When it comes to cybersecurity, the buck stops with the board.
That’s the message the U.S. Securities and Exchange Commission (SEC) sent on March 9, 2022, when it unveiled proposed new rules mandating heightened disclosure of cyber-risk governance and incident reporting in regulatory filings.
The agency’s impetus? The number and cost of massive cyberbreaches is soaring, and so are shareholders’ expectations for transparency.
While the SEC is still in the process of finalizing the new rules, one thing is clear: The agency will soon require boards to disclose an unprecedented level of detail about their security governance each year, as well as if and when a significant breach occurs.
Notably, directors will have to report who “owns” oversight—an existing committee like audit or risk, a new cybersecurity committee, or the full board—and how that oversight is conducted. The impending regulations are turning up the heat on boards to not only reassess their oversight structure, but also to reimagine the composition of the board itself.
To prepare for the shifting regulatory landscape, following are four cybersecurity governance questions boards should put high on their agenda.
1. Should the board add a cybersecurity expert?
Today, cybersecurity expertise on boards is more the exception than the rule. Only 34% of S&P 500 companies have a cybersecurity expert seated on their board, according to the Center of Audit Quality.
The SEC’s new rules would require that companies report who on the board, if anyone, has cybersecurity expertise. It is not a mandate to add an expert to oversee cyber-risk so much as a move to give investors transparency into the board’s oversight capabilities.
If you’re looking for a CISO for your board, you’re going to have a hard time finding one because they’re really in demand.
Regardless, should boards seek out a cyber-risk expert to add to their roster? Many intend to do so: In 2021, 65% of boards said that cybersecurity is an area of expertise sought on the board, up from 36% in 2018, according to an Ernst & Young report.
The search may be difficult. “If you’re looking for a CISO for your board, you’re going to have a hard time finding one because they’re really in demand and they’re in short supply,” says Carolyn Frantz, co-head of the public companies group at technology law firm Orrick.
Frantz points out that, should you find a CISO candidate, “they also have to have a broad range of skills that add value to your board. You don’t want to put someone on your board only because they have one skill.”
Another pitfall that boards should consider is that the board may lean too hard on an “expert” as an excuse to abrogate its own oversight responsibility, warns Joe Nocera, a partner in cyber-risk and regulatory marketing at PricewaterhouseCoopers (PwC).
“I’ve been in board meetings where they have a director with cybersecurity experience and the rest of the board tends to defer to them on every topic,” says Nocera, who sits on several nonprofit boards himself. “It’s like, ‘Oh, Sally used to work for a cybersecurity company, so I don’t have to worry about that.’”
One area where an expert can really add value, Nocera advises, is in raising the IQ of the board. Experts can encourage directors to get training through programs such as the cybersecurity certification course offered by the National Association of Corporate Directors (NACD). (To date, only about 700 of its 23,000 members have earned certificates.)
Note that the SEC specifically included this in its proposal: “We do not intend for the identification of a cybersecurity expert on the board to decrease the duties and obligations or liability of other board members.”
Put another way: While adding a director with cybersecurity expertise to the board will be valuable for oversight in general, ultimately the burden—and liability—for oversight rests on the shoulders of the full board.
2. Which board committee should “own” cybersecurity?
Today, more than two out of three boards (66%) assign responsibility for cybersecurity oversight to their audit committee, according to a 2021 survey from the Deloitte Center for Board Effectiveness, conducted in partnership with the Society for Corporate Governance. Of those surveyed, 15% assign responsibility to the risk committee. Only 9% assign responsibility to a dedicated cybersecurity committee, Deloitte found.
Cybersecurity is primarily a risk management challenge. There’s no such thing as perfect security.
“Just because the majority does it, doesn’t mean it’s the right answer,” says Nocera. “We’ve found that organizations that oversee cybersecurity within a risk committee do the best job of managing the risk.”
The case for the risk committee over the audit committee? Audit committees’ to-do lists are already overstuffed with oversight of financial reporting and internal controls, data privacy, ethics and compliance issues, and more. As cybersecurity becomes an ever larger business risk, committee members may have limited bandwidth to devote to governance.
“Cybersecurity is primarily a risk management challenge,” Nocera says. “There’s no such thing as perfect security. The question is, How much risk are we willing to accept and are we within tolerance of our current risk appetite? ”
3. Should the board establish a cybersecurity committee?
Boards may choose to skip the audit and risk committees altogether in coming years, according to advisory giant Gartner, which projects that the number of boards with dedicated cybersecurity committees will quadruple within five years, rising from 10% in 2021 to 40% by 2025.
Gartner made its prediction in January 2021, and the SEC’s proposal may bolster the case for segmenting cybersecurity oversight from other committee functions—particularly its requirement that companies file a Form 8-K with the SEC within four business days of a material “cybersecurity incident.”
“Companies have minor malware or phishing attacks every day,” notes Nocera. “It’s impractical to brief the board on every one of those incidents. The board needs to establish criteria around what the SEC might consider “material,” including what kinds of incidents would require an out-of-schedule board meeting.”
Assessing the materiality of cyber incidents, including when such incidents need to be escalated to the attention of the full board, could and should be the responsibility of a cybersecurity committee, suggests James Turgal, vice president at cyber advisory and solutions firm Optiv.
Turgal recommends that such a committee follow “a hybrid model” and include C-suite leaders, audit committee members, and cyber-educated board members who can align the company’s cybersecurity strategy and governance processes to the SEC’s new disclosure requirements.
4. How often should the committee brief the full board?
For many boards today, cybersecurity lands on the agenda only once a year. Nearly 77% of private companies say that it is addressed annually, as it is at 40% of large-cap and 52% of mid-cap companies, according to Deloitte.
Is once a year enough for rigorous oversight? Not according to Nocera, who recommends that a committee brief the board on cybersecurity issues six times a year, or at least once a quarter, even for companies that don’t deem themselves at high risk.
These briefings should not only address the pressing cyber-risks of the moment, but also multiyear strategic plans; incident response, business recovery, and public relations plans; cyber training and literacy among management and employees; and the organization’s overall cybersecurity maturity and resilience.
Getting back to basics
Turgal agrees that board education about current and evolving cyber threats, in plain language, is a necessity for effective oversight. “Board members are required to ask the hard questions and challenge the C-suite to drive and protect shareholder value,” he says. “Without a foundation, you don’t know what you don’t know.”
And at this point, board members agree they don’t know enough. Only 33% of directors think their board understands their company’s cyber vulnerabilities, according to a PwC survey—a huge hurdle to providing adequate governance.
Therefore, the first step toward effective oversight, especially in light of the coming SEC regulations, may not be for directors to add a cybersecurity expert, establish a cybersecurity committee, or even add more briefings of the full board.
Initially, they can and should gain a grounding in cybersecurity basics so they can not only ask the right questions but also understand the answers.