With companies in virtually every industry facing persistent and increasing cyber security threats, federal regulators are taking steps to protect customers and investors. In March, the SEC proposed new cyber security transparency rules that would require publicly traded companies to disclose, among other things, the cyber security expertise—or lack thereof—among their board members. This is despite the evidence that it is a recognized risk within businesses. The Systematic Risk Survey 2022 H1 conducted by the Bank of England, published in March 2022, highlighted that “cyberattack” remains the most cited risk to the UK financial system by respondents in addition to being the most challenging risk if it were to materialize.1
Ensuring corporate boards have the right skillsets to assess and respond to cyber risks is key. The same is true of the other elements of the SEC proposal. However, for companies looking to enhance their cyber security protocols and keep pace with current threats, having an effective framework and governance approach to cyber risk is just as important. Fortunately, there are practical steps corporate managers can take to bring these dimensions together.
The SEC Proposal
For some time, experts have been warning businesses to better secure their data against a variety of cyber threats. In recent years, many companies have taken appropriate steps to prevent or mitigate the damage of cyberattacks. But, at the systemic level, these efforts continue to fall short, despite experts warning that corporate governance matters, when it comes to cyber risk.
In 2021, Kroll released the State of Incident Response report, in which 400 information security and 100 legal and compliance leaders assessed the state of cyber incident response from both a technical and legal perspective. The survey produced several sobering data points. For example, only about half of the surveyed organizations conducted regular security readiness exercises that involved corporate leadership. Roughly, the same number of companies’ information security teams were unsure about when to engage legal counsel when responding to a cyber incident.
The SEC started issuing guidance on cyber security disclosures in 2011, expanding and reinforcing that guidance in 2018, following which Kroll published a series of steps for boards to take a more effective approach to cyber risk mitigation. The regulator’s approach has since shifted from offering guidelines to more prescriptive measures, culminating in the rule proposed earlier this year.
This shift is not surprising when we look at the recent evolution of the cyber risk landscape. Today, the businesses have to deal with an array of cyber issues, like the proliferation of ransomware and vulnerabilities in third-party solutions and providers (e.g., SolarWinds and Log4J). They also have to shift policies to keep up with tightening data privacy regulations in foreign jurisdictions and the shift toward remote work, cloud services and digitization driven by the COVID-19 pandemic.
Noting that “cyber security is among the most critical governance-related issues for investors,” the SEC’s proposal would require more timely and consistent disclosure of:
- Cyber security expertise among board members
- Material cyber security incidents (within four business days of classifying an incident as material)
- Risk management strategy (including oversight of key third parties)
Other Regulatory Requirements
Indeed, it is not only the SEC who is giving particular focus on this subject matter; globally, we have seen regulators in many jurisdictions (albeit predominately in financial services) push the agenda in strengthening board-level focus on cyber security. Some examples include:
- Australia: ASIC Report 429 Cyber Resilience Health Check–to help improve financial institutions’ cyber resilience, including board engagement on cyber security strategy
- India: The Reserve Bank of India June 2016 Circular on Cyber Security Frameworks in Banks – encouraging board and management level oversight and commitment of cyber security
- Singapore: MAS Circular No. SRD TR 03/2015 Technology Risk and Cyber Security Training for Boards – expectations that board take responsibility for technology risk and cyber security
- Malaysia: Bank Negara Risk Management in Technology BNM/RH/PD 028-98 framework - to promote effective technology discussions at the board level, to ensure the composition of the board and the designated board-level committee should include at least a member with technology experience and competencies
- The UK: FCA PS21/3 “Building operational resilience” came into force on March 31, 2022, after a period of consultation. It requires firms to perform mapping and testing so that they “are able to remain within impact tolerances for each important business service.” The scope of this activity is large, however, the definition of intolerable harm specifically highlights “any loss of confidentiality, integrity or availability of data.”
- EU: European Banking Authority Guidelines on information and communication technology (ICT) and security risk management specifies the need to determine a risk appetite and then assess risk against it, using formalized ICT and security risk management framework, policies and related testing of these frameworks.
An Effective Framework
Cyber security can be complex and difficult to manage, with real world risk impact—potentially impacting stock price; hence, it is crucial that boards have transparency, assurance and capability to understand and respond to these types of risks.
Kroll has developed an end-to-end framework to help companies of all sizes and sectors to better acclimate their boards to the operations of their individual cyber risk programs. Depending on the current maturity, organizations may elect to focus on specific parts of the framework or implement these standards across the board.
The framework consists of four major components. To better understand how they interact to improve board-level cyber capabilities, it is helpful to examine each component in detail.
Board members need to be aware of the threat environment and have suitable governance solutions in place to drive their company’s agenda on cyber security. At a minimum, cyber risks should be a frequent agenda item at the board level, preferably delivered by the CISO themselves. While this is necessary, , board members often need to be reminded repeatedly.
In our experience, board members benefit greatly from participation in workshop sessions that describe the organization’s most valuable assets and identify the most prominent cyber threats that can impact these assets. This type of hands-on assessment increases awareness among board members and C-level participants and drives their interest in the operations of their company’s cyber risk program.
When establishing a system for managing cyber risks, it is essential for companies to have interest and buy-in at the board level. The National Institute of Science and Technology’s (NIST) cyber security framework (CSF) offers a comprehensive approach to risk management that utilizes language and terminology to demonstrate its importance to board members regardless of their level of cyber expertise. However, we’ve found that a wholesale application of a risk management framework—whether it is the CSF or some other established system—is often suboptimal. Instead, the implementation is more effective when it goes through a series of customizations in order to fit the unique culture, strategy, operations and posture of the company. This provides important opportunities for a CISO to demonstrate their change management skills. Working with and gathering feedback from across the company’s C-level and relevant board committees can help produce a risk management framework that has broad management support.
Now is the stage to develop strategic improvement plans that will address the key risks identified in the initial assessment. At Kroll, we typically recommend a three-year plan with an approach that is consistent with the organization’s other risk mitigation priorities. This stage provides another unique opportunity for a company’s CISO to demonstrate transparency to the board. The last question any CISO wants to hear from the board during a major cyber incident is “Why did we not invest in that improvement before now?” From the outset, board members should be clear on the biggest cyber risks the company faces and the expected results and timeline of any proposed solutions.
Many expect this to be the simplest element of the framework. But we often see it go badly. In most industries, a board will have, at best, one or two members with a firm grasp of cyber security issues and concerns. It is difficult for a CISO to ensure the message is compelling for the majority of board members who do not have an extensive background or knowledge of cyber risks. We have seen cases where plans and assessments were simply far too granular or technical (e.g., including a detailed list of vulnerabilities on one particular server) and others that were too broad to be informative (e.g., boiling all cyber risk topics to a single operational-risk metric).
A critical factor for successful reporting to a board is having a presentation that is quantifiable, actionable and forward-looking. To accomplish this, presenters should apply leading indicators, state the risks in financial or reputational terms, and appeal to customers’ views on any related cyber risk. Essentially, the challenge of the CISO is to answer the “so what question” for business executives in a language that they understand.
With its latest proposal, the SEC is clearly looking for ways to increase the board-level focus on cyber security issues. We see this as a good thing. Companies with boards that are increasingly savvy and interested in cyber capabilities will elevate these issues and make them become a prominent internal focus. This will, in turn, elevate the role of the CISO as companies look to ensure their C-level and board agendas devote more time, attention and resources to address critical needs. All of this is a major step in the right direction.
1Systemic Risk Survey Results - 2022 H1 | Bank of England