by Christopher Hetner and John Frazzini*
New United States Securities and Exchange Commission (SEC) rulemaking makes cyber risk reporting and business resilience planning a key component of effective board governance. Earlier this year, the SEC released a proposed cybersecurity disclosure rule to advance risk management and governance towards the treatment of cyber risk.
As per the SEC: “The SEC is proposing rules to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and cybersecurity incident reporting by public companies that are subject to the reporting requirements of the Securities Exchange Act of 1934. Specifically, we are proposing amendments to require current reporting about material cybersecurity incidents. We are also proposing to require periodic disclosures about a registrant’s policies and procedures to identify and manage cybersecurity risks, management’s role in implementing cybersecurity policies and procedures, and the board of directors’ cybersecurity expertise if any, and its oversight of cybersecurity risk.”
Cybersecurity: a board responsibility
These recent developments heighten attention on the management and disclosure of cyber risks and incidents across US publicly listed companies. They also underscore the importance of advancing risk management, business resilience and governance efforts across the boardroom to ensure resources and investments are applied to those cyber risks that have the most material financial, business, and operational impact.
The World Economic Forum and National Association of Corporate Directors (NACD) Principles for Board Governance of Cyber Risk insights report finds that this is a board-level issue that needs to be proactively addressed, especially given the potential financial impacts of cyber risks.
As regulatory attention increases, it is essential for the board to ensure that budgets allocated to cybersecurity are aligned with effectively mitigating the potential impact of cyber risk. The days when security budgets were set without business impact context are over.
The importance of communication
Effective communication is a cornerstone of positive outcomes in business. Developing a common language for discussing the complex issues of cyber risk is essential to achieving business resilience. This requires simplifying confusing, technical discussions loaded with nuanced security terms into understandable financial exposure analysis, which sheds light on the potential of how cyber-attacks endanger organizations financially in the short and long term.
For boards, it is not the technical side of cyber they need to become experts in (although technical awareness may help). They need to view cyber as a material financial risk to the business and understand the potential of its material impact on the business.
This will ensure oversight that converts the technical conversation around cybersecurity into one about taking steps to establish business resilience. On an ongoing basis, boards can engage in effective oversight by ensuring management develops strategy and aligns budget to demonstrate risk mitigation and financial exposure reduction.
When formulating their cyber resiliency plans, boards would do well to ask management questions like:
What is our potential financial exposure to cyber threats?
What cyber threats are most likely to have a major financial impact on our business?
How much financial exposure are we willing to accept across our enterprise and digital supplier ecosystem?
How can we align our budget, implement controls, develop strategy and optimize risk transfer to address our cyber risk exposure?
Are our digital initiatives being developed in a cyber-resilient way?
Cyber risk is a discussion for all c-suites
Chris Hetner, former senior cybersecurity advisor to the SEC and Nasdaq Center for Board Excellence Insights Council member, says that “It is essential for boards to continuously incorporate cyber risk management discussions related to the most effective way to reduce the financial and business impact connected with cyber risk. The conversation isn’t just for the Chief Information Officer (CIO) and Chief Information Security Officer (CISO). It is a broader c-suite discussion, which must be led by the Chief Financial Officer (CFO) and General Counsel.”
Hetner says that cybersecurity can no longer fail to leave a mark on the board, noting that: "The default tendency of executives is to rely on periodic tactical and technical reports to justify tech solutions that may address technical security issues.” He adds that: "Too often cybersecurity gets lost in translation when engaging board members and the c-suite. This leaves leadership unsure of precisely what they are funding and where residual gaps remain."
Chris and the NACD recently supported the launch of a groundbreaking service that helps boards provide more effective oversight of cyber risk exposure. The X-Analytics and NACD Cyber Risk-Reporting Service is an annual subscription that provides quarterly board reports highlighting the financial exposure attributed to an organization’s cyber risk. The platform relies on the same analytics used by leaders within the cyber insurance industry.
This new NACD service facilitates a broader c-suite conversation related to cyber risk and assists boards in engaging in discussions that transcend the technical aspects of cybersecurity.
Cyber risk management is a team sport that requires the entire enterprise to ensure business resilience. This is driven by a collective analysis that supports inclusive messaging and collaboration. The CISO is a key component of the enterprise cyber resilience strategy but is no longer the only actor in cyber. What is required is a more inclusive message and collaboration that includes all enterprise risk management leaders.
The new SEC rules seek to engage senior management and the board in a meaningful way. These recent developments heighten attention to disclosures of cyber risks and incidents by US SEC publicly listed companies. They underscore the importance of advancing risk management and governance efforts across the boardroom community to ensure resources and investments are applied to those cyber risks that have the most material financial, business, and operational impact.
*Special Advisor for Cyber Risk, NACD and Board Member, Internet Security Alliance - ISA
**first published in: Weforum.org