Three Effective Ways For Boards To Prepare For Imminent SEC Cyber Rules

The flurry of damaging hacks has prompted several regulators to tighten their requirements. Of particular note are the imminent new SEC Rules, which are expected to go into effect in April 2023. Among other requirements, the new SEC rules will require increased public disclosure of board cybersecurity expertise, material incidents and cyber risk oversight practices.

But as these important changes loom, many organizations are finding themselves woefully unprepared. A recent study painted a grim picture of cybersecurity governance with only about half of Fortune 100 companies having a director on their boards with relevant cybersecurity experience. The situation in the Fortune 200 and 500 is more concerning; only 9% have cyber-savvy directors.

Given the stakes are so high, I think corporate directors need to up their game in boosting cyber risk governance. Here are three effective ways for boards to improve this situation.

1. Embed cyber risk governance into the bloodstream of the enterprise.

Sustained change requires executives to model the expected attitudes, beliefs and practices. The underlying premise is that whatever attitudes management exhibits will trickle down to the lower ranks of staff. To set the right tone at the top, your board can mandate the establishment of a cross-business cyber risk governance forum.

This group, comprising executives from risk management, finance, legal, technology, product development, human resources and other relevant senior stakeholders, acts on behalf of the board in overseeing cybersecurity risks, ensuring that:

• The cyber strategy supports strategic goals, mitigates key risks and ensures that the cybersecurity function is adequately resourced.

• The threshold for cyber incident reporting aligns with external obligations, and the board has deep visibility into critical vulnerabilities and management responses. This requires the board to create an environment where management is not tempted to filter the bad news as information flows up the hierarchical structures.

• An effective cyber assurance program is in place to pressure test defenses against realistic attack scenarios.

• The cybersecurity function maintains a disciplined approach to cyber transformation and is not side-tracked by superfluous ideas. This requires a careful balance between providing the right level of strategic support while not meddling with operational decisions.

The membership and mandate of this group must evolve as the business strategy, external obligation and cyber risk landscape change.

2. Elevate The Role Of The CISO.

It’s generally agreed that an organization can’t maximize its return on its investments or weather financial storms without a competent chief financial officer (CFO). Similarly, I feel corporate directors are deeply misguided if they think they can accelerate cyber transformation without an empowered chief information security officer (CISO).

But despite the significance of this function, most CISOs still feel like glorified security administrators. I see their views as often quickly shot down, their functions underfunded and their teams constantly stressed. It’s no wonder that a third of cybersecurity executives are considering leaving their current organization.

To address this plight, the board can ensure that the cyber chief role is transformed from a ceremonious one into an integral member of the C-suite with powers to veto business decisions that expose the organization to unnecessary or high risks.

The first step is promoting direct and candid conversations between the board and CISO. This provides a platform for the board to ask tough and precise questions and for the CISO to understand the board’s top business priorities and most pressing concerns. Elevating the role of the CISO also sends an unequivocal message that the organization deeply cares about cyber resilience, insulates cybersecurity budget from discretionary IT spending and gives the board clearer insight into the organization’s risks and mitigation strategies.

Conversely, a CISO that lacks organizational stature is more likely to hesitate to make important decisions, wasting time writing drawn-out risk papers for the board to endorse decisions.

The board can also strengthen its cybersecurity posture by asking several penetrating questions, including:

• What are the critical gaps around our high-value digital assets (crown jewels), and has management formulated clear-cut remediation strategies?

• Do we have a clearly articulated cyber-risk appetite statement that enables management to safely embrace innovation without exposing the organization to excessive risks?

• Are our mandatory data breach reporting obligations clearly understood and tested against plausible data breach scenarios?

• Is our cybersecurity function adequately resourced to execute key initiatives, mitigate high-rated risks and scale with the rapidly evolving threat landscape?

• Does our organization embed security early and deeply into all digital transformation programs?

• Does our organization build legally enforceable cybersecurity clauses into third-party contracts and implement robust assurance processes for high-risk suppliers?

• Do we have robust and independent assurance reviews to pressure-test the organization’s defenses against the most likely and impactful cyber risk scenarios?

3. Enlist the help of a digitally savvy executive.

To foster deeper cyber risk conversations, corporate directors can proactively up their cyber risk management smarts by taking up cyber risk management education. An example is the Cyber-Risk Oversight Program offered by the National Association of Corporate Directors (NACD), which demonstrates a director’s commitment to advancing cybersecurity literacy.

But let’s face it, cyber risk is too complex to be completely mastered through short executive courses. To keep the CISO accountable and honest, boards can enlist the services of a cyber-savvy expert. This fellow board member or external consultant can engage at a much deeper level and uncover critical cyber blind spots.

There is an added advantage. Research shows that companies with digitally savvy boards outperform their peers on key metrics, including ROA and market cap growth. But these relationships must be handled with care because experts with little knowledge of the business can recommend unrealistic “best practices”—frustrating the CISO and fueling board management mistrust.
