Here’s what regulators will want boards to know about cybersecurity

(Credit: Unsplash)

This article is brought to you thanks to the collaboration of The European Sting with the World Economic Forum.

Author: Christopher Hetner, Special Advisor for Cyber Risk, NACD, John Frazzini, Board Member, Internet Security Alliance – ISA

  • Cybersecurity is no longer an issue reserved strictly for the IT or compliance executives, it is an issue that impacts all board members.
  • The SEC are increasing their requirements for cybersecurity disclosures and so boards must be fully informed and aware of cyber risks and responses.
  • The new NACD Cyber Risk-Reporting Service will help companies navigate their regulatory responsibilities and real time cyber risks.

New United States Securities and Exchange Commission (SEC) rulemaking makes cyber risk reporting and business resilience planning a key component of effective board governance. Earlier this year, the SEC released a proposed cybersecurity disclosure rule to advance risk management and governance towards the treatment of cyber risk.

As per the SEC: “The SEC is proposing rules to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and cybersecurity incident reporting by public companies that are subject to the reporting requirements of the Securities Exchange Act of 1934. Specifically, we are proposing amendments to require current reporting about material cybersecurity incidents. We are also proposing to require periodic disclosures about a registrant’s policies and procedures to identify and manage cybersecurity risks, management’s role in implementing cybersecurity policies and procedures, and the board of directors’ cybersecurity expertise if any, and its oversight of cybersecurity risk.”

Board responsibility

These recent developments heighten attention on the management and disclosure of cyber risks and incidents across US publicly listed companies. It also underscores the importance of advancing risk management, business resilience and governance efforts across the boardroom to ensure resources and investments are applied to those cyber risks that have the most material financial, business, and operational impact.

The World Economic Forum and National Association of Corporate Directors (NACD) Principles for Board Governance of Cyber Risk insights report finds that this is a Board level issue that needs to be proactively addressed, especially given the potential financial impacts of cyber risks.

As regulatory attention increases, it is essential for the board to ensure budgets allocated to cybersecurity risk align to effectively mitigate potential impact. The days where security budgets are set without business impact context are over.


What is the World Economic Forum doing on cybersecurity?

The World Economic Forum’s Centre for Cybersecurity drives global action to address systemic cybersecurity challenges and improve digital trust. It is an independent and impartial platform fostering collaboration on cybersecurity in the public and private sectors.

Contact us for more information on how to get involved.

The importance of communication

Effective communication is a cornerstone of positive outcomes in business. Developing a common language for discussing the complex issues of cyber risk is essential to achieving business resilience. This requires simplifying confusing, technical discussions loaded with nuanced security terms into understandable financial exposure analysis, which sheds light on the potential of how cyber-attacks endanger organizations financially in the short and long term.

For boards, It is not the technical part of cyber they need to become experts in (although technical awareness may help). They need to view cyber as a material business financial risk and need to understand the potential of its material impact on business.

This will ensure oversight that converts the technical conversation around cyber security to one of taking steps to establish business resiliency. On an ongoing basis, boards can engage in effective oversight by ensuring management develops strategy and aligns budget to demonstrate risk mitigation and financial exposure reduction.

When formulating their cyber resiliency plans, boards would do well to ask management questions like:

  • What is our potential financial exposure to cyber threats?
  • What cyber threats are most likely to have a major financial impact on our business?
  • How much financial exposure are we willing to accept across our enterprise and digital supplier ecosystem?
  • How can we align our budget, implement controls, develop strategy and optimize risk transfer to address our cyber risk exposure?
  • Are our digital initiatives being developed in a cyber-resilient way?

Cyber risk is a discussion for all c-suites

Chris Hetner, former senior cybersecurity advisor to the SEC and Nasdaq Center for Board Excellence Insights Council member, says that “It is essential for boards to continuously incorporate cyber risk management discussions related to the most effective way to reduce the financial and business impact connected with cyber risk. The conversation isn’t just for the Chief Information Officer (CIO) and Chief Information Security Officer (CISO). It is a broader c-suite discussion, which must be led by the Chief Financial Officer (CFO) and General Counsel.”

Hetner says that the failure of cybersecurity to leave a mark on the board is no longer, noting that: “The default tendency of executives is to rely on periodic tactical and technical reports to justify tech solutions that may address technical security issues.” He adds that: “Too often cybersecurity gets lost in translation when engaging board members and the c-suite. This leaves leadership unsure of precisely what they are funding and where residual gaps remain.”

Chris and the NACD recently supported the launch of a groundbreaking service whereby boards are supported to more effectively provide oversight related to cyber risk exposure. The X-Analytics and NACD Cyber Risk-Reporting Service is an annual subscription that provides quarterly board reports highlighting the financial exposure attributed to an organization’s cyber risk. The platform relies on the same analytics used by leaders within the cyber insurance industry.

This new NACD service facilitates a broader c-suite conversation related to cyber risk and assists boards in engaging in discussions that transcend the technical aspects of cybersecurity.

Cyber risk management is a team sport that requires the entirety of the enterprise to ensure business resilience. This is driven by a collective analysis that supports inclusive messaging and collaboration. The CISO is a key component of the enterprise cyber resilience strategy but is not the only actor in cyber anymore. What is required is a more inclusive message and collaboration that includes all enterprise risk management leaders.

The new SEC rules seek to engage senior management and the board in a meaningful way. These recent developments heighten attention to disclosures of cyber risks and incidents by US SEC publicly listed companies. They underscore the importance of advancing risk management and governance efforts across the boardroom community to ensure resources and investments are applied to those cyber risks that have the most material financial, business, and operational impact.

Speak your Mind Here

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: