Groundhog Day, SEC Style: Proposed Rule On Cybersecurity Risk Governance Has All The Pain Of SOX With Fewer Financial Penalties
There’s a significant shift ahead for how public firms and their boards treat cybersecurity risk.
The last two years increased the amount of cybersecurity oversight in terms of regulations and guidelines. Voluntary “recommendations” such as the National Institute of Standards and Technology’s guidelines for AI offer a starting point for safer use of artificial intelligence, while others mandate requirements, like the White House’s executive order on cybersecurity. But the one that has the potential to impact how public companies and their boards handle cyber risk is the US Securities and Exchange Commission’s (SEC) proposed rule on cybersecurity risk governance due to publish in April 2023.
In this proposed rule, the SEC states with complete clarity that cyber risk is business risk. What does this mean for you? The era of nominal regulatory oversight is over!
The SEC Finally Trades Recommendations For Requirements
When finalized, this rule will trigger monumental change in cybersecurity and risk terms, in everything from corporate accountability and reporting structures to financial reporting, not seen since the passage of Sarbanes–Oxley (SOX) in 2002. If you thought SOX compliance was killer, be prepared for a similar level of pain, as most boards say that cyber is important but do not give it the attention it deserves. This SEC requirement ends the practice of giving lip service to cybersecurity. The similarities don’t end there. Both regulations emerge as a direct result of the failures of previous attempts of guidance and recommendations to drive meaningful change. In the early 2000s, widespread corporate failures such as Enron and WorldCom highlighted that accounting firms and generally accepted accounting principles weren’t enough to deter financial fraud. Hence, Sarbanes–Oxley was born. Similarly, recent headlines of cybersecurity breaches and opaque announcements, like from Equifax — and of complete cover-ups, such as what has come out of Uber — have had significant impact on shareholders, per the SEC. The SEC’s interpretative guidance on public company cybersecurity disclosures, adopted in 2018, failed gloriously. The SEC learned from its prior approach of merely giving suggestions and now issues a mandate.
External Factors And Adjacent Regulations Add A Significant Amount Of Overhead
Small language changes make a huge difference when it comes to compliance. For example, the 2018 interpretive guidance asked firms to consider materiality and other factors when “evaluating the need for cybersecurity risk factor disclosure.” The proposed rule requires disclosure of policies and procedures to identify and manage cybersecurity risks, the board of director’s cybersecurity expertise (if any), and updates on previously reported cybersecurity incidents. This will require significant change management, additional cybersecurity expertise on boards, and a new governance structure to administer these practices. Having an “audit committee” is no longer sufficient. Technology investments will include new tools such as cyber risk quantification and a better ability to document discussions about cybersecurity and risk. Here are four factors to know — and what to do about them — that executives and security and risk professionals must account for when planning for the proposed rule’s implementation.
- Cybersecurity now directly links to financial performance. The days of implicit governance structures ends with this regulation. Explicit — and transparent — governance must become the norm. Language in the proposed rule intends to better inform investors about a registrant’s cyber risk management, strategy, and governance and to provide timely notification of material cybersecurity incidents.
What to do about it: Ensure cyber risk quantification across the enterprise. Cyber risk quantification tools already exist and continue gaining traction, but they require a level of quantitative knowledge and expertise that doesn’t exist in security teams and is rare among non-financial firms. This topic will require significant education for boards to fully understand what the numbers mean and what decisions to make based on them — and for CISOs to fully understand what investments to make and actions to take.
- Boards of directors will be directly responsible for cybersecurity. Boards of directors continued to embrace that their fiduciary duty includes cybersecurity due to the rising costs of a breach but mainly due to financial losses from business disruption and ransomware. This comes at a time when board members’ fiduciary responsibilities are getting a risk-based reinterpretation by the courts. In 2019, when Marchand (makers of Blue Bell ice cream) sued its board, the decision concluded that boards must “make a good faith effort to put in place a reasonable system of monitoring and reporting about the corporation’s central compliance risks.” The decision was upheld in 2021 against Boeing’s board, setting legal precedent for board members to be held responsible for matters related to risk and compliance.
What to do about it: Make cybersecurity risk disclosures and education a regular occurrence. Now, firms will have to “periodically disclose the board of directors’ cybersecurity expertise, if any, and its oversight of cybersecurity risk,” drawing a direct line from the CISO’s responsibilities and actions to the board. This regulation ends the practice of cybersecurity board theater by adding responsibility, accountability, and procedure. Firms that don’t already have a cybersecurity risk committee or don’t regularly educate board members on cybersecurity must begin doing so immediately.
- Greater focus on the financial impact of cybersecurity and a new Department of Justice (DOJ) policy will entice more whistleblower reporting. Cybersecurity cover-ups will be the new financial fraud, and we expect a slew of whistleblowers to come forward to disclose their current or former employers’ mishandling of and poor practices related to security, privacy, and data. Last summer, we blogged about whistleblowers from tech companies quitting in the loudest possible way and sounding alarms on the way out or shortly thereafter. A fresh update to the DOJ’s Criminal Division’s Corporate Enforcement Policy will offer companies “new, significant, and concrete incentives to self-disclose misconduct” and will be a major factor in deciding whether to charge an executive or a business.
What to do about it: Follow the regulation with trust in mind. This one is the easiest of all to execute on. Put simply, act with integrity and transparency when it comes to cybersecurity and risk issues. Yes, firms can assemble rationalizations over whether a cybersecurity issue is “material,” and some will. But the days of breach announcements being shameful events ended almost a decade ago. Cybersecurity matters, and now the SEC says that you can — and must — talk about it.
- Executive bonuses have a return policy if regulatory filings are misstated. In 2022, a new rule was passed that requires executives and board members to return bonuses if errors are found in their companies’ financial disclosures within three years of filing, even if they are not responsible for them. Public companies without mature cybersecurity programs will need to prioritize cyber risk quantification investment or risk losing their compensation.
What to do about it: Invest in cybersecurity. More CISOs than ever now report to CEOs. We expect the number to increase now that personal money is on the line. Poor cybersecurity practices or failure to disclose pertinent cybersecurity information now comes with the risks of a compensation clawback, which should make building cybersecurity business cases to justify investments quite a bit easier.