“If you had to sign a cybersecurity certification similar to the financial reporting requirements for corporate officers under Sarbanes-Oxley (SOX) Section 302, could you do it?”
As my firm counsels boards and C-suite executives on cyber risk, we often begin by framing our conversation with that provocative question. How directors answer will indicate how confident they are in the cybersecurity posture of their business.
As an exercise, let’s review SOX Section 302. For the purposes of this discussion I have replaced the finance-related text with cybersecurity-specific language. These changes are bolded, and other elements that are critical SOX measures for proper oversight by officers and the board are underlined.
SEC. 302. CORPORATE RESPONSIBILITY FOR CYBERSECURITY REPORTS.
(a) REGULATIONS REQUIRED.—The Commission shall, by rule, require, for each company filing periodic reports under section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m, 78o(d)), that the principal executive officer or officers and the principal cybersecurity officer or officers, or persons performing similar functions, certify in each annual or quarterly report filed or submitted under either such section of such Act that—
(1) the signing officer has reviewed the report;
(2) based on the officer’s knowledge, the report does not contain any untrue statement of a material fact or omit to state a material fact necessary in order to make the statements made, in light of the circumstances under which such statements were made, not misleading;
(3) based on such officer’s knowledge, the cybersecurity statements, and other cybersecurity information included in the report, fairly present in all material respects the cybersecurity condition and results of operations of the issuer as of, and for, the periods presented in the report;
(4) the signing officers—
(A) are responsible for establishing and maintaining internal controls;
(B) have designed such internal controls to ensure that material information relating to the issuer and its consolidated subsidiaries is made known to such officers by others within those entities, particularly during the period in which the periodic reports are being prepared;
(C) have evaluated the effectiveness of the issuer’s internal controls as of a date within 90 days prior to the report; and
(D) have presented in the report their conclusions about the effectiveness of their internal controls based on their evaluation as of that date;
(5) the signing officers have disclosed to the issuer’s auditors and the audit committee of the board of directors (or persons fulfilling the equivalent function)—
(A) all significant deficiencies in the design or operation of internal controls which could adversely affect the issuer’s ability to record, process, summarize, and report cybersecurity data and have identified for the issuer’s auditors any material weaknesses in internal controls; and
(B) any fraud, whether or not material, that involves management or other employees who have a significant role in the issuer’s internal controls; and
(6) the signing officers have indicated in the report whether or not there were significant changes in internal controls or in other factors that could significantly affect internal controls subsequent to the date of their evaluation, including any corrective actions with regard to significant deficiencies and material weaknesses.
Now, how confident are you in the state of your cyberposture? Fortunately, to use the old exercise phrase, “this has been only a drill.”
However, multiple federal regulators, including the Securities and Exchange Commission, the Federal Trade Commission, and state agencies such as the New York Department of Financial Services, have become far more aggressive in holding corporate officers and board members accountable for cybersecurity oversight. And it is not out of the question that SOX-like requirements may materialize in the future, should another series of damaging breaches occur impacting consumers.
Regardless of whether regulators may soon require such specific attestations, significant discomfort with these questions at the board and C-suite level can indicate that cybersecurity is not being managed as an enterprise, twenty-first century business imperative. With sensitive customer information, employee data, operational processes, intellectual property, and trade secrets all on your networks, cybersecurity represents a real business and reputation risk.
The truth is that most corporate boards aren’t prepared for cyberattacks. It is an esoteric topic that remains elusive to most corporate directors.
NACD has been leading on this issue to ensure that its members have the resources to get up to speed, increase their cyberliteracy, and enhance cybersecurity oversight. I am proud that my firm has been able to partner with them to create an online education program specifically for corporate directors that leverages resources such as the NACD Cyber-Risk Oversight Handbook and the expertise of the CERT Software Engineering Institute at Carnegie Mellon University.
While no program or technology can guarantee that your organization will not be hit by a cyberattack, it is incumbent upon us all to learn what we need to know to ask the right questions and to close as many gaps as possible. As the regulatory environment continues to focus on our ability to provide effective oversight, doing nothing is a sure-fire way to find cyberthieves in your system as well as regulators, litigators, shareholders, and customers knocking on the boardroom door.
Tom Ridge is chair of Ridge Global, a risk management and cybersecurity advisory firm. An experienced corporate board member, he previously served as the first U.S. Secretary of Homeland Security and as the 43rd Governor of Pennsylvania.