New SEC proposed rules will significantly increase public companies’ reporting of cybersecurity breaches and oversight practices.
The World Economic Forum has published global recommendations for boards of directors to help them comply with the new rules.
The key to effective oversight will be viewing cybersecurity as a strategic issue, understanding the economics of cyber risk, and incorporating cyber risk expertise into board oversight.
Good cyber strategy is good business strategy. For years, cybersecurity professionals have understood this. More recently, leading CEOs and independent directors have acknowledged it, and now regulators are proposing new rules to establish it.
On 9 March 2022, the Security and Exchange Commission (SEC, the US regulator charged with protecting investors and capital markets), proposed new rules that would significantly increase public companies’ reporting of both cybersecurity breaches and what executive management and the board are doing to mitigate cyber risk.
Given the SEC’s regulatory footprint, this action should be a wake up call to business leaders around the world. While the proposed rules are not yet in force, the SEC’s views on cyber risk raise important considerations for boards of directors, including management reporting, organization, and even composition.
What Are the New Cyber Risk Requirements for Boards?
In particular, board directors need to take note of the SEC’s proposals related to governance and board expertise. The SEC explicitly calls out cyber risk oversight as material to investors’ ability to understand a company’s strategy. Specifically, the SEC plans to ask: who on the board is informed of cyber risk issues; how they receive that information; how often the board considers cyber risk; and how cyber risk is integrated into business strategy, risk management, and financial oversight.
Potentially even more significant is the SEC’s new proposal to require disclosure of board members’ expertise in cybersecurity. This new requirement will be a signal to investors around the world that how a company views cyber risk matters at the highest level. It aims to put cyber expertise on the same footing as the mastery of business strategy, financial acumen, and leadership skills that have traditionally been the focus of board director recruitment. Since the subjects being reported tend to lead in terms of company focus, reporting on board expertise in cyber is likely to finally catapult cybersecurity from a back-office function to a core capability of business leaders going forward.
Reporting on board expertise in cyber is likely to finally catapult cybersecurity from a back-office function to a core capability of business leaders
These new requirements, nudging the business community toward better board reporting and greater board expertise on cyber risk issues, come at a crucial time. Currently, the pace and sophistication of cyber attacks against businesses is increasing at a breathtaking pace. IBM’s Cost of a Data Breach Report 2021 showed that last year average “data breach costs rose from $3.86 million to $4.24 million,” the highest average total cost in the report’s 17-year history. At the same time business leaders across the world recognize, as described in the World Economic Forum’s Global Risks Report 2022, that the risk of cybersecurity failure represents a critical global threat in both the short and long term. Yet, there is a disconnect between corporate leadership’s perception of their preparedness and resilience to cyber threats, and the facts on the ground as reported by cybersecurity professionals.
The Global Cybersecurity Outlook 2022, a Forum survey, found that “while 92% of business executives surveyed agree that cyber resilience is integrated into enterprise risk management strategies, only 55% of security-focused leaders surveyed agree with the statement.” The SEC proposed rule would require companies (at least those traded on US exchanges) to shrink that gap or explain themselves to their investors.
How Can Boards Prepare for the New Cybersecurity Rules?
Luckily, there is already good guidance available for companies and their directors to prepare themselves for the new rules. Distilling the best resources globally, there are clear steps that boards of directors can take so that, when the time comes, their SEC reporting reflects a forward-looking and resilient organization, led by an effective board that takes its oversight role on cyber risk seriously.
For the past six years, the Forum has published global recommendations for boards of directors that will help them comply with the new rules. As recommended in the Forum’s 2021 guidance, Principles for Board Governance of Cyber Risk (published in collaboration with the NACD and ISA), boards can effectively oversee cyber risk in six key ways:
See cybersecurity as a strategic business enabler.
Understand the economic drivers and impact of cyber risk.
Align cyber-risk management with business needs.
Ensure organizational design supports cybersecurity.
Incorporate cybersecurity expertise into board governance.
Encourage systemic resilience and collaboration.
Three of these important principles are directly relevant to the SEC’s likely new requirements:
1. Recognize Cybersecurity as a Strategic Business Enabler
Modern boards must recognize that cyber threats are persistent and strategic enterprise risks, and that good cybersecurity directly contributes to the creation and preservation of value. This requires a mindset shift and a new understanding of cyber risk – from an IT department cost to a strategic imperative that demands board attention. This understanding will help boards ensure cyber risk reporting is frequent and detailed (and structured in the best way to ensure effective board oversight) to reflect the effective cyber risk governance that the SEC and investors are likely to expect in the new reporting rules.
The SEC also specifically requires reporting on the designation of a chief information security officer (CISO) or, as the Forum termed this role in its 2017 guidance for boards, the cyber resilience “accountable officer.” As that guidance suggests, this officer should not only have the expertise required to understand cyber risk and its company-wide implications, but also sufficient authority, resources, and access to senior leadership to successfully promote cyber resilience.
2. Understand the Economic Drivers and Impact of Cyber Risk
One of the most important roles the board has in its cyber risk oversight is to review and approve the enterprise’s risk appetite. This means that the board must demand cyber risk indicators be presented in financial and economic terms so that they can be effectively compared to other risks and priorities in the company.
3. Incorporate Cybersecurity Expertise into Board Governance
The new reporting requirement on board members’ cyber expertise introduces the potential for a new type of executive to be considered for board service. However, the SEC specifically notes that “we do not intend for the identification of a cybersecurity expert on the board to decrease the duties and obligations or liability of other board members”. Knowledge of cyber risk issues is, therefore, still required of the board as a whole and cannot be foisted on a “cybersecurity board member”. On the contrary, board members with cyber expertise will be crucial partners in ensuring the continued education of the board as a whole and a key leader in holding management accountable to fully considering cyber risk.
In the end, good cyber risk oversight, such as that likely to be required by the SEC, is synonymous with good oversight in general. The SEC’s rules, while they reflect the shifting digital landscape, continue to promote the time-tested values of board governance: strategic thinking, good judgment, holding management accountable, and inclusion of relevant expertise. While the new rules will require some changes, boards already have the tools they need to make those changes effectively. Preparation for the new reporting rules is, effectively, preparation for overseeing a sustainable, resilient, and effective company in the 21st century.