For over a decade the Securities and Exchange Commission (SEC) has been working with corporations and their many stakeholders to find ways to appropriately influence corporate governance around cybersecurity. The SEC is now on the verge of issuing binding regulations for all publicly traded corporations. Our assessment is that these regulations hold the potential to transform corporate governance in ways not seen since the passage of the 2002 Sarbanes-Oxley legislation.
Background
In 2011 the SEC issued guidance meant to help companies understand that they should take responsibility for reducing cyber risk. This was guidance rather than formal regulation, but it raised awareness and underscored for corporations that they had a responsibility to shareholders to mitigate cyber risk. In 2018 the SEC issued new guidance to expand on and strengthen the 2011 guidance. Still, there is a difference between guidance and regulation: many companies either did not take notice or felt that their existing protections mitigated risk well enough, and the guidance had limited impact.
In March 2022 the SEC published a draft set of proposed new rules that would make aspects of cybersecurity reporting and governance mandatory. These new rules may go into effect as early as April 2023.
The Proposed Rules
The proposed rules are far stronger than the previous interpretive guidance. Their stated objective is to strengthen investors' ability to evaluate public company cybersecurity practices and incident reporting. The rules would require corporations to provide consistent, comparable and useful information to shareholders in two major categories:
- Information on incidents that may have a material impact on shareholder decisions, and
- Information on the governance processes designed to mitigate cyber risk
In the first category, companies would have to disclose any materially relevant cyber incident. Such incidents would have to be disclosed on a Form 8-K within four days after the company determines that they are material. The term "materiality" is used in the same way as in previous SEC guidance on security: if a reasonable investor would consider the information important to know, it is considered material.
In the second category, companies would have to disclose information on their cyber risk management and governance strategies. The SEC is seeking far more disclosure on these topics than in the past, including details of the cyber risk management program, descriptions of the cyber risk assessment process, and more detail on how data is protected, including how risk is mitigated in third-party relationships. This disclosure would become part of the corporation's annual Form 10-K reporting.
These items are significant for corporations and for the boards that govern them.
The rules also make it clear that corporate boards will have new responsibilities in cyber risk management. Corporations would be required to disclose whether there is cyber expertise on their board and, if so, to disclose the name or names of the directors with that expertise.
The SEC did not precisely define cyber expertise in its first draft, but it did offer several principles it believes should be considered in determining whether a board has cyber expertise. The principles cover these topical areas:
- Whether the director has prior work experience in cybersecurity, including, for example, prior experience as an information security officer, security policy analyst, security auditor, security architect or engineer, security operations or incident response manager, or business continuity planner;
- Whether the director has obtained a certification or degree in cybersecurity; and
- Whether the director has knowledge, skills, or other background in cybersecurity, including, for example, in the areas of security policy and governance, risk management, security assessment, control evaluation, security architecture and engineering, security operations, incident handling, or business continuity planning.
Recommendations
Boards should be talking with management now to make sure there is clarity on new reporting requirements for incidents and for cyber risk mitigation governance. A gap assessment should be conducted.
All directors should seek to understand and mitigate cyber risk by drawing on expert advice from experienced risk management professionals. External advisors can rapidly evaluate board expertise against the cybersecurity qualifications the SEC expects and can recommend additional training for the full board or for the board-designated cyber expert.
Although not required by SEC guidance, many boards have already decided to form cybersecurity committees so that a few designated board members can work through issues outside of full board meetings. External advice can help the board evaluate whether this is the right approach for its mission and function.
Concluding Context
Over the years the OODA Network has consistently attracted executives, experts and analysts focused on making decisions in environments where disruption, conflict and opportunity exist simultaneously. Most who have joined the network have deep experience in the realities of operational cyber risk mitigation. For these leaders, meeting the new SEC requirements for cybersecurity will come almost as second nature.
Corporate directors who seek to inform their decision-making around mitigation of systemic cyber risk can also apply to join the OODA Network.
OODA also helps clients in need of dedicated board cybersecurity services focused on helping directors understand and manage the complexities of cyber risk. Our advisory team is composed solely of senior executives who combine deep domain expertise with executive management experience, such as serving on boards of directors or managing cyber risk as CEOs, CTOs and CISOs. We help bridge the gap between boards and their internal security management teams. Learn more at OODA Board Cyber Advisory Services.