The SEC has just released its long-awaited final rules on its cybersecurity risk management, strategy and governance proposals. While transformational in some respects, the SEC largely let the boardroom slip off the hook for cybersecurity governance accountability, at least for now.
The SEC had proposed a rule that boards disclose whether they have a director with cyber expertise, naming the director and describing the nature of that expertise. The proposal would not have required boards to add cyber expertise; it would only have brought transparency to the ability of corporate directors to govern this complex area. Indirectly, however, it would have turned a leading practice into a regulator-endorsed boardroom policy, namely adding directors with this skill set.
However, CISOs did not get regulatory support for an experienced advocate and teammate in the boardroom, and they will be forced to continue largely going it alone, meaning the CISO's job difficulty and accountability just went up. CISOs should continue to advocate for board reform in this area and choose their jobs wisely: a boardroom without directors who have cyber expertise should be a warning sign for a CISO. Notably, many boards are already adding and disclosing cyber experience and expertise and are not waiting on regulators to define leading practices, as regulators are notoriously lagging indicators.
The SEC also turned up the heat on management teams and their understanding of how complex digital business systems create value by adding an incident disclosure requirement that is now triggered by the determination that an incident's impact is material. Previous disclosure guidance used incident discovery as the trigger date. The final disclosure requirement was narrowed in scope in two ways: it focuses disclosure on the impact of the incident rather than its nature, to avoid handing valuable information to attackers, and it permits a delay in disclosure when disclosure would pose a risk to national security or public safety.
This final provision imparts significantly greater responsibility and accountability on management teams to understand the linkages between cybersecurity, their information systems and value in the eyes of a reasonable investor. Notably, the proposed requirement for status updates on remediation, or on whether data were compromised, was not adopted; whether data were compromised is instead one component of the overall materiality analysis. Remaining in the final rules is the disclosure of cybersecurity incidents affecting third-party systems that companies use, putting a very challenging systemic risk disclosure consideration and requirement in place for the first time. Systemic cyber risk is a new dimension of enterprise risk that is very prevalent in complex digital business systems, and third-party risk is just one aspect of it.
A lengthy discussion of the definition of a cybersecurity incident also took place among several of the SEC Commissioners on the SEC Open Meeting webinar. Because an incident is defined as an unauthorized occurrence, risks that exist within the system and are realized from within it would not need to be disclosed. A failure of a critical part of a complex digital business system that is not caused by an attacker would presumably not meet this definition and would not need to be disclosed. If a large SaaS vendor had an outage, for example, that impaired its revenue, affected hundreds of thousands of users and created significant liabilities, this would not meet the definition. This is likely a shortcoming in regulators' understanding of the true nature of cyber risk and of complex digital systems.
Additionally, disclosure rules were adopted that will increase transparency and accountability around management's processes for assessing, identifying and managing material risks by requiring a description of those processes. The final rules also retain a disclosure requirement around the use of third-party experts in cybersecurity, giving investors useful visibility into in-house versus outsourced capabilities.
Now that there are some rules in place from the SEC, the role of investors in cybersecurity governance reform will also begin to take on new meaning. As investors increasingly interact with boards on these issues, will they begin to exert more influence over who on the board they will be interacting with? Will they be advocates for further digital innovation and cybersecurity governance reform, and will they bring cyber expertise to the table? Will boards recognize that they need to counter this expertise with boardroom cyber expertise of their own?
The SEC did not leave the boardroom entirely out of the final rules, although it notably removed the proposed requirement to disclose how the board integrates cybersecurity into its business strategy, risk management and financial oversight. It did keep the requirements to disclose how the board is informed of cyber risks and which committee is responsible for cybersecurity, along with a general requirement to describe the board's oversight of risks from cybersecurity threats. While this should generally mature the boardroom's system of cybersecurity governance, it leaves some glaring holes that will impair the effectiveness of that system as a whole. Leading boards, however, are already moving well beyond these regulations.
Overall, the SEC Final Rules were soft on boardroom accountability, but hardened the requirement for management to understand the impacts of the digital business system to investor interests and their materiality. In the words of DDN Advisory Board Member Fay Feeney, “What they’ve done is put a foundation in place, where there was none before.” What’s built upon that foundation remains largely up to the self-regulatory initiatives of individual corporate boards.
While the SEC did not really step up to the boardroom leadership moment on cybersecurity governance at the level of existing leading boardroom practices, it should be noted that the director cyber expertise part of cybersecurity and board reform is likely not over. Several SEC Commissioners implied as much on the call, and in particular gave a shout-out to the leadership of Sen. Jack Reed in championing board reform on this subject. Sen. Reed is the sponsor of S. 808, the Cybersecurity Disclosure Act of 2021, which would force the SEC to issue final rules on boardroom cyber expertise. This Act, or a carbon copy of it, has been proposed in both the House and Senate over at least the last three sessions of Congress.
If lawmakers aren’t giving up on director cyber expertise, leading boards should continue to set these standards and view the SEC’s Final Rules as the first steps on an important journey.