Article

Cybersecurity governance and the board’s role

Proposed SEC rules seek to address risk management gaps across the enterprise

Jul 07, 2022

Key takeaways

A disconnect often exists between boards and cybersecurity leadership, creating a potential governance gap.

If proposed new SEC cybersecurity rules are enacted, some boards would require critical changes to address vulnerabilities.

The process requires a major commitment and potential expenses, but the board can anticipate better visibility into risks.

#
Risk consulting Cybersecurity consulting SEC matters Cybersecurity

The U.S. Securities and Exchange Commission (SEC) has proposed amendments to its cybersecurity rules for public companies, aiming to strengthen cybersecurity oversight, governance and incident disclosure. The proposed rules would enhance cybersecurity protocols and require some boards to make structural and cultural changes to address governance gaps and vulnerabilities.

A governance gap between boards and cybersecurity leadership

Similar to the Cyber Incident Reporting for Critical Infrastructure Act of 2022, or CIRCIA, the proposed amendments seek to bridge the common disconnect between boards and cybersecurity leadership. While boards are typically composed of seasoned business leaders, cybersecurity expertise is often lacking. Although it is increasingly common for an organization’s chief information security officer to brief the board on a quarterly basis, the CISO often reports with a technical perspective that members may not completely understand, let alone know how to evaluate in the context of other corporate governance needs.

To close this gap, boards must increase their oversight and develop a governance culture which elevates cybersecurity throughout the enterprise and treats it like any other business risk.
Rod Hackman, Board member

In addition, board communication is often limited to affirming technologies previously implemented or reviewing key performance indicators on issues already addressed—while downplaying potential risk to organizational assets. These gaps in board communication can lead members to ask cybersecurity leadership the wrong questions and make ineffective requests and recommendations, exacerbating risks to the business.

“To close this gap, boards must increase their oversight and develop a governance culture which elevates cybersecurity throughout the enterprise and treats it like any other business risk,” says Rod Hackman, a member of the board of directors of an SEC-reporting company who leads the board’s cybersecurity oversight function. “Until the board and CISO meet in the middle and begin to speak the language of business, and understand cybersecurity as a business risk, effective governance will continue to suffer.”

Boards must also understand that the SEC proposed amendments are not exclusive and other legislation, such as CIRCIA, may have overlapping disclosure requirements for some organizations–which can create conflicting reporting directives.

Practical actions for boards to close the gap

To ensure cybersecurity is a priority for both your board and your management team, communication between the groups must be focused and transparent. Boards should reject the preconceived notion that cybersecurity is too difficult to deal with. According to Hackman, “The first step toward better governance is to engage management and likely outside advisors to arrive at a common understanding of how the business works by identifying and mapping all operational and support elements of the business, both internal and external. What are the most important assets, and how do they interact? What threatens them? How will the business respond if threats are realized?”

Assets, in this context, relate to a myriad of aspects that comprise the organization, including the:

  • Value of its data, both structured and unstructured
  • Efficacy of its processes, particularly those that contribute to customer experience
  • Safety of employees, products and in some cases, customers
  • Availability of products and services

Cybersecurity threats affect a complex array of organizational assets that businesses often don’t appreciate in totality due to the failure to align information, such as:

  • Process flows for financial compliance
  • Business capability models as a basis for broad technological change
  • Asset registries for compliance
  • Network topologies to support IT management activities

Disclosing details of a material cybersecurity incident during an active investigation will present new challenges, including:

  • Establishing materiality of the cyber incident to determine if disclosure is warranted
  • Getting a clear understanding of what information will be disclosed and to whom
  • Ascertaining if critical company data was improperly accessed, stolen or altered in any way
  • Having appropriate expertise on the company board to provide oversight

Mapping cyber risk to organizational assets greatly enhances a board’s ability to provide better oversight and gives the board peace of mind knowing investments in cybersecurity are effective and align with business objectives.

Steps your board can take to address gaps in communication and governance within your organization include:

Determine organizational perceptions of cybersecurity. A secure organization is increasingly a stated desired outcome in organizational strategy. Board members should gather information to assess whether cybersecurity is a shared objective among executive management—not merely the concern of a security or IT department. A board should also understand on what basis management determines the resiliency and security of the organization’s assets.

Obtain a full understanding of your organizational assets. Board members should request a consolidation and summary of organizational assets from management, assessed by business impact and reconciled to security control/framework(s). This information will help the board and management develop a common understanding of cybersecurity and provide both groups with insight into the organization and its underlying technology. This analysis promotes ownership by both the board and management because it creates a complete picture of the enterprise. The potential cost of misunderstanding the risk environment compels a high level of visibility and transparency.

Gain clarity on cyber disclosure requirements for your organization. Board members should understand and challenge management’s procedures for assessing the materiality of a cyber incident along with the process of disclosing suitable information within 72 hours. The process should ensure understanding of competing disclosure requirements of multiple regulatory authorities and consider the risk of disclosing inaccurate information.

Achieving these objectives will require a substantial commitment from many boards, and potentially a change in board culture. Companies should also anticipate additional expenditures on internal and external resources to meaningfully address the SEC’s proposed requirements if they are enacted. On the upside, board members can anticipate better visibility into cybersecurity risks, and management teams can address those risks more proactively.

“Regulators and the marketplace are forcing change to close the cybersecurity governance gap. The days of simply attending a board meeting four times a year after reviewing board materials prepared by management are over,” says Hackman.

The takeaway

Boards often do not have a grasp on the risks that cybersecurity poses to the business—and delegating cybersecurity management solely to the IT department does not work anymore. Without an effective framework in place, many boards may be unprepared for a cyberattack. Your board should proactively evaluate and adjust its processes to ensure full insight into cybersecurity risks and their potential effect on investors.

The good news is, although it is complicated and oversight is challenging, cybersecurity is manageable if your board is open to better understanding it and is willing to dedicate the resources to support it.

RSM contributors

Related insights

Subscribe to Critical Insights for Board Members

We work to understand the responsibilities of public and private boards of governance and share our views on what matters—for board members and those who report to them.