# Opener

SEC Rule Poses New Challenges for CISOs

Published by Richard Caralli

In July 2023, the Securities and Exchange Commission (SEC) adopted rules requiring publicly-traded companies to disclose material cybersecurity incidents and to report on their cybersecurity risk management, strategy, and governance activities on an annual basis beginning in December 2023.  For some organizations, this is simply a recalibration of good cybersecurity risk management practices already in place. For others, improvements in the way cybersecurity risk is managed, analyzed, mitigated, and reported on will be on the horizon.  At the center of this new requirement is the changing and evolving role of the CISO—which faces a make-or-break moment.

Much has already been written about the challenges of meeting the new SEC reporting requirements, particularly around incident disclosure and materiality.  And while those issues will add to the CISO’s already challenging role, the evolution of the cybersecurity executive’s position in the organization—especially relative to peers—is not getting the attention it deserves.

By design, the CISO’s role is a game of tug-of-war.  On one hand, collaborative relationships with other business leaders must be cultivated to run a successful cybersecurity program, but arms-length independence is needed to ensure cybersecurity risks are communicated to senior management and Board members, no matter where they originate.  Two realities of a CISO’s daily life make this an untenable place to operate.  First, many CISOs do not yet have parity with other senior executives.  Their decisions are often scrutinized and second-guessed by more-senior roles (such as Chief Information Officer or Chief Financial Officer), forcing CISOs to balance independence and career.  Second, because cybersecurity risk emerges across the organization (not just in technology pockets), CISOs have the sometimes-unpleasant need to put peer relationships “on ice” to ensure key exposures are identified and communicated up-the-chain—and possibly disclosed to the SEC.

Deciding what is reported to the SEC will also put the CISO in the center of a new tug-of-war.  Narratives will need to be crafted that balance meeting disclosure requirements with potential reputational or financial damage, a place where the CISO may find their negotiation skills put to the test.  Many CISOs already complain that their messaging on cyber risk exposure is watered-down before it reaches Board level scrutiny, so the SEC disclosure process will test the CISO’s ability to lead authentic discussions about the state of the organization’s cyber risk management processes while managing internal pressures to lessen-the-blow.  The SEC requirement on incident disclosures will further magnify this challenge:  determining materiality of a cyber incident will likely involve many internal constituencies (like legal, accounting, and internal audit) as well as external consultants, such as the auditors who issue annual opinions on the state of the organization’s financial statements.   This will draw the CISO into new discussions that will test their ability to appropriately quantify risk and translate their understanding of cyber risk exposure into the language of their peers and Board members.

So, how can CISOs navigate these new SEC pressures while leading the organization’s cybersecurity program?  First, the CISO needs parity with other senior management roles.  The SEC disclosure rules underscore the need for CISOs to have an equal seat at the table with other senior leaders and to be heard without prejudice.   Technology underpins many key organizational processes which exposes them to evolving attacks at a higher velocity.  These processes are owned by peer managers—and CISOs are their partners in ensuring cyber risks are identified, analyzed, and mitigated before they can cause organizational disruption.   Since they play this important role, CISOs need the visibility, authority, and audacity to act alongside their peers in minimizing cyber risk to an acceptable level.

Second, CISOs are caught between the rules and the rulers—they need independence to speak freely and openly about the organization’s cyber challenges from their vantage point.  This is not unlike the opportunity afforded to many senior internal audit leaders who typically report to Chief Financial or Chief Accounting Officers but have a dotted-line reporting relationship to audit committees on the organization’s Board.  This is to ensure that any weaknesses—particularly material weaknesses—can be entered into the governance and oversight process without fear of retaliation or retribution.  The CISO needs similar reporting structures as their role in the materiality discussion will expand under the new rules.

And relative to materiality, CISOs need to establish significant working relationships with key finance, accounting, auditing, insurance, and enterprise risk management roles.  For many publicly traded organizations, materiality involves a complex conversation and consideration of not only hard calculations (the “science”) but also judgment and context (the “art”) that sometimes relies heavily on the experience of external auditors to determine what should be included in annual audit reports.  For cyber incidents, materiality further involves understanding the impact of cyber incidents in a prospective loss context, and that requires a deep understanding of cyber risk quantification against the backdrop of the organization’s materiality parameters.  The CISO will need to convey a basic understanding of the mechanics of a cyber incident and the potential impacts, while working with key decision makers who deal with the financial viability of the organization on a daily basis.   Cultivating a cyber risk quantification skill set is a bridge that CISOs can use to narrow the understanding gap and ensure that materiality disclosures not only meet the SEC’s requirements but also provide concrete support for organizational decisions about what to disclose and when.

Finally, for organizations that continue to struggle with maturing their cyber risk management capabilities—a key reporting element of the SEC disclosure rules—the CISO will need to champion and lead state-of-the-practice improvements.  This may involve justifying additional investments in tools, technologies, and people who are foundational to the cyber risk management process and can ensure future disclosures adequately portray organizational competence in these key activities.  In the end, shareholders want to know that organizations are at the top of their game in identifying and mitigating cyber risk before incidents occur—and to be able to rely on such information when making investment decisions.

For a detailed overview on the impact of the new SEC cybersecurity rules, we invite you to listen to our roundtable discussion, Boardroom Insights: Unveiling C-Suite Perspectives on SEC Cyber Rules Impact.