Companies are beginning to digest the recently published SEC rules for cybersecurity disclosure related to incident reporting, risk management and governance processes. The scope of “materiality” is expanded beyond objective determinations to include subjective and qualitative impacts such as reputational harm, impact on customer and vendor relationships, competitiveness, and the possibility of litigation, regulatory investigations or actions, among others.
By dealing in broad concepts, the SEC is squarely placing the burden on registrants to develop the practices and corporate judgement needed to close the cybersecurity governance gap and to promptly assess cybersecurity incident materiality. These disclosure requirements suggest the need for registrants to establish a robust, fully formed, cross-functional digital risk management governance capability. This can be a large undertaking which requires a deeper enterprise-wide understanding of the complex digital systems which make up today’s businesses. Registrants are wise to embrace this challenge soon in order to meet short-term SEC disclosure deadlines. Anything short of this may be counterproductive and viewed as superficial.
The SEC rulemaking broadly defines “what” needs to be done. It is up to registrants to determine “how” to do it. The CAP Group has produced an Adoption Framework which delineates key capability areas to focus on in satisfying the SEC rules and improving cybersecurity governance. In this article, we focus on the organizational and educational considerations for developing a contextual systems-of-systems understanding amongst the board and risk experts, and on the cultural changes needed to imprint upon the organization the importance of a shared responsibility for managing digital risk.
Management: It is important to have in place an enterprise risk management (ERM) and digital risk organization which fits your enterprise. One key success factor is the designation of a senior executive with responsibility and authority over all digital systems. This is often the CIO but could be the CFO or Chief Risk Officer (CRO) depending on the situation. It is also key to have in place an internal Digital Risk Committee (DRC) led by this executive which includes leaders of all key functional areas of the enterprise. The DRC would be tasked with managing digital risk and making recommendations to the board of directors. Clear authority and responsibility within the DRC is essential for cybersecurity, incident response and materiality determination. The DRC must have:
Clear authority over IT, OT, legal, internal audit, compliance, finance, HR, etc. to the extent these functions impact enterprise-wide use of digital systems.
Independent reporting channel to executive leadership.
Role as peer to C-Suite executives.
Board Committee: Most registrants will benefit from having a single board-level committee to manage digital risk, perhaps even a formally chartered Risk Committee. This may require adding digital systems expertise to the committee if it is not already present. This committee would interact with the DRC periodically and as needed.
Status of Cybersecurity: It will be important to re-evaluate your cybersecurity tools, policies and procedures, their purpose and their cost. It may be necessary to engage third parties to determine the efficacy of your cybersecurity program. Finally, it is vital that a uniform set of systems-based ERM and digital risk frameworks serve as the basis for communication across the organization and provide a uniform vehicle for DRC recommendations.
Risk Identification, Management & Governance: Under the new SEC rules, registrants are required to describe their processes for assessing, identifying, and managing material risks from cybersecurity threats. Registrants are also required to describe whether any risks from cybersecurity threats have materially affected the registrant, including its business strategy, results of operations, or financial condition, and if so, how. Satisfying these disclosure demands is likely to be more complex than is obvious upon initial examination. These disclosures require an understanding of the inner workings of the complex digital systems which comprise the enterprise – likely at a level more granular and more all-encompassing than most boards are accustomed to.
Systemic Risk: Cyber risk is a form of systemic risk, which can only be dealt with through a contextual understanding of the inner workings of the underlying system. The system elements comprising your business and their relative importance can be defined within the context of the “Enterprise-as-a-System” (“EAS”). An initial educational exercise would involve the development of a high-level business process map, followed by a more detailed decomposition of how the enterprise works and the relative importance of its components. This will provide vital context both for making investments in mitigation tools and for making incident materiality determinations.
People are the most important component of the EAS and must be treated accordingly. It will be vital to develop an enterprise-wide training program with frequent short periodic training episodes which do not overburden employees. It is also important to identify, recognize, and reward good behavior – and seek to reshape less desirable behaviors.
Practicing table-top exercises frequently, advertising results, and conducting after-action reviews will be important in identifying improvements for subsequent iterations.
Communicate within your enterprise regularly on emerging cyber threats and actual incidents. Make cybersecurity a shared enterprise goal.
Each registrant's response to the new SEC rules is a legal necessity, but not solely that. It is also an opportunity to take cyber risk oversight and management to a higher level, one which adds rich context and deeper understanding for directors and officers. Given the increasing speed of innovation and competition, as well as the universal dependence on digital elements in company operating models, organizations with this deep understanding of their enterprise as a system will likely enjoy competitive advantages resulting from greater innovation and enhanced agility. Don’t let this be just a compliance “check-the-box” activity; take advantage of this opportunity – and start now!