At a recent audit committee meeting we were briefed by our Big Four accounting firm on cyber-risk. They referenced a two-page notification from the Director of the Cybersecurity and Infrastructure Security Agency, Jen Easterly, sent to Directors on February 25, 2022 urging Corporate Directors to be mindful and prepared for cyber-risks during the evolving Ukraine crisis. (See link: Urgent Letter from the Director of CISA addressing NACD Members – February 25, 2022 (nacdonline.org)) The communication from Director Easterly expresses heightened cyber-risks emanating from Russian threat actors acting perhaps in retaliation against economic and other sanctions.
It’s highly unusual for a government agency (CISA) to reach out directly to corporate board members.
Additionally, on March 9th, 2022 the SEC issued a 129-page cyber regulation proposal. (See link: Proposed rule: Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure)
What is particularly noteworthy is the brevity of the comment period – only 30 days – on wide-sweeping rules and requirements that will affect registrants and Corporate Directors alike, perhaps akin in its breadth to the Sarbanes-Oxley Act nearly twenty years ago (which had significant unforeseen burdens and costs for corporations).
(See link to submit comments: SEC.gov | How to Submit Comments)
Another noteworthy factor is that the proposed regulations would affect small companies as well as large multinationals. Understandably so, given that virtually all companies are connected by the internet and most supply chains include small dealers, distributors and manufacturers, the proposed regulations do not exclude companies based on size. We all recall hearing about how the breaches of larger companies often originate from the less vigilant or resource-challenged smaller companies that are part of their supply chain, or of their dealer and distributor network.
The new regulations pose questions to the board such as: Does the board have a cyber expert? What are their credentials and how was their expertise determined? How does the Board execute its oversight of cyber-risks? Does the company consider cybersecurity risks in its business strategy, financial planning, and capital allocation processes?
While the proposed regulation does not mandate which Board Committee should own cyber-risk in its remit, that remains a topic for Boards to contemplate. There are pros and cons to consider: some observe that the audit committee may be too overburdened as it is, and question whether it has the time and expertise to oversee ever-growing cyber risks. Additionally, audit committees already must observe heightened financial reporting deadlines, so that is another consideration to be weighed by the Board.
Companies are also being asked, do you have a Chief Information Security Officer? Where does that person report? What are their credentials? Embedded in these questions is a subtle determination of whether a CISO should report independently of the IT organization, perhaps analogous to the way internal audit functions generally don’t report within the finance organization.
There are specific proposed regulations that are complicated, if not concerning. For example, if there is a material cyber incident, the company would have only four days in which to publicly disclose it upon determining that the incident was indeed material. Determining materiality involves both quantitative and qualitative evaluations; that process needs to be re-examined. Further, the regulations require that any prior incident that doesn’t rise to the level of materiality may subsequently be deemed material when aggregated with other subsequent and similar cyber incidents. The process and protocols for this aggregation will require very thorough Board oversight and input.
There are also inferred questions such as: how cyber-ready is the board? Do you have external expert briefings for the board? External experts doing penetration testing? What kind of internal training are you overseeing within the company? Do the Directors have external courses and credentials they are expected to receive in order to stay current?
Another issue that speaks to the Board’s oversight is: do you have adequate insurance and planning in the event of a cyber breach? This raises the question of the adequacy of the company’s cyber insurance, and whether the company is financially modeling cyber-risks based on varying probabilities, from an ordinary event all the way to “Black Swan” scenarios.
As is widely reported, insurance companies are scaling back their coverage of ransomware attacks. The recent court case involving Merck’s cyber insurance claim arising from the impact of the NotPetya malware illustrates both the cyber-risk (media reports damages of over $1 Billion) and the difficulty in collecting on a policy claim. The Merck cyber insurance case remains in litigation, now nearly 5 years after the NotPetya attack.
All companies are covered in the proposed SEC regulation, regardless of sector. You can imagine a traditional manufacturing company, for example an iron smelting company, would ask why this affects it. Well, if you have seen some of the reporting lately, we have Russian mobs who are breaching the reporting agents of companies right before earnings reports so that with the insider information they can front-run the stock market. There was a recent media report of an insider trading breach involving imminent earnings reporting for public companies in which the Russian mob made $80 million in illegal trades on the public market.
One of the things that strikes me as I ponder current events is that we are proposing such a broad, sweeping set of regulations without clear ways for boards to satisfy the burden of the regulations. In doing this, are we setting ourselves up for a flood of plaintiff litigation?
I would urge companies to quickly comment and push back hard on these broad regulations which put a huge burden on companies.
Of course, we need to do the right things as directors. Of course, we need to be cyber ready. We need to take this seriously, which presumably all directors already do. We are all diligent, engaged, highly committed stewards for all of our stakeholders. That said, we don’t need penalties, threats, huge bureaucratic regulatory burdens and an avalanche of plaintiff lawsuits.
The other takeaway is clearly that we must all go on high alert as public company and private company directors and anticipate a serious threat of cyber-attack on our companies.
We need cyber training for all employees.
We also have to beef up our external third-party resources.
It’s probably a very opportune time to have an outside third-party cyber penetration testing firm review and do white and gray hat cyber exercises on your systems.
Evaluate your backup systems (assuming that there may be a serious attack on the cloud), as well as look at the level of your current cyber systems and consider upgrading your security and cyber software testing.
It might also be a good time to look at building a relationship with a cyber managed services provider who can do external monitoring to augment what you currently have in house.
There is a lot to consider in these unprecedented times, but I urge boards and companies to please consider commenting on the new SEC proposed regulation rapidly. I am sharing the link again here, so your voices may be heard: SEC.gov | How to Submit Comments