ARTICLE | July 07, 2022
Authored by RSM US LLP
For more information, contact William Prohn at email@example.com.
The U.S. Securities and Exchange Commission (SEC) has proposed amendments to its cybersecurity rules for public companies, aiming to strengthen cybersecurity oversight, governance and incident disclosure. The proposed rules would enhance cybersecurity protocols and require some boards to make structural and cultural changes to address governance gaps and vulnerabilities.
A governance gap between boards and cybersecurity leadership
Similar to the Cyber Incident Reporting for Critical Infrastructure Act of 2022, or CIRCIA, the proposed amendments seek to bridge the common disconnect between boards and cybersecurity leadership. While boards are typically composed of seasoned business leaders, cybersecurity expertise is often lacking. Although it is increasingly common for an organization’s chief information security officer to brief the board on a quarterly basis, the CISO often reports with a technical perspective that members may not completely understand, let alone know how to evaluate in the context of other corporate governance needs.
To close this gap, boards must increase their oversight and develop a governance culture which elevates cybersecurity throughout the enterprise and treats it like any other business risk.
Rod Hackman, Board member
In addition, board communication is often limited to affirming technologies previously implemented or reviewing key performance indicators on issues already addressed—while downplaying potential risk to organizational assets. These gaps in board communication can lead members to ask cybersecurity leadership the wrong questions and make ineffective requests and recommendations, exacerbating risks to the business.
“To close this gap, boards must increase their oversight and develop a governance culture which elevates cybersecurity throughout the enterprise and treats it like any other business risk,” says Rod Hackman, a member of the board of directors of an SEC-reporting company who leads the board’s cybersecurity oversight function. “Until the board and CISO meet in the middle and begin to speak the language of business, and understand cybersecurity as a business risk, effective governance will continue to suffer.”
Boards must also understand that the SEC proposed amendments are not exclusive and other legislation, such as CIRCIA, may have overlapping disclosure requirements for some organizations–which can create conflicting reporting directives.
Practical actions for boards to close the gap
To ensure cybersecurity is a priority for both your board and your management team, communication between the groups must be focused and transparent. Boards should reject the preconceived notion that cybersecurity is too difficult to deal with. According to Hackman, “The first step toward better governance is to engage management and likely outside advisors to arrive at a common understanding of how the business works by identifying and mapping all operational and support elements of the business, both internal and external. What are the most important assets, and how do they interact? What threatens them? How will the business respond if threats are realized?”
Assets, in this context, relate to a myriad of aspects that comprise the organization, including the:
- Value of its data, both structured and unstructured
- Efficacy of its processes, particularly those that contribute to customer experience
- Safety of employees, products and in some cases, customers
- Availability of products and services
Cybersecurity threats affect a complex array of organizational assets that businesses often don’t appreciate in totality due to the failure to align information, such as:
- Process flows for financial compliance
- Business capability models as a basis for broad technological change
- Asset registries for compliance
- Network topologies to support IT management activities
Disclosing details of a material cybersecurity incident during an active investigation will present new challenges, including:
- Establishing materiality of the cyber incident to determine if disclosure is warranted
- Getting a clear understanding of what information will be disclosed and to whom
- Ascertaining if critical company data was improperly accessed, stolen or altered in any way
- Having appropriate expertise on the company board to provide oversight
Mapping cyber risk to organizational assets greatly enhances a board’s ability to provide better oversight and gives the board peace of mind knowing investments in cybersecurity are effective and align with business objectives.
Steps your board can take to address gaps in communication and governance within your organization include:
Determine organizational perceptions of cybersecurity. A secure organization is increasingly a stated desired outcome in organizational strategy. Board members should gather information to assess whether cybersecurity is a shared objective among executive management—not merely the concern of a security or IT department. A board should also understand on what basis management determines the resiliency and security of the organization’s assets.
Obtain a full understanding of your organizational assets. Board members should request a consolidation and summary of organizational assets from management, assessed by business impact and reconciled to security control/framework(s). This information will help the board and management develop a common understanding of cybersecurity and provide both groups with insight into the organization and its underlying technology. This analysis promotes ownership by both the board and management because it creates a complete picture of the enterprise. The potential cost of misunderstanding the risk environment compels a high level of visibility and transparency.
Gain clarity on cyber disclosure requirements for your organization. Board members should understand and challenge management’s procedures for assessing the materiality of a cyber incident along with the process of disclosing suitable information within 72 hours. The process should ensure understanding of competing disclosure requirements of multiple regulatory authorities and consider the risk of disclosing inaccurate information.
Achieving these objectives will require a substantial commitment from many boards, and potentially a change in board culture. Companies should also anticipate additional expenditures on internal and external resources to meaningfully address the SEC’s proposed requirements if they are enacted. On the upside, board members can anticipate better visibility into cybersecurity risks, and management teams can address those risks more proactively.
“Regulators and the marketplace are forcing change to close the cybersecurity governance gap. The days of simply attending a board meeting four times a year after reviewing board materials prepared by management are over,” says Hackman.
Boards often do not have a grasp on the risks that cybersecurity poses to the business—and delegating cybersecurity management solely to the IT department does not work anymore. Without an effective framework in place, many boards may be unprepared for a cyberattack. Your board should proactively evaluate and adjust its processes to ensure full insight into cybersecurity risks and their potential effect on investors.
The good news is, although it is complicated and oversight is challenging, cybersecurity is manageable if your board is open to better understanding it and is willing to dedicate the resources to support it.
This article was written by Matt Franko, Rick Shriner and originally appeared on 2022-07-07.
2022 RSM US LLP. All rights reserved.
RSM US Alliance provides its members with access to resources of RSM US LLP. RSM US Alliance member firms are separate and independent businesses and legal entities that are responsible for their own acts and omissions, and each are separate and independent from RSM US LLP. RSM US LLP is the U.S. member firm of RSM International, a global network of independent audit, tax, and consulting firms. Members of RSM US Alliance have access to RSM International resources through RSM US LLP but are not member firms of RSM International. Visit rsmus.com/aboutus for more information regarding RSM US LLP and RSM International. The RSM(tm) brandmark is used under license by RSM US LLP. RSM US Alliance products and services are proprietary to RSM US LLP.
For more information, contact
William Prohn CISSP, CISA, CGEIT, CRISC, CMMC-AB RP
Bill oversees all aspects of information technology for the firm, and provides consulting services to a wide spectrum of Dopkins’ clients. He has over 30 years of experience in accounting and business information systems. His specific interests include creating meaningful, practical management information using computer technologies, and the security of business information and systems.