With new cybersecurity legislation being proposed by the U.S. Securities & Exchange Commission (SEC) on Cybersecurity Risk Management, Strategy, Governance and Incident Disclosure, boards will have more reason to be cyber-savvy. Those in the C Suite will need to implement policies and procedures related to cybersecurity. And those on the board will need to identify and demonstrate cybersecurity expertise and oversight of cybersecurity risk.
These new regulations will shift how organizations handle cybersecurity threats, specifically around reporting, disclosure, and governance. While the legislation is still being finalized, there are several areas that both leadership and board members should review to increase their cybersecurity readiness.
Disclosure of Cyber Incidents
With the new proposed SEC rules, companies will need to disclose material incidents to the SEC to provide transparency to shareholders. Because of this disclosure, board members must be ready to understand, and possibly even defend, the organization’s cybersecurity strategy. This will be a major change for many boards, given there has historically been a low level of cybersecurity expertise at the director level.
Determination of Reporting Thresholds
Under the proposed SEC rules, there is no clear definition of which cybersecurity incidents must be reported, though guidance is expected in the final rulemaking. Similarly, there are open questions about the level of detail expected for each incident. Sharing too much information could weaken a company's cyber defense posture, even though the SEC is seeking to maximize transparency for shareholders. After the SEC releases the details in 2023, leadership, IT, cybersecurity advisors and legal counsel will need to work through the compliance requirements together to determine the right course of action.
Discovery of Capabilities and Skills
Because expectations of both leadership and board members are increasing, there will be shifts both in the expertise required of boards and in board process routines. Cybersecurity expertise will need to be clearly defined and vetted. Structures and routines for how boards operate and for how they report both cyber threats and cyber attacks must be developed, and they must be detailed yet easy to implement.
As organizations prepare for new regulations around cybersecurity readiness and response, these rules could be the start of a longer road toward governmental oversight of cybersecurity. Whether the goal is to improve cybersecurity defenses, improve shareholder relations or reduce the costs of cyber incidents, these new regulations can help organizations reduce their potential risk.
ABOUT THE AUTHOR
Brian Walker is a cybersecurity advisor and the founder and CEO of The CAP Group, a firm working with directors and officers in the areas of cybersecurity and risk management advisement. His expertise is sought by clients ranging in size from global Fortune 500 to regional G2000. Learn more about the service offering from The CAP Group (https://www.thecap.group/).