Two regulatory bodies have proposed new rules that hold corporate boards of directors more accountable for overseeing effective cybersecurity programs. The Securities and Exchange Commission’s (SEC) proposed rules cover most public companies, while the New York Department of Financial Services’ (NYDFS) proposed amendments target financial services firms registered in New York state. Both will significantly expand compliance obligations and may create legal risks for corporate boards of directors.
| | Comment period ends | |
|---|---|---|
| Publicly held companies | Jan. 18, 2023 | 180 days after adoption |
| Financial services firms licensed in NY state | Jan. 8, 2023 | 180 days after adoption |
The SEC proposed rule, titled Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, and the NYDFS proposed amendments, titled Cybersecurity Requirements for Financial Services Companies, will require that organizations disclose the cybersecurity expertise of board members and top executives as well as certify, in writing, the company’s cybersecurity and risk-management capabilities.
In proposing the changes, the regulators cited more frequent and pernicious cybersecurity incidents, high costs of response and remediation, risks of remote-work environments, and the ongoing drought of qualified tech workers. Another key factor: increasing reliance on third-party service providers that may have inadequate cybersecurity programs.
Today, boards should understand that cybersecurity is a sustained business risk that demands strong corporate governance; it’s not simply an IT concern. In fact, Gartner found that 88% of directors said that cybersecurity is a business risk, not an IT issue. Board proficiency and participation in cybersecurity issues signal that an organization views cybersecurity as a core business requirement that must be driven from the top down.
Boards play a critical role in how organizations consider and manage cyber-risks as part of their fiduciary and oversight responsibilities. Directors approve cybersecurity policies, oversee cyber-risk management, and verify regulatory compliance. These oversight obligations – amplified by the new proposed rules – demand considerably more conversance in cybersecurity and risk-management practices than many boards have.
Board implications of proposed SEC rules
The SEC proposed rules require that organizations determine what role is responsible for oversight of cybersecurity risk: the entire board, specific board members, or a board committee. Organizations must also disclose the processes used to communicate cybersecurity risks and the frequency of security discussions with the board.
The proposed changes mandate numerous new disclosures, including a statement of directors’ cybersecurity expertise, updates on previously reported incidents, and reliance on third-party service providers.
What’s more, the proposed rules require that SEC registrants publicly identify individual directors and describe the nature of their cybersecurity expertise, whether by work experience, certifications, or degrees. The goal is to identify whether there is a lack of cybersecurity expertise that can impede directors’ oversight capabilities and to provide an incentive to improve board cyber acumen.
The proposed changes also stipulate that SEC registrants must disclose material cybersecurity incidents within four business days of discovery. This brief timeframe will require that boards have processes for understanding when incidents occurred, the impact, and the resolution. Also required are disclosures in annual reports, proxy statements, and other information on Schedule 14C, which mandates disclosure on the cybersecurity expertise of board directors.
Under the proposed rules, businesses will also be obligated to make periodic disclosures of cyber-risk management to the board, individuals, or a committee that oversees cyber-risks. These disclosures include:
- The company’s cyber-risk management program
- Use of third-party service providers
- Adequacy of third parties’ risk-management process
- Whether business continuity and disaster recovery planning is in place as a resilience measure
- Cyber risks or incidents that affect operations or financial performance
- The impact of cyber-risks on the company’s business strategy, financial planning, and capital allocation
Risks and rewards of SEC proposed changes
The SEC proposed rules can potentially raise directors’ risks of litigation and may increase their personal liability for cybersecurity incidents. In addition to oversight of cybersecurity risk management, organizations should review their directors and officers (D&O) insurance policy to ensure their liability risks are adequately covered. Furthermore, given the frequency and widespread predictability of cybersecurity incidents, directors should consider bolstering their personal liability policy and negotiating specific coverage.
In addition, because few organizations can investigate and understand material impact conclusively in just four business days, the requirement to disclose material cybersecurity incidents within that window can create risks due to misstatements of cause and impact. Consider, for example, that forensic investigations into the root causes of incidents can take months to complete. As a result, businesses cannot immediately grasp the impact of cybersecurity incidents and may disclose false damages before the investigation is complete.
On the upside, the requirement to approve cybersecurity capabilities can motivate boards to engage independent third-party experts to validate their cyber-risk management program; and expanded board involvement can help instill and sustain an enterprise-wide culture of security.
NYDFS amendments for financial services firms
The amendments proposed by the NYDFS, which regulates financial services companies that operate in New York state, also aim to shift responsibility for governance and oversight of the cybersecurity program to boards and senior executives.
The amendments were designed to accelerate and refine reporting on material cybersecurity incidents, unauthorized privileged access, and incident impacts such as deployment of ransomware. They also call for tougher disclosures on extortion payments, due diligence of compliance programs, and investigative updates.
Under the proposed amendments, financial services firms will be required to implement and maintain a written cybersecurity policy that is approved annually by the board or a senior officer. They must also provide annual written certification supported by data that attests to compliance with NYDFS rules. If an organization fails to meet its compliance obligations, it should acknowledge non-compliance and demonstrate a good-faith commitment to remediate compliance deficiencies.
The proposed amendments take a more aggressive stance on incident reporting. Material cybersecurity impacts must be reported within 72 hours of discovery. Organizations must also describe whether the incident was caused by a third-party event, involved unauthorized access to privileged accounts, or deployed ransomware.
If a ransomware payment is made, firms must notify regulators within 24 hours. Within 30 days, businesses will need to explain why the extortion payment was made, what alternatives were considered, and their due diligence on compliance with rules such as those of the Office of Foreign Assets Control. Within 90 days of the notice of the cybersecurity incident, businesses must submit an investigative report to the NYDFS.
To help preserve business operations in the event of a cyberattack, organizations should update their business continuity and disaster recovery plans. Training should be provided for all stakeholders across functions.
Redefining CISO and board relationships
Implementation of these proposed regulatory changes will require that companies redefine and refine the working relationships among the board and chief information security officers (CISOs).
The CISO should be elevated from a technology role that is seen as a cost center to one that focuses on protecting company assets and addressing business risks. Security leaders should be empowered with adequate authority and agency to manage cyber-risks in a security program that is sufficiently funded. It’s also important to foster collaborative and cooperative relationships among CISOs and boards. The two factions should share a single goal: building resilience to cyber-risks.
Creating collaboration among CISOs and boards will require training, coaching, and mentoring for both directors and security leaders. Also necessary will be a common, non-technical language that simplifies discussion of complex cyber-risks and security. CISOs will need to learn to speak in business terms that the board and executives understand. Directors, for their part, should understand their cybersecurity responsibilities in a real-world context. Board participation in data-breach tabletop exercises with management and security leaders is one of the best ways to crystalize individual cybersecurity responsibilities.
Taken together, these measures can increase autonomy for the CISO, and that can be critical to retaining security leaders. Thanks to burnout, blame, and budget, the average tenure of a CISO is a fleeting 18 months. The tech talent gap, meanwhile, is making it increasingly difficult to replace security leaders.
Strong governance and board leadership are critical to effective cybersecurity. The proposed regulatory changes will broaden the governance and oversight responsibilities of boards, force them to close the “knowledge gap”, and compel them to engage more effectively with security officers. While the new proposed rules are tough, compliance will help organizations build a resilient cybersecurity program and reduce risk.