briefings from internal executive team leaders are invaluable, but they can be colored by bias and a desire to look good in front of the board. There is no substitute for impartial expertise.

• Become the expert. While absolute cybersecurity is unattainable, boards can tightly control risk by digging deep with security teams to understand their companies’ exposure. This includes supply chain risk, industry-specific threats, and the overall threat landscape.

• Guide the organization’s risk management strategy. After understanding cybersecurity fundamentals and the organization’s risk profile, it comes time to advise on risk mitigation strategies. Industry-accepted best practices such as multi-factor authentication, least-privilege access, and zero trust network architecture ensure maximum coverage. Enacting these controls is a process rather than a switch, but the journey should be reported on regularly by a CSO or chief information officer to ensure progress.

• Enlist outside assistance. Understanding processes, controls, and evidence of those controls is the only way to understand an organization’s vulnerability to threats. Two common ways of doing this are NIST-based assessments and enlisting red teams of external hackers to test the company’s defenses and explain how they overcame them.

Should the SEC inquire about cybersecurity expertise, however, it’s defined, your board should be prepared to explain yours. Taking these steps will ensure that you are.

Andy Brown is a member of Zscaler’s board of directors and CEO of Sand Hill East.