SEC disclosure laws proposed earlier this year stand to change the game for public company reporting of material cybersecurity incidents—any breach or hack that could influence a shareholder to buy or sell a stock would have to be disclosed within four business days. This is problematic: it can take months to determine the nature of a breach and its potential damage to share value.
For C-level officers, IT departments and investor relations teams, this will surpass the impact of Sarbanes-Oxley and the Enron scandal 20 years ago, which forced companies to adopt transparent “safe-harbor” reporting practices. The resulting SEC policies of that era set every enterprise permanently on its heels, always on the defensive about making “forward-looking statements.”
Direct areas of concern within the proposed rules include periodic disclosure of C-Suite executives’ “roles in implementing cyber incident policies and procedures” and board of directors’ roles in “cybersecurity expertise and risk oversight.”
These are vague standards when compared to the established compliance frameworks that most executives are familiar with, such as PCI, ISO, SOC, HITRUST, FedRAMP, etc. These traditional “seals of approval” will continue to assure boards and external stakeholders that their companies adhere to world-class security best practices. But SEC-enforced compliance is different in that material impact is open to legal interpretation by anyone from a single disgruntled employee to an opportunistic trial lawyer leading shareholders in class-action lawsuits that could prove more devastating than any security breach.
Whether or not these pending requirements become law, regulators are trending in this direction, and bank regulators have adopted similar rules. The potential for individual directors and officers to be held liable looms large and the stakes are high. CEOs need to adopt cybersecurity postures and programs that will not only adhere to stricter standards, but raise the bar in anticipation of what’s to come. The efforts to achieve future compliance will be complex and costly, and the legal and competitive consequences of falling behind the adoption curve are incalculable.
If the SEC’s proposed rule to report every breach within four days isn’t enough to get your attention, now there is case law that sets precedent for personal disclosure with the conviction of Uber’s former CSO Joe Sullivan for paying off hackers and failing to let the Federal Trade Commission know about it. Such risk exposure will now fall on the C-Suite and board, with the very real potential for individual directors and officers to be held personally liable for mishandling public reporting, or for simple negligence.
Chief executives and boards need to start managing the new risk governance paradigm immediately. Here are the primary strategic imperatives to lower the potential for personal liability and retribution:
• Refresh board seats with cyber-skilled officers
If you don’t have a director with CISO experience already, that’s the next position you need to fill. Consider appointing your current CISO to the board and upgrading their title to Chief Trust & Risk Officer to elevate not just security, but reputation management and brand trust protection into your org chart. Be cautious of appointing other executives who may have only had oversight of security with the CISO reporting to them. This is unlikely to be sufficient for the SEC, as their level of security understanding is significantly lower than a former CISO’s.
• Expand boards to accommodate cyber expertise
If there was ever a reason to expand your board, this is it. To accommodate the impending mandates, and to tie security posture directly to strategic business objectives, getting cyber expertise ensconced within board authority is mission critical.
• Hire independent consultants to directly advise the board
Given the complexities of managing risk in today’s cloud-driven enterprise, custom solutions complementing strong legal posture are paramount. Hire consultants to advise the board directly, keeping them separate from the internal cyber team’s existing advisors. Your goal is to have advisors with sufficient experience in running a cybersecurity function to be able to determine if any deficiencies exist in your firm’s program, and to ensure the information being reported to the board by your in-house team is accurate. Board oversight and independence from daily security operations will improve performance and help support overall legal standing.
• Review insurance policy and legal defense strategies
Cyber insurance has been maturing as a protective tactic against hacks and breaches. However, with the pending disclosure liabilities, industry actuaries will need to recalibrate the risks and benefits within all product, supply chain and cost structures. Don’t wait for the fiduciary and credit ratings crowd to sort it out. Get communications and legal teams in place and working their plans now.
• Re-engineer governance and by-laws
Chief executives need to push their boards to write new by-laws outlining how security adherence will be governed internally—always different for every enterprise, and for many, probably the first time such priorities will be enshrined into corporate oversight policies.
The comment period for this round of rulemaking was over months ago, but the SEC recently extended the time for public input. Nevertheless, the clock is ticking for getting ahead of the law and controlling corporate and individual liabilities before the next inevitable breach. Doing nothing at this point may be the most expensive option.