August 23, 2022
August 23, 2022
Earlier this year the US Securities and Exchange Commission (SEC) released proposed cybersecurity disclosure rules to advance risk management and governance regarding cyber risk. To quote the SEC, “The Securities and Exchange Commission… is proposing rules to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and cybersecurity incident reporting by public companies that are subject to the reporting requirements of the Securities Exchange Act of 1934. Specifically, we are proposing amendments to require current reporting about material cybersecurity incidents. We are also proposing to require periodic disclosures about a registrant’s policies and procedures to identify and manage cybersecurity risks, management’s role in implementing cybersecurity policies and procedures, and the board of directors’ cybersecurity expertise, if any, and its oversight of cybersecurity risk.”
These recent developments heighten attention to the management and disclosure of cyber risks and incidents by public companies. They also underscore the importance of advancing risk management and governance efforts across the boardroom community that ensure resources and investments are applied to those cyber risks that have the most material financial, business, and operational impact.
Below, recent SEC developments and what they mean for board directors, ways companies can prepare while they wait for the specifics of the expected SEC cybersecurity rule, and how companies can contextualize cyber risks and incidents with business, financial, and operational impact are discussed.
As cyber threats advance, companies worldwide are bolstering their cybersecurity budgets. Meanwhile the regulatory community, including the SEC, is advancing new requirements for companies to effectively manage and govern cyber risk. For companies, this requires significant investments to reduce cyber risk while maintaining a compliant cybersecurity program. Given the rate of cyber losses, it is more critical than ever that clear and effective strategies are established to counterattack the impacts of cyber risk. Clarifying cyber-risk engagement in the boardroom is the first step.
Effective communication is a cornerstone of positive outcomes in business. Developing a common language for discussing the complex issues of cyber risk is essential to achieving business resilience. This requires simplifying confusing, technical discussions loaded with nuanced security terms into precise economic analysis that shows how cyberattacks endanger organizations financially in the short and long term.
Building resiliency in an organization requires proper oversight from the boardroom based on a clear plan built on business and economic analysis. Industries such as insurance are basing cyber-risk evaluations in their underwriting standards on established and understandable financial exposure analyses. In doing so, insurance industry players are shifting the cyber conversation from a highly technical and ambiguous security one to one where businesses can understand and effectively manage their financial exposure in relatable business terms. If financial exposures from cyber threats are clear, boards will find it easier to align cybersecurity strategies with economic cyber-risk metrics.
Developing the organization’s cyber-risk appetite levels in financial terms, based on its unique risk profile, and defining effective remediation and mitigation steps to reduce financial exposure are important initial steps when planning for cyber resiliency. Boards should keep certain items on the cyber resiliency agenda in their discussions with management. On an ongoing basis, the board should keep abreast of how management uses return-on-investment analysis to align the cybersecurity budget to financial exposure reduction. So, too, should boards oversee the steps that are taken to practically implement the cybersecurity strategy.
When formulating their companies’ cyber resiliency plans, boards would do well to ask management questions such as the following:
As per the proposed SEC cyber rules, companies are now required to disclose the substance and nature of board oversight of a registrant’s cyber risk, the inclusion and exclusion of management from the oversight of cyber risks, and how the implementation of related policies, procedures, and strategies impacts an investor’s ability to understand how a registrant prepares for, prevents, or responds to cybersecurity incidents. Moreover, companies are required to disclose their cybersecurity governance capabilities, including the board’s oversight of cyber risk, a description of management’s role in assessing and managing cyber risks, the relevant expertise of such management, and management’s role in implementing the registrant’s cybersecurity policies, procedures, and strategies. Specifically, where pertinent to board oversight, registrants are required to disclose:
Formulating and implementing cyber resiliency plans, focusing on aligning these plans with financial exposures, and understanding how the board and management effectively oversee cyber risk and can improve will help any board prepare for SEC rules likely to come.
Chris Hetner served as the senior cybersecurity advisor to SEC chairs White and Clayton and currently is a senior advisor at The Chertoff Group, a special advisor for cyber risk at NACD, and a member of the NASDAQ Center for Board Excellence Insights Council.
NACD: Tools and resources to help guide you in unpredictable times.