The recently approved Security and Exchange Commission cybersecurity rules have many corporate boards strategizing how they will approach improving their cybersecurity defenses and complying with the new regulations. A report from cybersecurity consultancy Savanti offers advice to companies that want to meet those challenges.
The report from Savanti, Effective Board Governance of Cyber Security: A Source of Competitive Advantage, points out that cyber attacks globally are on the rise. The report states that one in six companies were attacked in the past year and ransomware attacks increased 200 percent between 2019 and 2021. Recent surveys have shown that corporate directors often list cybersecurity as a major concern but generally admit to not being as prepared to deal with the risks as they would like to be. Savanti offers five steps boards can take to improve their cybersecurity governance:
1. Make cybersecurity a regular agenda item so the board can gain a better understanding of the board’s role in cybersecurity governance.
2. Become better informed about technology, data and cybersecurity.
3. Have CIO or CISO report on cybersecurity risks to the board quarterly or more frequently if necessary.
4. Seek assistance from independent cybersecurity advisors.
5. Be open to collaborations between regulators, investors and the public that can improve cybersecurity.
Each company will develop a unique strategy if they choose to implement these five steps to improving cybersecurity governance. Critical to developing their strategy will be conducting an internal assessment of each board member’s ability to contribute to the improvement of cybersecurity governance – not to shame anyone, but to determine the board’s strengths and weaknesses on this critically important subject. If the board has several members with cybersecurity experience, it can set forth plans to put that experience to best use. If the board is lacking members with cybersecurity experience, it can make plans to recruit a member who can add guidance in that area.
Since the new SEC rules require companies to disclose “the board of director’s oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats,” greater attention should be given to this area sooner rather than later. Cybersecurity Ventures predicts the cost of cybercrime to reach $10.5 trillion annually by 2025. With these new rules in place, boards will be expected to play a large part in protecting their companies and investors from those losses.