New SEC Policy Drives the Need for Stronger Board Oversight of Cybersecurity

The US Securities and Exchange Commission’s (SEC) latest cybersecurity proposal would require publicly traded companies to disclose certain details about material cyber incidents, organizations’ cyber capabilities, boards’ cyber expertise, and how cybersecurity is governed by the board. In this way, the proposal could fundamentally alter board behavior and composition.

Since cyberattacks can pose serious threats to any organization’s reputation, private companies and nonprofits might also consider elevating board-level oversight of cybersecurity. As the SEC’s requirements raise public expectations about disclosure, nonpublic enterprises may have to follow suit to reassure stakeholders that personally identifiable information is protected and that digital objectives are still attainable.

Cybersecurity oversight is typically the purview of an audit committee. But given the pervasive and complex nature of technology—from the back office to the manufacturing floor to the customer experience—and persistent threat actors, boards now have to consider new ways to oversee how their companies contend with high-profile ransomware attacks, denial-of-service intrusions, man-in-the-middle attacks, zero-day exploits, and other threat actor behavior.

Just as Sarbanes-Oxley legislation expanded the responsibilities, and liability, of audit committees, the SEC’s recently proposed rules may require public boards to embrace change in unexpected ways. Realistically, audit committees, already overloaded and stretched thin, will be challenged to meet the new SEC requirements.

A new board function—such as a technology and risk committee—may be required to address cyber risk. In fact, Gartner predicted that by 2025, 40 percent of boards will have a dedicated cybersecurity committee overseen by a qualified board member. In addition, this forecast was made more than a year before the SEC published their latest proposed cybersecurity policies. These policies may accelerate a change in board composition, targeting companies where data is a strategic asset and technology is critical for operations.

The NACD Cyber-Risk Oversight Handbook points to five principles for board oversight of cyber risk, including:

• Directors should understand and approach cybersecurity as a strategic, enterprise risk, not just an IT (information technology) risk.

• Directors should understand the legal implications of cyber risks as they relate to their company’s specific circumstances.

• Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on board meeting agendas.

• Directors should set the expectation that management will establish an enterprise-wide cyber-risk management framework with adequate staffing and budget.

• Board-management discussions about cyber risk should include identification and quantification of financial exposure to cyber risks and which risks to accept, mitigate, or transfer, such as through insurance, as well as specific plans associated with each approach.

NACD is right in setting a high bar for overseeing cyber-risk management. If your board and management team are considering how to respond to the new SEC cybersecurity proposal, ask yourselves the following questions:

• How will we assess and monetize cyber risks and measure the material impact of cyber incidents?

• Are we experienced enough to objectively assess the company’s cybersecurity capabilities, remediation plans, and other policies and procedures for identifying and managing cyber risks?

• Do we have a deep understanding of the company’s extended enterprise architecture and supply chain, including insight into the risks posed by second-, third-, and fourth-level suppliers who are often the target of cyberattacks?

• Is the right cybersecurity governance discipline in place, for example, adequately documenting discussions and decisions that might be required as evidence in a lawsuit?

• How does our board stack up in light of the SEC’s requirement to disclose cybersecurity expertise among its members? Will the board have to consider adding members with the requisite qualifications?

• Can we objectively and constructively engage in cyber incident reporting required by the SEC, such as by establishing principles for what is meant by a “material” breach, and can we adapt to the new proposal’s time and manner of reporting requirements?

By asking the right questions and questioning the answers in the context of a technology and risk committee more focused on cybersecurity, board members can be invaluable in helping management address risks that reside in an increasingly challenging threat landscape.

Bob Kress is a managing director at Accenture Security, where he is the cochief operating officer and the global lead for quality and risk.