The Securities and Exchange Commission (SEC) is finalizing new regulations that will expand on the Security Exchange Act of 1934, helping address the need for increased board transparency and expertise in cyber risk management. These regulations will require companies to greatly increase their public disclosure of their:
- Board’s Expertise: Businesses must include board directors’ cybersecurity resumes and experiences in public disclosures, such as Forms 10-K and 8-K
- Cybersecurity Management Practices: Businesses must disclose governance, risk analysis & management processes in SEC filings
- Details on Qualified Cyber Events: Businesses must disclose any SEC-qualified incidents (such as data breaches) within four days of discovering and qualifying the occurrence
These new rules are intended to ensure that business leaders are equipped with the knowledge and expertise needed to manage cybersecurity risks effectively. These rules also focus on improving accountability by forcing corporations to take ownership of any data breaches or other incidents.
The Growing Need for Cybersecurity Expertise on Corporate Boards
Cybersecurity threats increase in complexity and severity, putting boards of directors under ever-increasing pressure to provide sound oversight of the risk. Unfortunately, many boards lack the necessary expertise in this area. A recent study shows that up to 90% of companies in the Russell 3000 index do not have a single director with cybersecurity experience. This is an alarming statistic, especially when compared to the Fortune 100, which has 51% of its boards with relevant cybersecurity skills.
Why These Rules Matter for the Future of Cybersecurity
As cyber risks become more prevalent, the importance of governance concerning cybersecurity cannot be overstated. In the past 10-15 years, we’ve seen a surge in cyber incidents, from data breaches and ransomware attacks to phishing scams. So how can you ensure your organization is prepared for these threats? The answer lies in a strong cyber governance framework that focuses on mitigating risk and addressing potential issues before they become full-blown problems.
Organizations of all sizes need to have an effective approach to cyber governance. That starts with having someone with relevant cyber experience lead your cybersecurity program. An effective approach has clear strategies and policies that address the evolving threat landscape and comprehensive approaches that include people, processes, and technology. Having documentation in place that outlines policies can be a lifesaver. It is also essential for organizations to invest in technologies and tools such as firewalls and antivirus software to protect their systems from malicious attacks.
Every Board Needs a Cybersecurity Professional
Executive boards play an important role when it comes to managing cyber risk within an organization. The board needs to understand the technical aspects of cyberspace as well as the legal implications associated with it. They should also be familiar with current security trends and strategies so they can ask informed questions about any proposed measures or strategies put forth by management teams. Furthermore, boards should ensure that executives understand their roles and responsibilities when it comes to protecting data and systems from attack or exploitation by malicious actors. Finally, they should ensure that all personnel is adequately trained on cybersecurity topics such as password security practices and typical phishing schemes to help protect against future attacks.
With up to 90% of companies lacking even a single board member with a cybersecurity background, it is even more important for boards of directors and senior executives alike to understand the importance of good cyber governance to mitigate risk effectively within their organization. By investing in security tools and personnel, establishing clear policies, and more, you can ensure that all employees understand their roles and responsibilities when protecting data and systems from attacks. Following this rule will guarantee that boards have the necessary expertise to set their organization up with a successful security posture.