Good Practice is now the law: Preparing for the new SEC Rules for Board-level Cybersecurity Expertise

By Neil H. Simon

The Securities and Exchange Commission’s July surprise, dropping new cybersecurity rules earlier than anticipated, is likely interrupting summer reading plans for corporate counselors and risk managers the world over.

The new rules – including the requirement that firms demonstrate they have cybersecurity expertise on their board and a four-day timeline to report significant incidents to the government – will make many U.S. companies rethink their cybersecurity preparedness and processes.

While the new rules may promote positive change, those who view cyber risks through a lens of compliance only will fail to make their institutions more secure.

The most forward-thinking business leaders embrace cybersecurity experts not as a regulatory obligation but as a strategic imperative to safeguard the company.

The new rule’s requirement for periodic reporting of certain cybersecurity governance practices should inspire corporate boards to pick those risk plans off the proverbial shelf more often – run them through a tabletop, test them, and revise them.

And the rule’s requirement that cybersecurity policies and procedures be tailored to the entity’s nature and scope of business just may prevent firms from doing wholesale copy-paste jobs from the NIST templates and pretending it’s a perfect fit for their sector.

At Resolute, we work with some of the largest insurers and law firms to help clients before, during, and after significant cyber incidents. We’ve seen first-hand the immediate damage and reputational loss suffered by clients that lack mature incident response and recovery procedures.

With the SEC now requiring firms to report the process they have in place to assess cybersecurity threats and how their board of directors oversees cybersecurity threats, there is hope that more firms will strengthen those processes.

The challenge to business leaders in the wake of this week’s new SEC rules is to avoid rushing the creation of these procedures, which depend on a great deal of cross-functional input to be effective.

A few years ago, I helped create Gartner’s cybersecurity leadership academy curriculum and worked on collaborative fora with dozens of Fortune 500 CISOs and CIOs. Invariably, two things would come up in these conversations: the challenge of communicating threats across the organization, and the challenge of communicating them, ultimately, to the board.

There has always been a glaring gap in boardrooms concerning tech fluency and cybersecurity expertise. This hinders decision-making in the face of cybersecurity threats, but the default practice of up-leveling a CIO or CISO is not enough. The new rules will likely generate a flood of recruitment effort for unicorn-like talent who have the hard skills to prevent and detect cybercrime and the soft skills of business vision, leadership, and relationship building to be the new board members the SEC requires.

Those who look to appoint cyber experts to their board have an opportunity to do more than comply with new regulations through these appointments. By allocating sufficient time for discussions on cyber risk and ensuring repeat exposure to cyber-related matters through tabletop exercises and other trainings, firms can seize this moment to build resilience into their firms.

For those who feel daunted by the demand to create or recreate incident response plans, the NIST Framework and CISA Cyber Essentials Starter Kit can jumpstart those efforts. They provide a structured approach to managing cybersecurity risks and incidents, ensuring that businesses have robust defenses in place. By embracing these frameworks and seeking guidance from cybersecurity experts, your board can proactively enhance its cyber-risk management. Without these processes – and practicing using them – it will be that much harder to secure the enterprise and comply with the SEC’s shorter-term reporting requirements.

So, even if the SEC’s summer rule drop caught you by surprise, being proactive now will help you avoid the worse surprise later – the very likely actual breach.

Closing the gap in cybersecurity expertise and communication within the boardroom will enable your organization to navigate the ever-evolving cyber threats successfully, regardless of the regulatory climate. The time to act is now – investing in cybersecurity expertise on your board is an investment in the future security and prosperity of your business.

Neil Simon is executive vice president at Resolute Strategic Services, a cybersecurity incident response and reputation management firm. He is based in Portland, Ore.