New SEC Cyber Rules Put Boards and Executives on Alert
Board and executive accountability around cyber risk has become Topic A for corporate leaders. Judith Germano, of NYU’s Center for Cybersecurity, unpacks the challenges.
In early March, the SEC proposed rule changes that would require public companies to provide enhanced disclosure about cybersecurity incidents, risk management, and strategy. The proposal has pushed companies and boards to contemplate how to prepare for this new scrutiny.
Some security experts say this kind of oversight—in a new era of more frequent and severe cyber threats—should become part of a suite of best practices for company executives.
Few cybersecurity leaders understand the public and private sector issues like Judith Germano. A former federal prosecutor and a distinguished fellow at NYU’s Center for Cybersecurity, as well as an adjunct professor at the university’s School of Law, Germano will lead an all-women expert panel on the topic on Tuesday, July 12, for NYU’s Women Leaders in Cybersecurity.
The panel will focus on increasing board and executive accountability on issues around cyber risk. It will feature top women cybersecurity leaders from the public and private sectors. Among them: Carolyn Welshhans, acting chief of the SEC’s Crypto Assets and Cyber Unit, and Jocelyn Hunter, vice president and deputy general counsel at The Home Depot.
Germano, founder of a boutique woman-owned-and-operated law firm that advises companies and boards on cybersecurity risk and strategy, federal enforcement and regulatory compliance, and criminal and civil investigations and litigation, spoke to Endpoint about the key lessons business and tech leaders need to learn about the evolving cybersecurity regulatory climate.
Why is it crucial that boards increase their oversight and involvement in cybersecurity?
Cybersecurity is one of the most critical issues facing companies today, impacting public health and safety, sensitive information, financial controls, and business operations. Cybersecurity must be a priority at the board and executive level for the benefit of the company and its stakeholders.
Over the past several years, we have seen increased accountability for boards in civil cases and regulatory enforcement actions. This underscores the need for boards to ensure the companies they oversee not only have the right cybersecurity protocols and protections in place but also are taking reasonable efforts to ensure they are being followed.
Can you explain the upcoming increased oversight of cybersecurity by the SEC? Why is this happening now? What can and should boards do to prepare?
In March 2022, the SEC proposed rules enhancing public companies’ disclosure requirements regarding cybersecurity risk management, strategy, governance, and incident reporting.
Those rules are still in the comment period and, as proposed, require, for example: filing a Form 8-K within four business days of a material cybersecurity incident; periodic disclosures on policies and procedures to identify and manage cybersecurity risks, management’s role in implementing cybersecurity policies and procedures, the board’s cybersecurity expertise and oversight of cybersecurity risk; and updates on previously reported incidents.
This is part of the trend we have seen over the past several years, of regulators and civil litigants calling for increased accountability of boards and senior management regarding cybersecurity.
To prepare, boards need to be well versed on cybersecurity risk and responsibility for their organization and industry and board-level best practices. This includes having board members and external advisers with cybersecurity expertise, regular updates on cybersecurity risks and incidents, and sufficient oversight and escalation protocols to understand management’s handle on ever-changing cybersecurity risk and strategy.
While boards should not be involved in day-to-day management activities of the company, they do need to understand that the teams who are responsible for cybersecurity at the company have the right expertise or sufficient external assistance and tools to properly manage cybersecurity. Boards need to oversee what the company is doing to prevent, detect, and respond to attacks, to reasonably assure themselves not only that plans and programs exist but also that they are followed. This is part of a board’s obligation under the business judgment rule.
Are there downsides to increased accountability and oversight by boards and executives on the issue of cybersecurity?
Cybersecurity is difficult, and the challenges are mutable. Responding to cybersecurity incidents includes many unknowns, variables, and fast-developing crisis response. It is important that courts, regulators, and civil litigants understand those challenges. All too often, companies and their leaders are judged after the fact—as if the event proceeded in slow motion—and that is often not a realistic lens. Unreasonable levels of accountability and oversight can risk reducing effective incident response.
Risks include delaying definitions of what is a material incident for fear of triggering a reporting event; exposing vulnerabilities in public filings before the impacted companies and individuals have been notified and given an opportunity to respond and address the vulnerability; publicly revealing to threat actors which companies are the softest targets; and undermining the needed trust for effective public-private partnerships in cybersecurity.
Also, if standards and levels of accountability extend beyond traditional, reasonable protections afforded boards for upholding their fiduciary duties, this would hinder good cybersecurity by reducing transparency at the board level, and also because the people best equipped to help companies navigate these issues may be less willing to serve on boards.
Do you have any examples of boards that have gotten this right? Or missteps or screwups?
There are numerous examples of boards and executive leadership teams who have gotten cybersecurity right—those are the ones not in the newspapers or public record. There also are many examples of missteps, where boards and executive teams have failed to prioritize cybersecurity, document good practices, or follow procedures. It is essential to have the right internal and external expertise before cybersecurity incidents occur, to identify, respond to, and learn from cybersecurity incidents. Good judgment, strong internal and external communications, and leadership skills are essential for effective cybersecurity incident response.
What is your goal with this event? What is your main theme and message? What do you want participants to learn? What are the key takeaways?
We are bringing together an interdisciplinary panel of experts from government, industry, and academia to explore key cybersecurity issues and challenges facing boards, executives, and their advisers.
Our panel includes experienced attorneys, corporate board members, a CISO, and an experienced SEC enforcement attorney who leads the SEC’s cyber unit. The panel brings together years of cybersecurity and business strategy expertise across multiple industry sectors.
Key takeaways include understanding current trends and risks impacting board and executive team responsibility, and best practices for managing those risks. We will discuss the recent proposed SEC cybersecurity guidance and its implications; cybersecurity best practices, including in the context of the business judgment rule and recent regulatory and civil actions; challenges including workforce limitations; and strategies for improving cybersecurity preparedness and response.
Another key takeaway is the importance of diversity of experience and perspectives, and identifying and cultivating cybersecurity talent from diverse pipelines. That is something we focus on with the Women Leaders in Cybersecurity program and at NYU’s Center
Let’s talk a bit more about women in cybersecurity. This is an all-women panel. Why is increased representation of women in leadership positions in cybersecurity so important?
I have had the honor to lead the Women Leaders in Cybersecurity program at NYU since 2016, bringing together leading women from government, industry, and academia for interdisciplinary discussions on critical cybersecurity issues.
Our website, womenleadersincybersecurity.org, shows our current and prior events and the many amazing women who have shared their expertise as part of these programs over the years and who are making cognizable differences to improve their organizations and the field.
Diverse expertise and backgrounds on boards, executive leadership teams, and in cybersecurity more broadly, are essential to achieve the best results not just in cybersecurity but also with regard to an organization’s ethics, strategy, leadership, and effective risk management. Effective cybersecurity is critical for organizations and government, and we need to develop, train, and promote diverse teams and leaders to address this program most effectively.