Under current reporting frameworks for public companies in the United States, no disclosures explicitly regarding cybersecurity are required. That will soon change: the U.S. director community will quickly need to perform cyber oversight in a differentiated way to comply with proposed SEC regulations, expected to be finalized and announced in April 2023.
The Importance of Improving Boards’ Cyber Literacy
As boards begin the journey to cyber compliance, one of the first things they need to do is bring all members to a common understanding of the technology landscape. Everyone on the board needs to be familiar with and understand commonly used cybersecurity terms, concepts and frameworks, so that directors can correlate them to the economic decisions the board will be making to protect the enterprise.
Roughly speaking, there are five aspects of cyber readiness, all of which the board must be aware of:
In terms of immediate actions, we need to start with board education to bring everyone to the same level of cyber literacy. We also need to decide which committee will own cybersecurity oversight. Boards must also ask themselves, “How ready are we to comply with the SEC regulations? Where are the gaps?”
Additionally, we as board members should understand the costs and budget impact of bringing our cyber systems up to a level that matches the cost-and-risk tradeoff our company can accept, that is, the loss the business is willing to tolerate. Every industry will have different areas of emphasis. For example, protecting intellectual property may not be as big an issue in a retail business as it is in a pharmaceutical business.
What follows are five steps for educating the board to perform cyber oversight in a way that not only complies with the SEC’s upcoming regulations, but empowers greater performance by the organization, with less risk.
One of the most basic foundational tools that is widely accepted and recognized for performing cyber oversight, and that boards need to understand, is the NIST framework.
The NIST Cybersecurity Framework, issued by the National Institute of Standards and Technology (NIST) at the U.S. Department of Commerce, is an oversight tool that breaks cyber risk into five Functions and reviews the corporation’s cyber posture and readiness to protect itself from a cyberattack. The review checks whether the appropriate methodologies, software tools and personnel are in place. The NIST framework is often used by boards as a scorecard to rate cyber resilience and readiness, identify areas of strength, and decide where to concentrate resources for improvement.
According to NIST’s online learning resource, the NIST Cybersecurity Framework consists of three main components: the Framework Core, the Implementation Tiers and the Framework Profiles.
The Framework Core consists of three parts: Functions, Categories and Subcategories. There are five high-level Functions: Identify, Protect, Detect, Respond and Recover. These five Functions apply not only to cybersecurity risk management but to risk management at large. At the next level down are the 23 Categories, split across the five Functions.
The Categories were designed to cover the breadth of cybersecurity objectives for an organization, while not being overly detailed. They cover topics across cyber, physical and personnel, with a focus on business outcomes.
In my research I found that NIST has released the “Cybersecurity Framework 2.0 Concept Paper: Potential Significant Updates to the Cybersecurity Framework,” which outlines potential significant changes to the Cybersecurity Framework for public review and comment. Management teams will likely want to ask their IT teams to study the proposal, since the board’s scorecard may need to change with it.
Actions for Boards:
Directors will be well served by reviewing the NIST Framework with the full board, so that every director has been briefed. You can then report this in your proxy and other documents.
Questions directors may want to raise with their CISOs:
The natural next step is having a cyber breach response protocol in place.
Think through the protocol in advance. Have the IT and/or cyber teams walk the board through the crisis-management tabletop exercise they have run, and ensure that external cyber forensic experts are already engaged and ready to be called.
Actions for Boards:
As part of tabletop cyber planning, ask the CISO and/or tech team to run you through their post-breach protocol. For example, who is the outside counsel they would use? Who is the forensic consultant? Who on the communications team is in charge?
Additionally, your industry almost certainly has an ISAC (Information Sharing and Analysis Center). ISACs are sector-specific, industry-run bodies that share threat intelligence among members; they can correlate attack activity seen across different companies and different cyber criminals and help inform your company’s response. Be sure that your security team is a member of the relevant ISAC and also has a law-enforcement contact. A good place to start for the latter is the cyber supervisor at your local FBI field office.
The proposed SEC regulations will require disclosure of a material cyber incident within four business days of the company determining that the incident is material. Once a breach occurs, the clock has started. Ask yourself, “How prepared are we to do a materiality assessment and report?”
It becomes imperative that the board have a management plan for assessing materiality. This means that management needs to develop a new protocol specifically for assessing cyber materiality. Ask management whether someone from the finance and IT teams has been designated to define bracketed levels of materiality in advance. Is there an expert at your law firm and at your outside accounting firm who should be part of this cyber materiality assessment?
Actions for Boards:
Ask the right questions of management’s materiality assessment framework, such as:
Another component of the proposed new SEC regulations is that companies will need to disclose whether any director has cybersecurity expertise and, if so, the nature of that expertise. To be considered an expert, a director will need clear cyber credentials: e.g., prior work experience in cybersecurity or IT (including at a cybersecurity firm), a cybersecurity certification or degree, or other demonstrable knowledge and skills such as completion of adequate coursework.
Actions for Boards and Management:
The board may want to consider bringing in outside experts to give the entire board an orientation and briefing. Examples of external advisors include cybersecurity forensic firms, as well as outside accounting firms and outside law firms. I’m sure all boards are identifying which board members have cyber credentials and encouraging the rest of the board to quickly upskill in cyber issues.
Management may want to look at augmenting the IT and/or cyber team with external managed security service providers (MSSPs). MSSPs add a level of independent, dedicated 24/7 cyber monitoring that is often far more comprehensive than most corporations can staff in-house.
The SEC already expects regular and periodic updates on corporations’ cyber processes and policies in their filings. When the proposed SEC regulations are adopted, this will become even more critical.
When it comes time to do your proxy, I recommend disclosing more rather than less.
Actions for Boards:
Address the following in your proxy statement:
Given the importance of cyber, I would suggest that boards begin these five key steps right away.