What the SEC Can Tell Us About Board Governance of Cyber Risk
Last month, we launched a series of posts examining the Securities and Exchange Commission’s proposed rules requiring public companies to say more about handling cybersecurity. Our first post was an overview of what those proposals entail.
Today, let’s examine specifically the new disclosures companies would need to make about their corporate boards. After all, those proposed requirements would force boards to think more deeply about how they want their companies to address cyber risks — and that’s a worthwhile exercise for any organization, publicly traded or not.
So, what has the SEC proposed relating to corporate boards? Primarily, companies would need to disclose the following in their Form 10-K annual reports:
- Whether the entire board, specific board members, or a board committee is responsible for the oversight of cybersecurity risks;
- The processes by which the board is informed about cybersecurity risks and the frequency of its cyber discussions;
- Whether and how the board (or board committee) considers cyber risks as part of its business strategy, risk management, and financial oversight.
We should stress that the SEC’s proposals wouldn’t require companies and their boards to take any of the steps listed above. Companies would only need to disclose whether their boards take any of those steps and also describe to investors why the approach they take works best for them.
There is, of course, an implicit pressure at work here. Any company that says its board doesn’t do the above — that it has no cybersecurity expert on the board, or that it doesn’t consider cybersecurity when setting business strategy — is likely to get a poor reception from the investing public. That board might also face greater legal liability should a cybersecurity disaster prompt investors to sue the board in court.
So if a company wants to make a favorable impression with investors, it must demonstrate that its board understands the cybersecurity issues facing the company and governs those risks accordingly.
That seems sensible enough in theory. What does it mean for boards in practice?
Boards Will Need Cyber Awareness
Quite simply, it means that boards will need to take a much more active approach to cybersecurity. They will need to treat cybersecurity as a risk to consider when developing a business strategy rather than a compliance obligation after setting the strategy.
First, boards will need to decide how they oversee cybersecurity risk. For example:
- Will responsibility for cybersecurity risk rest with the board's audit committee, a newly created risk committee, or the entire board itself?
- How often will that committee discuss cybersecurity? As part of every committee meeting, in special meetings dedicated to cyber, or on some other schedule?
- Does the board have directors with cybersecurity expertise? Or, if not, should the board recruit someone?
Ultimately, board directors themselves are responsible for answering such questions. CISOs and other senior executives can, however, offer their advice — and stress (diplomatically) that these questions need to be answered.
Boards will also need to understand how cybersecurity risks could affect strategy and vice-versa. For example, using independent contractors as a sales force might seem appealing for financial and operational reasons (say, as a cheaper way to expand into new markets), but that strategic decision might mean new demands for user access control, software patch management, and network design. Boards might also find that as the organization’s cybersecurity needs increase, so does the importance of defining clear roles and responsibilities for data breaches or third-party risk management.
And on top of all that, boards will still need all the usual assurance on specific compliance efforts. They will need reports on cybersecurity that contain clearly defined key risk indicators, summaries of major cyber incidents, progress on audits of third parties, and so forth. As much as the SEC’s proposed rules might stress cybersecurity’s strategic and operational risks, those compliance risks aren’t going away.
How CISOs Can Play a Role
However challenging these SEC proposals might be, they also present an opportunity for CISOs. Boards will need guidance and help to fulfill their governance duties, and CISOs will be uniquely positioned to provide that assistance. If CISOs ever wanted to elevate their profile with the board and within the organization generally — well, this is their chance.
That said, CISOs should prepare accordingly. Whether organizations will need to comply with SEC cybersecurity rules specifically, or boards just want to give cybersecurity the attention it deserves, CISOs will need several capabilities to succeed.
Foremost, CISOs will need to be empowered. That means support from the board and the CEO, with clearly defined responsibilities and reporting lines. Only then will CISOs be able to work confidently with leaders in operating units or management functions (HR, legal, finance, and the like) to assess cybersecurity risks and design smart, effective controls to keep those risks in check.
CISOs will also need a keen understanding of how compliance or risk management needs might affect business operations. Go back to our hypothetical above of an independent sales force. The VP of sales might love the concept, but the CISO would still need to explain how such a workforce might impose new demands on third-party risk management, access controls, data segregation, and related issues.
More broadly, the CISO will need to understand how cyber risks could pressure the organization’s business objectives to help the board tailor those objectives. For example, if the board wants to expand business globally, that might introduce a host of new privacy compliance obligations. If the board ultimately wants to sell the business to a strategic buyer, then being able to demonstrate the company’s cybersecurity posture will help to woo potential buyers. CISOs will need to “know the business” just as much as they know cybersecurity.
And to deliver on that role as a trusted adviser to the board, CISOs will need reliable information on the risks and controls within the organization. That could be anything from an accurate list of the third parties that can access confidential information, to the latest update on weak controls that still need remediation to achieve regulatory compliance, to the full scope of a specific cybersecurity crisis that requires immediate attention.
CISOs will need technology and tools to help them understand the organization’s entire, current cybersecurity posture — and then put that information into a business context that the board and C-suite can understand to make better business decisions together.
Matt Kelly is editor and CEO of RadicalCompliance.com, a blog and newsletter that follows corporate governance, risk, and compliance issues at large organizations; it includes the Compliance Jobs Report, a weekly update on compliance professionals moving around the industry. He also speaks on compliance, governance, and risk topics frequently.
Kelly was named a ‘Rising Star of Corporate Governance’ by the Millstein Center for Corporate Governance in its inaugural class of 2008, and was named to Ethisphere’s ‘Most Influential in Business Ethics’ list in 2011 (no. 91) and 2013 (no. 77). In 2018 he won a Reader’s Choice award from JD Supra as one of the Top 10 authors on corporate compliance.
Kelly previously was editor of Compliance Week, a newsletter on corporate compliance, from 2006 through 2015. He lives in Boston, Massachusetts, and can be reached at mkelly@RadicalCompliance.com or on Twitter at @compliancememe.