A few weeks back, we explored whether CISOs belong in the boardroom in a timely thought-leadership piece featuring insights from former Fortune 100 CISO Rich Baich. The piece discussed the criticality of the CISO today in modeling organizational risk and properly communicating and prioritizing cybersecurity in conjunction with the board. Now, the U.S. Securities and Exchange Commission (SEC) is suggesting it as well.

With the mission to “maintain fair, orderly, and efficient markets; and facilitate capital formation,” the SEC has been known to make timely regulatory changes to ensure organizations adequately protect investors. A well-known example of this is the Sarbenes-Oxley Act (SOX), which went into effect about 20 years ago. This legislation was established to improve the auditing and public disclosure practices of organizations. In an attempt to enforce the legislation, the SEC introduced regulations that required financial and accounting expertise on an organization’s corporate board of directors.  

Now, the SEC appears to be making cybersecurity a priority on its agenda. Specifically, there has been a focus on potential amendments to include reporting requirements for cybersecurity incidents, current policies around managing cyber risk, and cybersecurity representation at the board level. Such disclosure would ensure investors are well informed on an organization’s cybersecurity strategy and are given timely notification of cyber incidents. In this blog, we will discuss how the recent SEC cybersecurity recommendations surrounding reporting requirements, specifically board expertise, may impact organizations moving forward.

Cybersecurity’s Seat

The cybersecurity buzz made it to Washington D.C. with President Biden’s Executive Order 14028, “Improving the Nation’s Cybersecurity” in May of last year. Building on concerns surrounding the increasingly persistent and sophisticated nature of cyberattacks, the executive order acknowledged the need to improve our nation’s cybersecurity and detailed additional efforts necessary to properly identify, detect, and respond to cyber threats. Combined with the recent global headlines around cyber warfare, this executive order brought security to the forefront of many boardrooms as organizations struggle to both understand and protect themselves from cyber threats. 

In response to this executive order, the SEC followed up with a proposal for amending disclosure and reporting requirements surrounding cybersecurity risk management, strategy, governance, and incident disclosure. The recommendations include a push for a change in the composition of an organization’s corporate board of directors, foreshadowing a potential amendment to current disclosure requirements in Regulation S-K. This would update the disclosure of material qualitative descriptors required of companies that file with the SEC to provide “the board of directors’ cybersecurity expertise, if any, and its oversight of cybersecurity risk” when filing. 

The SEC’s recommendations seem to align with the general public sentiment regarding the importance of cybersecurity representation on the board. There has been a dramatic increase in the share of board members with cybersecurity experience, jumping from just 8% in 2020 to 17% in 2021. Amendments to current disclosure and reporting requirements by the SEC could go a long way in encouraging other organizations to comply with the trend.  

So What?

This is not the first time organizations have gotten strong recommendations to include a seat for cybersecurity on their board of directors. In January of 2014, the National Association of Corporate Directors released a report on cybersecurity and its implications in the boardroom. This inaugural recommendation urged the board to look at cyber risk as its own risk with its own set of oversight. Now, with the SEC building on those recommendations eight years later, the suggestion is backed by significantly more weight.  

While it’s difficult to fully predict the degree to which the SECs recommendations, or future regulation, will affect businesses, there are some potential downstream effects for various business units. 

• From an insurance perspective, cyber insurance providers may begin to require proof of cyber experience on the board in order to provide coverage. If deemed a requirement, failure to have cybersecurity board representation could result in an organization being denied coverage or facing increased premiums. 
• From an audit perspective, the SEC’s recommendations could impact system and organization controls (SOC) audit reporting requirements. SOC 1, SOC 2, and SOC 3 certifications could be adjusted to require board expertise. These audits could also be updated to require that board meetings explicitly discuss cybersecurity.  

In an effort to prepare for these outcomes, organizations may consider adding cyber experience to the board in advance of any requirements and proactively thinking about other aspects of security that are important at the board- and business-reporting level. This approach will ensure any outcomes from the recommendations or potential regulations will not negatively impact the security program as a whole nor impact the organization at the business level.  

Beyond the board’s cyber expertise, investing in security control validation technology to ensure compliance with regulatory requirements can provide an additional level of assurance to organizations when it comes to cybersecurity and compliance. Breach and attack simulation (BAS) technology can serve organizations well in this area by continuously validating control effectiveness and enabling clear, concise reporting to the board, SEC, auditors, insurance providers, and others about which controls are in compliance. Specifically, such results are imperative for organizations conducting SOC 2 reports that require organizations to test their efficacy of controls over time. This reporting content can also aid organizations just beginning their journey to adding cybersecurity to boardroom conversations, minimizing the otherwise seemingly daunting task.

If you’re interested in exploring how BAS technology can help demonstrate the effectiveness of your organization’s controls and quickly provide that information to the board and regulatory agencies, reach out to a SafeBreach expert today.