Security’s Seat at the Table: SEC’s New Proposal for Cybersecurity Risk Management for Boards

Security’s Seat at the Table: SEC’s New Proposal for Cybersecurity Risk Management for Boards 1200 628 N2K

Cybersecurity professionals are on the cutting edge of new cyber attack tactics, techniques, and procedures.  After all, the landscape changes quickly and a key part of the job is to know the latest moves adversaries are making to target and access the systems we’re responsible for protecting.  As a breed, we’re less often inclined to follow the slow-moving regulatory landscape to assess the impact laws and regulations have on our enterprises.  But the regulatory tide is shifting, and rulemaking bodies have started to more aggressively propose requirements that have the potential to have significant impact on a number of industries.  

For those not following closely, it’d be easy to miss the new rule the US Securities and Exchange Commission (SEC) is proposing that public companies enhance and standardize their disclosures around cybersecurity management, strategy, governance, and incident reporting.  While a good number of the proposed disclosure requirements center around policies and procedures on cyber risk management and reporting on incidents, the SEC goes even further to specifically propose disclosures of 1) the company’s board of director’s oversight of cybersecurity risk, and 2) management’s role and expertise in assessing and managing cybersecurity risk and implementing cybersecurity policies and procedures 

The overall goal of these proposed amendments is to better inform investors about a company’s cyber risk management strategy and implementation and allow them to better evaluate a company’s exposure to cyber risks as well as their ability to manage and mitigate them.  But what are the implications and considerations as the SEC looks to have a better understanding of both directors’ and managers’ ability to oversee and manage cyber risk?

The Role of the Board in Overseeing Cyber Risk

One of the goals of the proposed rule is that companies need to disclose material cybersecurity incidents within four business days.  This requirement is already problematic given the obvious questions about what will constitute the definition of material.  In addition to the periodic reporting requirements, the proposed rule also requires registrants to document their policies and procedures in overseeing and identifying cybersecurity incidents as well as to disclose whether any directors have cybersecurity expertise and what knowledge, skill, or other background in cybersecurity they have.

While the guidance doesn’t propose a specific definition of material or even expertise, it is clear that the SEC is underscoring the importance of boards’ ability to understand, oversee and manage cyber risk.  The tides are formally shifting to meet today’s corporate environment that requires business leaders to think critically about the cyber risks facing their organizations.  While not every board member needs to be a cybersecurity expert, it shows the SEC is serious about using disclosures to inform investors about a company’s ability to effectively identify and handle cybersecurity risks.  

The Role of Management in Overseeing Cyber Risk

The SEC also wants companies to submit reporting on management’s role and expertise in managing cyber risk and the prevention, mitigation, detection, and remediation of cybersecurity incidents.  While it may appear on the surface to be another disclosure requirement, it seems more likely these rules have been designed to pressure companies to take steps that will enhance their ability to handle cybersecurity risks effectively.

Whether it’s the boards or the management, it’s part of the reason it would be beneficial for companies to consider educating all their boards on how to effectively monitor and manage risk as part of their efforts to meet these emerging compliance requirements.  As of now, most companies at best will report on information like past jobs, degrees, or maybe some certifications.  But the other thing to consider is that as this goes into effect and as investors get smarter over time, providing a list of mere qualifications may not be enough.  Companies that are able to demonstrably measure and show improvement year over year in their people strategies, specifically the expertise of their people: their boards, their management, and their cybersecurity program support teams, will be those that provide the soundest investment assurances when it comes to handling cybersecurity threats.