How the SEC has elevated cyber governance: What boards should know

Competently overseeing cybersecurity risk and management is now a fiduciary duty of care, requiring both proactive and reactive disclosures.


If the great majority of today’s corporate assets are digital, and nearly all of them are managed and protected by digital systems, then our corporate world is, well, digital. And if AI-assisted threat actors are compromising those digital systems at scale, with little regard for the size or sector of the target, then cybersecurity risk is our most formidable and ubiquitous enterprise risk.

It makes sense. Every digital asset is exposed to the AI-accelerated efforts of threat actors using sophisticated tradecraft against the data itself and the systems that host it. Reach the systems and the data and you can bring the organization to its knees.

That’s why the SEC treats the disclosure of material cybersecurity risks – and of how management and the board assess those risks and oversee the cybersecurity program – as critical to investors’ decisions. It is also why a material cyber incident must now be disclosed on Form 8-K (Item 1.05) within four business days of the company determining that the incident is material. Note that the clock starts at the materiality determination, not at discovery of the incident, so the materiality process itself needs to be documented and run without unreasonable delay.

This two-sided view of cyber risk, requiring both proactive and reactive disclosures, elevates cybersecurity governance from the Office of the CISO right into the laps of management and the board. It forces companies to align the forward-looking material risks they disclose in their annual reports on Form 10-K (the risk management, strategy, and governance disclosures required by Regulation S-K Item 106) and in their quarterly 10-Qs with how they disclose material incidents in 8-Ks, because SEC enforcement actions can bite from both sides.

If, say, a material supply chain cyber risk was not disclosed to investors, and that risk turned out to be the root cause of a material breach, the SEC will want to understand whether the risk that was exploited should have been disclosed beforehand, and whether the company’s disclosure controls could reasonably have surfaced it.

SEC cybersecurity compliance therefore requires three things: alignment between risk disclosures and incident disclosures, a documented and repeatable process for determining materiality, and disclosure controls and procedures that actually move incident information from the security team to the people who decide what is filed.

All of this means that cybersecurity governance has ascended from a “technical” endeavor to a board governance imperative. Competently overseeing cybersecurity risk and its management is now treated as part of directors’ fiduciary duty of care. That expands the number of people who will be named in post-breach lawsuits, and it will probably compel prudent CISOs to ask to be named as insureds on the company’s D&O insurance policy as a threshold personal risk management requirement.

If they are to govern cyber risk effectively, boards should seriously consider raising their cyber knowledge quotient by filling the next opening with a cyber-conversant member, and by engaging a third-party advisor that is independent of the consultants used by the management team. Companies should model the relationship between the CISO and the board risk committee on the unfettered relationship between the CFO and the audit committee, including direct, unfiltered access. And companies should train board members in the basics of cybersecurity, to evidence that they take seriously the risk most consequential to their fundamental responsibility as stewards of company assets.

Learn more about what boards should be doing in the face of today’s cyber threats and mandates, and contact our team for more information on how to get started.


Contacts

Scott Corzine, Managing Director, Cybersecurity, Technology Risk and Privacy

Bhavesh Vadhani, CISA, CRISC, CGEIT, PMP, CDPSE, Principal, Global Leader, Cybersecurity, Technology Risk, and Privacy




This has been prepared for information purposes and general guidance only and does not constitute legal or professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is made as to the accuracy or completeness of the information contained in this publication, and CohnReznick LLP, its partners, employees and agents accept no liability, and disclaim all responsibility, for the consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.