Pro-Active Approaches to Prepare Your Board of Directors for New SEC Cyber Security Rules
Published 03/21/2024
Originally published by RegScale.
In March 2022, the Securities and Exchange Commission (SEC) issued a proposed rule titled Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure. In it, the SEC describes its intention to require public companies to disclose whether their boards have members with cybersecurity expertise: “Cybersecurity is already among the top priorities of many boards of directors and cybersecurity incidents and other risks are considered one of the largest threats to companies. Accordingly, investors may find disclosure of whether any board members have cybersecurity expertise to be important as they consider their investment in the registrant as well as their votes on the election of directors of the registrant.” In addition, the Harvard Business Review (HBR) recently published an article titled “Is Your Board Prepared for New Cybersecurity Regulations?”. As stated by HBR, “Boards have a particularly important role to ensure appropriate management of cyber risk as part of their fiduciary and oversight role. As cyber threats increase and companies worldwide bolster their cybersecurity budgets, the regulatory community, including the SEC, is advancing new requirements companies will need to know about as they reinforce their cyber strategy.”
The march towards cybersecurity becoming a mandatory Board of Directors agenda item has been slow but inevitable. For many companies, cybersecurity is one of the most significant risks to their business’s long-term existence, because a serious security breach or regulatory fine brings both loss of customer trust and direct financial consequences. It is only natural that investors should have insight into, and assurances about, the state of a company’s cybersecurity when performing due diligence before an investment. The question is – how do you get a company’s cybersecurity “balance sheet”, and even if you had it, how do you interpret it? What risks are acceptable, at what level were those decisions made, and what should be disclosed to investors?
This new regulation will push companies to formalize their cyber security oversight and force more transparency into the process. However, understanding the cyber balance sheet is a much harder problem than people anticipate. Today’s compliance and risk processes are typically point-in-time, paper-driven, and expensive to create and update. Just like the accounting balance sheet, the cyber security balance sheet changes dynamically in real time as new attacks emerge, compliance frameworks are added or updated, and personnel change over time. Any Board of Directors that relies on months- or years-old paper documentation to analyze and track its cyber security compliance and risk will be subject to inaccuracies, surprises, undue risk, and significant business impacts that will shake its investors should those risks be exploited in a way that results in fines or data breaches. With the upcoming SEC regulation, cyber security will now have a direct impact on the bottom line.
Fortunately, the HBR article laid out three actionable recommendations to help get your Board of Directors prepared for their new oversight roles:
- Develop a common language for discussing the complex issues of cyber risk and resilience – cyber security has historically been a “dark art” full of confusing technical terms and Fear, Uncertainty, and Doubt (FUD) that make it hard for executives to understand what all of these fast-moving threats really mean to the business. Take a simple modeling approach that allows the risk professionals to identify the main threats to the business, analyze the risk, develop key and compensating controls to mitigate that risk, and then monitor changes in posture. Answer the basic questions: what are we most worried about as a business, how are we protecting ourselves, and how do we know if it is working? Risk should be simple to understand, updated in near real time, and based on objective data.
- Keep cyber resiliency on the board’s agenda and in discussions with management – for many organizations, cyber security is a checklist-based approach to compliance. Figure out what you will be audited on, document your controls in a massive spreadsheet or Word document, defend it in an audit, praise your creator that it is over, and don’t touch it again until the next audit. This process is painful and expensive to execute, and at best it gives a basic point-in-time review of security and compliance. However, today’s threat environment is real-time, cloud infrastructure is ephemeral and ever-changing in nature, and the regulations themselves are constantly changing. This area has seen little innovation since 1995, when Word and Excel first took the world by storm. The reality is that static, point-in-time processes are not designed for a cloud-native world with dynamic threat actors who are constantly changing their attack methods and techniques. GRC processes must be real-time, API-enabled, self-updating, and available as Compliance as Code to support the modern development workflows that today’s business depends on. A real-time risk and security posture is necessary to truly enable cyber resiliency.
- Build wider bridges between cybersecurity executives and board members – as an industry, cyber security finally has a seat at the table. In most organizations, CISOs get to update the Board quarterly or annually on the company’s cyber security posture. However, these briefings are too infrequent, are often FUD-driven in order to obtain budget, and are seldom put in real business terms that executives can understand at the Board level.
In summary, understanding the cyber balance sheet for companies is strategically correct but tactically difficult to execute. Legacy GRC tools, monolithic spreadsheets, and ancient Word documents are not sufficient to deliver the insights that Boards of Directors will need to effectively execute their governance and oversight functions under the new SEC rule. Something new is needed that is real-time, collaborative, and easy to understand. In addition, the legacy processes are heavily manual and expensive to execute. In these uncertain economic times, tools that are cheaper to license, faster to deploy, and rely heavily on automation rather than manual labor will not only help meet the SEC rule, they will also positively impact the bottom line.