SEC Pushes for Stronger Cyber Governance

Published by Axio

The Securities and Exchange Commission (SEC) released its final rule on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure on July 26, 2023. This gives organizations approximately five months to confirm compliance plans before the new disclosure requirements take effect in mid-December. One of the important elements of the new disclosure requirements is an emphasis on strong cyber governance. Specifically, applicable public organizations will have to describe the company’s governance of cybersecurity risks as it relates to:

  • The board’s oversight of cybersecurity risk, including identification of any board committee or subcommittee responsible for oversight and the process by which they are informed about cyber risks.
  • Management’s role and expertise in assessing and managing material cybersecurity risk and implementing cybersecurity policies, procedures and strategies.
  • Specific disclosure of any management positions or committees responsible for assessing and managing cyber risks, including discussion of their relevant expertise.

With the exponential growth of digitalization and the increasing sophistication of cyber-attacks, boards are under tremendous pressure to care about cyber risk now more than ever. A cyber breach can result in significant financial loss, reputational damage, and legal liabilities, causing irreparable harm to an organization. Boards are responsible for ensuring that their organizations are adequately prepared to deal with cyber threats.

Here, we explore the board’s role in cybersecurity governance, share a few notable real-world board stories, and highlight the benefits of being prepared by using a risk management platform for the upcoming SEC regulations.

With some thoughtful changes in how to approach cybersecurity governance, boards can develop a meaningful cybersecurity strategy and provide the necessary resources to the appropriate teams to mitigate cyber risks.

The role of the board in cybersecurity governance

Cybersecurity governance is essential to every organization, regardless of its industry. In highly regulated industries such as financial services, healthcare, and energy, specific cybersecurity regulations have been established to ensure the protection of sensitive information and critical infrastructure. For instance:

  • Financial Services Industry
    • Cybersecurity governance in the financial services industry is highly regulated to prevent data breaches, cyber-attacks, and fraud. The Payment Card Industry Data Security Standard (PCI DSS) is one such regulation that outlines the requirements for protecting credit card information.
  • Healthcare Industry
    • The healthcare industry is highly regulated due to the sensitivity of patient data. The Health Insurance Portability and Accountability Act (HIPAA) outlines the requirements for protecting patient data, including electronic medical records (EMRs).
  • Energy Industry
    • The energy industry is also highly regulated due to the critical nature of its infrastructure. The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards specify cybersecurity requirements for protecting the electric grid and other energy assets.

The board’s involvement in cybersecurity governance has always been prominent. But it should not be limited to only ensuring a minimum level of compliance (as mentioned in the above examples), approving the budget for cybersecurity initiatives, or receiving a quarterly report on cybersecurity incidents. Instead, the board should actively ensure that the organization is adequately prepared to respond to cyber threats. This involves:

  • Understanding the organization’s risk profile
  • Ensuring that the organization has the appropriate controls in place
  • Regularly reviewing the organization’s cybersecurity posture
  • Ensuring that the organization has a robust incident response plan in place and that the plan is tested regularly

The cybersecurity board game requires speed, accountability, and readiness 

A recent National Association of Corporate Directors (NACD) survey found that only 19% of board members felt confident in their company’s cybersecurity practices. This is a concerning statistic, given the increasing threat of cyber-attacks. In another study by Deloitte on cyber risk reporting in the UK, it was found that 63% of breaches were due to a lack of effective cybersecurity governance regarding data protection. Below are a few notable cybersecurity incidents and their subsequent board-level responses.

Board governance story 1: Equifax data breach and board oversight

In 2017, Equifax, one of the largest credit reporting agencies in the United States, suffered a massive data breach that exposed the sensitive information of over 143 million customers. The company’s board of directors faced scrutiny over its lack of oversight in preventing the breach and managing the fallout. An investigation revealed that Equifax had failed to patch a known vulnerability in its systems, which allowed hackers to access customer data. Additionally, the company’s board was criticized for its slow response to the breach, which further exacerbated the damage.

Equifax’s board of directors ultimately faced legal action, shareholder lawsuits, and reputational damage in the wake of the breach. The incident highlights the importance of board oversight and cybersecurity risk management.

Board governance story 2: Yahoo data breaches and board accountability 

Yahoo, the popular internet services company, suffered two major data breaches in 2013 and 2014 that exposed the personal information of over 3 billion users. The company’s board of directors faced criticism for failing to take adequate cybersecurity measures and to disclose the breaches to the public promptly. An investigation found that Yahoo had known about the breaches but failed to take action to protect user data or inform the public. The company’s board ultimately faced legal action and financial penalties for their lack of accountability.

The Yahoo data breaches highlight the need for board members to take responsibility for cybersecurity incidents and ensure that proper risk management measures are in place to prevent similar incidents from occurring in the future.

Board governance story 3: Colonial Pipeline ransomware attack and board preparedness 

In May 2021, the Colonial Pipeline, which supplies gasoline and other petroleum products to the East Coast of the United States, was hit by a ransomware attack that caused a shutdown of its operations for several days. The attack led to widespread fuel shortages and a spike in gas prices. The incident highlighted the importance of board preparedness in the face of cybersecurity threats. Colonial Pipeline’s board of directors faced criticism for their lack of preparedness and inadequate cybersecurity measures.

Following the attack, the company’s CEO testified before Congress, where he acknowledged the need for improved cybersecurity measures and increased investment in infrastructure to prevent similar incidents in the future. The incident serves as a reminder to boards of the need for proactive cybersecurity risk management and preparedness.

How the SEC cybersecurity regulations will change the lives of board members forever 

If the above real-world stories are not enough to raise the cybersecurity concerns of board members, the SEC will certainly prioritize readiness and reporting by imposing fines and other legal ramifications for not complying.

What are the top three ways board life will change?

First, the SEC cybersecurity regulations will require companies to disclose their cybersecurity risks and incidents in a more detailed manner. This means that board members will need to have a deeper understanding of the cybersecurity risks facing their companies and be able to communicate these risks to investors and other stakeholders. Board members will also need to ensure that their companies have adequate cybersecurity measures in place to prevent and mitigate cyber-attacks.

Second, the regulations will require companies to have comprehensive cybersecurity policies and procedures. Board members will oversee the development and implementation of these policies and ensure that they are regularly reviewed and updated. They must also ensure that their companies have adequate resources to implement and maintain these policies and procedures.

Finally, the new SEC cyber regulations will require companies to report cybersecurity incidents to the SEC in a timely manner. Board members will oversee the investigation and response to these incidents and ensure all necessary information is reported to the SEC. They will also need to ensure that their companies have adequate plans to respond to cybersecurity incidents and mitigate their impact.

Want to learn more about creating a more effective Board of Directors to tackle new SEC cybersecurity regulations? Check out our Leadership Guide: Getting the Board Game Right.

The benefits of being prepared by using a risk management platform 

Effective cybersecurity governance requires a comprehensive and integrated approach to risk management. A risk management platform enables organizations to identify, assess, and prioritize risks and take appropriate steps to mitigate those risks. By using a risk management platform, organizations can ensure they have a comprehensive understanding of their risk profile, develop a comprehensive incident response plan, and ensure that employees are trained on cybersecurity awareness. A risk management platform like Axio360 enables organizations to report on their cybersecurity risk management practices, as required by the SEC’s new regulations. Clear and timely reporting on cybersecurity risk management practices provides transparency to stakeholders, including shareholders, customers, and regulators, and demonstrates the board’s commitment to effective cybersecurity governance.

Ultimately, the SEC’s cybersecurity regulations highlight boards’ critical role in managing cyber risk. Boards must ensure that their organizations have the necessary policies and procedures, allocate sufficient resources to cybersecurity, and monitor and test the effectiveness of their cybersecurity program. Boards that take an active role in cybersecurity governance can reduce the risk of significant reputational and financial damage resulting from a cyber-attack, demonstrate their commitment to effective corporate governance, and maintain their fiduciary duty to the corporation, investors, and the public.

Published April 28, 2023; updated August 24, 2023