Sixteen months after publishing proposals, the US Securities and Exchange Commission (SEC) has finally ruled on cyber security. It joins a growing list of regulators acting in this space, including the EU’s NIS2 Directive, Australia’s Critical Infrastructure Act and Norway’s Security Act. It’s highly likely more will follow suit.
The SEC’s ruling requires companies to describe their management oversight of cyber, processes for the assessment, identification, and management of material cyber risks, describe actual or potential material impact, and report material incidents within a specified timeframe and standard reporting framework. While the SEC’s remit is limited to public companies that are subject to the reporting requirements of the Securities Exchange Act of 1934, experience shows us that SEC rulings have a habit of becoming the de-facto standard for good governance, meaning the ripple effect is likely to be considerable.
The SEC also requires these companies to describe their board oversight of cyber risks.
Boards are increasingly concerned about cyber security, ranking it as one of their top priorities, and for good reason. The cyber security risk is growing. Almost two-thirds (61%) of enterprise firms were targeted in 2021, up from 51% in 2020. One in six of all companies that were attacked in the past year said they almost went under as a result. Ransomware attacks increased in frequency by 200% between 2019 and 2021 and multi-million-dollar ransom payments grab the headlines, such as JBS who paid out $11 million, and the Colonial pipeline, where a ransom of $4.4 million was paid.
The impact of cyber events extends well beyond ransom payments; remediation efforts, higher insurance premiums, business disruption, lower production, delays, reputational damage, intellectual property theft, litigation, and regulatory actions, to name a few.
Getting cyber security governance right is not just a win for the security of individual companies; evidence shows that large enterprises with digitally savvy executive teams have significantly higher revenue growth, valuations and net margins. Effective cyber security also brings many top line benefits, including greater success rates when tendering for new clients, improved data insights, investor confidence and maintenance of shareholder value during mergers and acquisitions.
While there has undoubtedly been progress in recent years on board governance of cyber security, many boards struggle to dispense their responsibilities. Many don’t understand their unique role on cyber security, lack the right level of cyber awareness and can’t turn to CISOs or other executives to bridge this gap, and as a result fail to challenge what they hear in the boardroom.
This vacuum in cyber security board governance leads to three common problematic postures: passive, in the weeds, and deferential. Directors on these boards, respectively, have a tendency to disengage from the conversation, get distracted by the technical details at the expense of a risk-based approach, or wave through the recommendations of a trusted and well-presented CISO.
Cyber-engaged boards operate differently. Exactly what cyber-engaged looks like will differ according to a company’s cyber risk profile, but these boards have a clear understanding of the unique role of the board, recruit directors with specialist knowledge of technology, digital, data or cyber, invest in education to raise their individual and collective knowledge of cyber security, make cyber security a regular topic of discussion in board meetings, ensure cyber security has a home within a designated board committee, and seek out advice from the CISO and independent cyber advisors.
In Savanti’s forthcoming paper: Effective Board Governance of Cyber Security – A source of competitive advantage, we set out a 5-point plan for effective cyber security board governance:
- Boards should understand their unique role as a board: setting the company’s risk appetite, focusing on resilience and recovery, ensuring they remain informed and up-to-date, and being prepared to respond as a board in the event of a cyber incident.
- Boards should be appropriately informed about technology, data and cyber security, including having at least one NED with relevant expertise. It is disappointing that the SEC dropped its proposal requiring boards to report on their expertise at board level – this would have helped to enhance board-level capability. We also argue that Chairs should encourage directors to educate themselves, invite experts in to brief the board, allow and encourage NEDs to be in contact with CISOs and ensure directors have access to independent board advisors.
- Boards should put cyber security on the board agenda at least quarterly and more frequently when there is something critical ongoing. The board report should be delivered by the CISO, and companies with elevated technology, data and cyber risks should consider establishing a technology committee of the board.
- Boards should ensure they have access to independent cyber security advisors. They can help: a) the CEO and CFO to challenge and arbitrate between the CISO, CIO and CTO, and help them to interpret reports from the CISO, b) NEDs via one-to-one coaching and assistance in preparing for board meetings, and c) CISO coaching to help the CISO to communicate and engage appropriately at board level.
- Regulators, investors and public bodies have crucial roles to play. While regulation should be the last resort in many situations, it is time to act on cyber security with smart and focused regulation. Investors should continue to ask questions of their portfolio companies to drive action and improvement. And public-private partnerships can offer enormous benefits, both for individual companies and also for the public good.
Cyber security is no longer just a necessary hygiene factor – it is a key differentiator for the increasingly digital organisation and is a source of competitive advantage. Doing it well starts at the top, but the majority of boards still don’t get it. Regulation is not the only answer – but it is an important part of the solution.
Cyber security leadership is broken: Here’s how to fix it, Richard Brinson and Rachel Briggs OBE
Cyber Security Toolkit for Boards, National Cyber Security Centre
Global Cybersecurity Outlook 2023, World Economic Forum
SEC Adopts Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies, the US Securities and Exchange Commission, July 2023