Our recent roundtable webinar, titled “Boardroom Insights: Unveiling C-Suite Perspectives on SEC Cyber Rules Impact,” brought together industry leaders to discuss the implications of the Securities and Exchange Commission’s (SEC) cybersecurity disclosure rules.
You can now listen to the entire recording.
The panel comprised distinguished figures, each contributing unique perspectives based on their expertise and experiences.
Presenters
- Tom Glocer, Co-Founder and Executive Chairman of BlueVoyant; Lead Director of Morgan Stanley and Merck
- Meagan Fitzsimmons, Chief Compliance and ESG Officer at GXO Logistics
- Scott Kannry, Chief Executive Officer at Axio
- Nicole Sundin, Chief Product Officer at Axio
Webinar Takeaways
- Insights into SEC Cyber Rules Implementation
- Scott Kannry, CEO of Axio, walked through how the SEC’s cyber rules took shape over the past year, emphasizing that their purpose is to give investors better insight into cyber risk.
“In many respects, the rules have been in development for almost 100 years, speaking back to the very existence of the SEC, which was chartered and began its own journey in 1933, in 1934, with the whole basis of the SEC being an organization that puts rules and frameworks and regulations in place to protect investors.” -Scott Kannry
- Necessity of Enhanced Communication and Disclosure
- Meagan Fitzsimmons, Chief Compliance and ESG Officer at GXO Logistics, underscored the necessity of increased transparency, drawing parallels between cybersecurity disclosure and other regulatory trends such as emissions reporting and human capital management.
“CISOs should not be making these determinations on their own; they should not, no one should be making these in a vacuum. This should include the finance team and the external reporting team, it should include the InfoSec team and the broader IT team. It should include legal and compliance, and it should include the board as well. So it’s a matter of making sure companies have clear and well-communicated internal policies, and that they have clear incident escalation protocols. So when an incident occurs, who needs to be looped in? When do they need to be looped in? And what is that conversation? How do we make that materiality determination? And who is the person or the group of people who are making that final call, making sure that the right people are trained, and making sure that we incorporate it into our broader risk management?” – Meagan Fitzsimmons
- Efficient Cybersecurity Risk Management Strategies
- The panelists stressed the significance of an internal framework for effective cybersecurity incident response, emphasizing clear communication, well-defined roles, and escalation protocols within organizations.
- Quantifying and Managing Cybersecurity Risks
- The panel then turned to the varying approaches organizations take to cyber risk, noting that the nature of cyber events differs by industry and technology usage. Tom Glocer stressed the need to align investments in cybersecurity defense with both risk appetite and spending limitations.
“You need to have in place a framework for conducting the annual 10K disclosure. I think people can grasp the concept of the 8K incident disclosure. It’s a matter of being prepared, and having the necessary tools at hand, and many firms have disclosure committees that regularly review whether there is a need for disclosure of other 8K-type events. I believe the real challenge lies in the work related to the annual disclosure, which requires more preparation that hasn’t been done before, particularly in the first year. I think the board will want to meticulously review that language. Additionally, it boils down to whether the firm is investing enough and in the right areas. This leads us to the question of how to correlate that, which brings us to the discussion of whether to use a NIST framework or some other framework to assess the gaps against best practices. This can be particularly challenging for smaller companies. For instance, JP Morgan spends over a billion dollars a year solely on cyber defense, while other large money center banks spend hundreds of millions of dollars. It’s not reasonable to expect an average billion-dollar market cap company to allocate its entire market cap to cyber defense. So the question arises: how much is enough?” -Tom Glocer
- Importance of Materiality Disclosure in Cybersecurity Incidents
- Nicole Sundin, Chief Product Officer at Axio, emphasized the necessity of a clear framework for determining materiality in cybersecurity incidents, advocating for a mix of quantitative and qualitative factors for transparency and accountability.
- Mitigating Legal Risks and Enhancing Cybersecurity Preparedness
- The panel gave its view on the necessity of a comprehensive cybersecurity strategy, correlating expenditure with best practices and stressing the importance of integrating technical expertise with legal and compliance teams.
- Role of Cyber Insurance and Compliance in Boardrooms
- The panel underscored the importance of informed decision-making to avoid legal issues, highlighting the significance of appropriate cyber insurance coverage aligned with an organization’s risk exposure.
The webinar provided an in-depth exploration of the intricacies associated with the SEC’s cybersecurity disclosure rules, offering valuable guidance for organizations navigating the complex landscape of cybersecurity and compliance in the modern business environment. As regulatory frameworks continue to evolve, such collaborative discussions remain instrumental in shaping the future of cybersecurity governance and risk management for businesses worldwide.