The SEC recently proposed new cybersecurity disclosure rules for public companies. Under the new regulation, companies would be required to report material cyber incidents within four business days, disclose their cybersecurity governance practices and expertise, and provide periodic updates of previously reported cyber incidents.
Corporate Board Member asked public company board members participating in our May Director Confidence Index, conducted in partnership with the Diligent Institute May 16-20, to share their thoughts on the proposal. The general sentiment: Meh.
Directors don’t expect the proposal to bear too much impact on their organization. When asked to rate the effect of each dimension of the proposal, the data returned a balanced 2.8 out of 5 on a 5-point scale where 5 is “Great impact” and 1 is “Little to no impact.”
“We are prepared for any rule change,” said an independent healthcare director participating in our poll.
“We plan to discuss this at our next board meeting, but as a clothing manufacturer, cyber threats are not as severe for us as for some industries,” said Bill Korn, chairman of the audit committee at Jerash Holdings (US) Ltd.
“We already have a strong focus on cybersecurity,” said the audit chair of a software company.
Adopting a wait-and-see approach seems to be the general consensus: 63 percent of directors polled said their board had discussed the proposal, but far fewer had taken any other action to prepare.
Thirty percent said their board is looking to upskill current directors and executives on cybersecurity oversight and management as a result of the proposal, and 25 percent plan to bring in outside consultants to help them meet the proposed requirements.
Otherwise, 16 percent say they’ve done nothing to address the proposal. Perhaps the lack of a strong response isn’t surprising. After all, directors have been placing great focus on cybersecurity over the past decade. Data from our 2022 What Directors Think survey shows three-quarters of directors saying they are more concerned that their company will confront a cybersecurity/data breach crisis than any other crisis—and are therefore remaining hyper-vigilant in their oversight of cybersecurity.
“We already [do] most of this due to our previous experiences in this area,” said a survey respondent on the board of a healthcare company referring to the action items listed.
“We have engaged more with our cyber team and completed an audit,” said James Treco, lead director at Tonix Pharmaceutical.
“Companies that don’t take cybersecurity seriously are headed for trouble,” said a survey respondent whose board is planning to bring in consultants to help them meet the proposed requirements.
While very few (if any) scoff at the seriousness of cybersecurity, the idea of yet another one-size-fits-all regulation has many rolling their eyes and hoping it will go away.
“It’s overwhelming trying to keep up with the number of changes. Just crazy!” said Gary S. Olson, CEO and executive director at ESSA Bank & Trust. He says cybersecurity is just one of the SEC’s new requirements to which they are building a response.
“The proposed rules seem to be outside the SEC purpose. We already deal with many laws and regulations governing cyber and privacy practices. The proposed SEC rules will make the process more complex and more expensive, and not more effective,” said a participant in the survey who sits on the board of a financials company.
“It’s unnecessary and window dressing for the most part,” said another respondent.
“Well intentioned, but curious as to the continuing lack of clarity and comparability on material breach. The notion of creeping breach and materiality is also difficult. I truly hope that the SEC takes commentary received seriously,” said the audit chair of a company in the financials space.
Overall, directors say the proposal is, at best, oversimplified and that a nuanced approach would be more helpful.
“These rules are not necessary for all businesses. The greatest impact is on retail concerns, and the rules should be tailored by industry,” said the chair and lead director of an energy company.
“The 4 day reporting is impractical in many cases given the time to assess potential impact and materiality,” said a director on the board of an industrials company.
“The SEC needs to be very specific in what constitutes board member cybersecurity expertise. When boards were required to add audit committee financial experts, the SEC offered a detailed checklist of experiences that qualified an individual. That would serve as a good model for cyber-related experience,” said the audit chair of a manufacturing company in the consumer discretionary sector.
Overall, when asked to rate their board’s level of expertise, education and knowledge of cybersecurity, relative to peers, directors gave themselves an on-par rating, at 3.2 out of 5, on a scale where 5 is “Ahead” and 1 is “Behind.”
“Being on par with other companies is not the standard we will need to meet. I believe all companies will need to become much better informed about cyber issues,” said Tonix Pharmaceutical’s Treco.
“If forced to quickly, we will struggle to find enough board members with relevant experience to truly make a difference,” said another director participating in the poll.
“It’s a fast-moving concern, and without specific talent/expertise at the employee level, there is no way an organization will be able to keep up,” said a director at a chemicals company.