New SEC Cybersecurity Rules Focus on Board Accountability

July 18, 2022

Gone are the days when cybersecurity was just an information technology (IT) problem. Cyber risk is central to business risk, making it a board-level issue. For the first time, a proposed rule set from the US Securities and Exchange Commission (SEC) will require virtually all commission registrants to provide a series of cybersecurity disclosures within mandated annual and quarterly reporting. This decision is a nod to the importance of cybersecurity standards and what investors need to know to make an informed decision.

 

There have been several cybersecurity-centered proposals for registered investment advisors and funds of late, including the Cybersecurity Disclosure Act of 2017, the Strengthening of America Cybersecurity Act in March 2022, and the Better Cybercrime Metrics Act that just passed last month. This proposed rule drives standardization around reporting and what constitutes an incident or a breach as essential to safeguarding business against attackers.

 

Specifically, the SEC’s proposed rules will:

 

  1. Require current reporting about material cybersecurity incidents within four business days.
  2. Require periodic disclosures (Form 10-K) regarding, among other things,
  3. a registrant’s governance, policies, and procedures to identify and manage cybersecurity risk;
  4. management’s role in implementing policies and procedures;
  5. the board of director’s cybersecurity expertise, if any, and its oversight of cyber risk; and
  6. updates about previously reported material cybersecurity incidents (Form 10-Q).

 

Note the importance the rule set places on board directors. By mandating cybersecurity information disclosure via the 10-K, there’s a big focus on oversight and “management’s role and expertise in assessing and managing cybersecurity risk and implementing the registrant’s cybersecurity policies, procedures, and strategies.”

 

The SEC is finally driving standards to help establish the critical role of corporate governance in security across all sectors. With the proposal focusing on themes of cyber risk, governance structure, and metrics and analytics to fuel oversight, here are some questions you should be asking now to ensure readiness for the forthcoming rule:

 

On Cyber-Risk

 

  • Which directors are responsible for the oversight of cyber risks?
  • How is the board informed about cyber risks?
  • How frequently does the board discuss cyber risks?
  • How does the board consider cyber risks within the context of the company’s business strategy?

 

On Governance Structure

 

  • Which management positions or committees are responsible for managing the company’s cyber risk and what are the qualifications of those responsible?
  • Does the company have a chief information security officer (or someone in a similar position) and who does that individual report to?

 

On Metrics and Analytics

 

  • How do the responsible managers and committees monitor and remain informed about cyber incidents and threats?
  • How frequently do responsible individuals report to the board on cyber risks?

 

Will the rule set come to pass? Yes, in this writer’s humble opinion. I recommend we treat the proposed role as a coming mandatory regulation and start preparing now. Cybersecurity should be looked at as an enabler of any company’s growth and digital transformation strategy, with cyber resilience critical to a company’s future success. While the details of the final rule may vary slightly, the principles of risk management, governance, resilience, and attention to third party risk are and will remain best practice areas for cybersecurity programs.

 

In addition, penalties for violations will likely be steep. Recent SEC examples of penalties for smaller scale control failures are numerous and total well over $1 million in fines. Additionally, as the proposed rules are tied to annual investor reports, failure to adhere to them will also impact an organization’s brand and reputation and can skew investment and credit ratings.

 

The bottom line is that cybersecurity must encompass an entire organization from the boardroom to the mailroom to be effective against the increasingly sophisticated threats we’re seeing today and will continue to see in the future. The SEC’s proposed rules are an important step in securing corporate registrants’ success.

 

This article originally appeared on the NACD BoardTalk blog. Reprinted with permission.
https://blog.nacdonline.org/posts/sec-cybersecurity-board-accountability

James Turgal
Vice President of Cyber Risk, Strategy and Board Relations | Optiv
James Turgal is the former executive assistant director for the FBI Information and Technology Branch (CIO). He now serves as Optiv Security’s vice president of cyber risk, strategy and board relations. James has personally helped many companies respond to and recover from ransomware attacks and is an expert in cybercrime, cyber insurance, cybersecurity, ransomware and more.

James draws on his two decades of experience investigating and solving cybercrimes for the FBI. He was instrumental in the creation of the FBI’s Terrorist Watch and No-Fly Lists.

Optiv Security: Secure greatness.™

Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to nearly 6,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit www.optiv.com.