The Securities and Exchange Commission has approved new rules that challenge corporate board members to take their company’s material cybersecurity risks more seriously. In addition to requiring speedy reporting of cybersecurity incidents, the new rules require “periodic disclosures about a registrant’s process to assess, identify, and manage material cybersecurity risks, management’s role in assessing and managing material cybersecurity risks, and the board of directors’ oversight of cybersecurity risks.” With regulators now requiring more transparency regarding cybersecurity risk, corporate boards have yet another governance responsibility that requires strategic planning and risk management experience.
Although directors seldom welcome having to provide additional disclosures, asking boards to give additional attention to cybersecurity risks is warranted. The Department of Homeland Security continues to monitor how large companies in key industries have been compromised by cyberattacks over the last few years. If the largest companies with vast resources are failing to repel cyberattacks, it can be reasoned that most companies should try to strengthen their defenses against cyber intrusions.
Here are some cybersecurity issues corporate boards should consider:
• Reporting cybersecurity defense measures to shareholders and stakeholders. With the new rules requiring disclosures about management’s role in assessing and managing material cybersecurity risks, and the board’s oversight of cybersecurity risks, the company strategy regarding how management and the board will work together to protect against material cybersecurity risks will need to be reviewed and updated. The disclosures will need to be transparent enough to satisfy regulators without exposing too much detail about how the company will react to and defend against a possible cyberattack. Informing investors that the company has put governance policies in place that can help prevent cyber incidents will go a long way in building confidence in the management team and the board of directors. Being transparent about what the board is doing lets all stakeholders know that the company is being proactive about this growing risk.
• Conducting an internal review of potential material cybersecurity risks. Determining where the company is vulnerable to cybersecurity risks is critical to mitigating the damage that a potential cyber incident can cause. Working closely with the Chief Information Security Officer (and perhaps cyber security consultants) the board must try to anticipate the worst possible cybersecurity lapses the company could face and develop strategies management can use to prevent those problems from occurring. They will also need to provide solutions that can keep the company operations functioning until any potential cyber incidents can be effectively dealt with. Once the company has developed strategies and procedures to deal with the company’s greatest cybersecurity risks, it has demonstrated its understanding of its duty to guard against material cybersecurity risks. This could be helpful if litigation arises from a future cybersecurity incident.
• Does the board have enough cybersecurity experience? The threat from cybersecurity incidents continues to rise. Experts are warning that artificial intelligence is being used to write code used in cyberattacks, so the threat is likely to continue expanding. Since corporate boards are now expected to exercise greater oversight of cybersecurity, it might be time to add a board member with cybersecurity experience.