In March 2022, the U.S. Securities and Exchange Commission (SEC) issued a proposed rule, the Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, that, if adopted, would require companies to disclose their cybersecurity governance capabilities and the role of the board concerning oversight of cyber risk.

In this two-part series, we will cover what the proposed regulation will require from an organization regarding reporting on and preparing for cybersecurity incidents and a detailed plan on how CISOs can prepare their board members for the change.

What is the SEC’s Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure?

The SEC intends for this rule to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and cybersecurity incident reporting by public companies subject to the reporting requirements of the Securities Exchange Act of 1934. The SEC opened a second 60-day comment period on the proposal in March 2023. So far, the SEC has not issued a final ruling.

If adopted as is, the SEC’s rule would put in place a bevy of new instructions requiring periodic disclosures about a registrant’s policies and procedures to identify and manage cybersecurity risks, management’s role in implementing cybersecurity policies and procedures, and the board of directors’ cybersecurity expertise, if any, and its oversight of cybersecurity risk.

Additionally, the proposed rules would require registrants to provide updates about previously reported cybersecurity incidents in their periodic reports. Further, the proposed rules would require organizations to present cybersecurity disclosures in Inline eXtensible Business Reporting Language, a common language in which reporting terms can be authoritatively defined.

These changes will require CISOs to prepare their board of directors, so their organization is in compliance when the changes go into effect.

In many cases, a CISO will have their work cut out for them as, until recently, few boards of directors knew much about cybersecurity risks, let alone took an active interest in the topic. That mindset has changed dramatically in recent years. Overall, board members are confident they understand the threat landscape, prioritize cybersecurity appropriately, and have invested enough to keep their organizations safe. Still, in light of rising rates of cyberattacks and differing and sometimes conflicting opinions among CISOs, this optimism may be misplaced.

Bridging the disconnect is vital. CISOs and the wider board need open lines of communication. But often, boards relentlessly focus on the bottom line, and CISOs are mired in technical language. Over time, effective business-first communication gives way to muddled perceptions and misaligned priorities.

At a time when we are more connected and digitally reliant than ever, this board-CISO relationship has never been more important. It has also never been more challenging.

To protect people, instill data security, and ensure continued organizational success, CISOs must communicate effectively with their boards. That means putting threats in perspective, fostering collaboration, and driving accountability. At the same time, board members need to work to understand how cybersecurity risks can affect their organizations’ business goals.

The Board’s Current State of Understanding Cybersecurity

According to the report “Cybersecurity: The 2022 Board Perspective”, 10% of businesses with more than 5,000 employees do not have a dedicated CISO overseeing cyber strategy.

In the same report, the interaction between CISOs and their board appears to be an area for attention and improvement. Just half of board members regularly interact with their CISO; around a third say, they see the CISO only when the latter is presenting to the board. While 73% say these presentations occur regularly, this may not be enough.

Bringing the CISO into the boardroom on a regular basis, and not just for presentations, shows that cybersecurity is a priority of the board. Board priorities have a trickledown effect on the entire organization.

What the SEC Proposal Would Require

The SEC will soon require companies to disclose their cybersecurity governance capabilities, including the board’s oversight of cyber risk, a description of management’s role in assessing and managing cyber risks, the relevant expertise of such management, and management’s role in implementing the registrant’s cybersecurity policies, procedures, and strategies.

The SEC’s reasoning behind this proposal is quite logical. The Commission believes public company investors and other participants in the capital markets depend on companies’ use of secure and reliable information systems to conduct their businesses.

A significant and increasing amount of the world’s economic activities occur through digital technology and electronic communications, which require them to take place in a secure environment. This change means those working with or investing in public companies must know that the leadership is up to speed on cybersecurity and quickly and properly relays any and all sensitive information regarding a cyberattack.

The SEC will require, where pertinent board oversight and SEC registrants will be required to disclose:

• Whether the entire board, a specific board member, or a board committee is responsible for the oversight of cyber risks
• The processes by which the security teams inform the board about cyber risks and the frequency of its discussions on this topic
• Whether and how the board or specified board committee considers cyber risks as part of its business strategy, risk management, and financial oversight.

The next step is preparing the board for the SEC’s proposal. Please see Part Two for a full list of steps CISOs should undertake.