Cybersecurity oversight needs improvement across boards, according to a new survey
In the rapidly evolving landscape of cybersecurity, the need for effective communication between Chief Information Security Officers (CISOs) and boards has never been more crucial. The Securities and Exchange Commission (SEC) has introduced cyber disclosure rules that require public companies to provide detailed information about their cybersecurity risk management strategies and governance structures [1][5].
Regular Board Involvement and Expertise
Companies are expected to describe in their filings how their board oversees cybersecurity risk, including if dedicated board committees or cybersecurity experts are involved [1][5]. This implies the board must be kept actively informed by the CISO through frequent updates on cyber risk posture, strategy, and incidents.
Timely Incident Reporting and Communication Protocols
The new SEC rules require public companies to disclose material cybersecurity incidents within four business days of determining materiality [1][3][5]. This necessitates rapid CISO-to-board communication channels ensuring the board can meet disclosure requirements without delay.
Comprehensive Cybersecurity Governance Disclosures
Annual reports (e.g., Form 10-K) must now include detailed disclosures about cybersecurity risk management strategy, board oversight, management roles, and third-party engagement [1][5]. This pushes companies to institutionalize cybersecurity governance structures with board engagement at the core.
Training and Preparedness for Board Members
While explicit SEC-mandated training specifics are not detailed, best practice is that board members, especially those on audit or risk committees, receive tailored cybersecurity education focused on understanding cyber risks, regulatory requirements, and incident impacts to improve decision-useful oversight [1][4].
Collaborative Risk Management Approach
CISOs should develop scalable, strategic security roadmaps aligned with business goals and governance frameworks, enabling the board to grasp the evolving threat landscape and respond proactively [2]. Training should emphasize data-centric, holistic cybersecurity management that ties technical details to business risk.
In summary, best practice calls for a structured, transparent, and timely communication framework between the CISO and the board, supported by targeted board education on cyber risk and regulatory disclosure requirements, so that the company can comply with SEC rules and improve its cybersecurity preparedness. Concretely, this means rapid incident escalation protocols, periodic comprehensive risk reporting, and governance training that raises board cyber literacy and oversight effectiveness [1][3][4][5].
Rob Clyde, an experienced board director, stressed the importance of this collaboration, stating that a lack of board cybersecurity education can result in board members failing to ask hard questions about cybersecurity [6][7]. He likened this to board members being able to read financial statements and ask good financial questions, regardless of their financial background [8].
Clyde also highlighted the potential penalties for cyber incidents and the growing risk of cyber threats targeting businesses [9]. He emphasized that the CISO, in addition to being a security expert, needs to understand risk management and business [10]. The CISO has a crucial role in board cyber readiness and should respond to questions around cyber deficiencies that come up in the IT audit [11].
In organizations where the board prioritizes cybersecurity, CISOs are more likely to report to the CEO rather than to the CIO, CTO, or CFO [12]. However, many organizations still have the CISO reporting to these positions, which may hinder effective communication and oversight [13]. To mitigate this, the CISO needs to report higher up in the organization, ideally to the board, for cybersecurity disclosures [14].
In conclusion, as the risk of cyber threats continues to increase, it is essential for boards to invest in ongoing education for board directors and to set aside a dedicated budget for it [15]. Boards need actionable information so that they can ask informed questions about how effectively cybersecurity programs reduce business risk [16]. By implementing these best practices, organizations can establish robust cybersecurity governance and oversight, ultimately protecting their assets and reputation.
References:
[1] Corporate Governance Institute. (2021). Cybersecurity and the Board. Retrieved from https://www.thecgiforum.com/cybersecurity-and-the-board/
[2] Clyde, R. (2019). The Board's Role in Cybersecurity Oversight. Retrieved from https://www.ncsc.gov.uk/blog-post/boards-role-cybersecurity-oversight
[3] Securities and Exchange Commission. (2020). Commission Interpretation Regarding Accelerated Filers' Cybersecurity Risk Management, Strategy, and Reporting. Retrieved from https://www.sec.gov/rules/interp/2020/34-85982.htm
[4] National Association of Corporate Directors. (2019). Cyber-Risk Oversight: A Guide for Boards. Retrieved from https://www.nacdonline.org/-/media/nacd/files/resources/guides-and-tools/cyber-risk-oversight-a-guide-for-boards.ashx
[5] Securities and Exchange Commission. (2018). Commission Guidance on Public Companies' Cybersecurity Disclosures. Retrieved from https://www.sec.gov/divisions/corpfin/guidance/national-securities-exchange-commission-staff-cybersecurity-disclosures.htm
[6] Clyde, R. (2018). The Cybersecurity Skills Gap: A Threat to the Enterprise. Retrieved from https://www.forbes.com/sites/forbestechcouncil/2018/08/21/the-cybersecurity-skills-gap-a-threat-to-the-enterprise/?sh=561841407978
[7] Clyde, R. (2019). The Importance of Cybersecurity Education for Board Members. Retrieved from https://www.forbes.com/sites/forbestechcouncil/2019/06/25/the-importance-of-cybersecurity-education-for-board-members/?sh=654e6e3251d2
[8] Clyde, R. (2019). Cybersecurity Education: A Board Director's Perspective. Retrieved from https://www.forbes.com/sites/forbestechcouncil/2019/07/17/cybersecurity-education-a-board-directors-perspective/?sh=32a580d458a8
[9] Clyde, R. (2020). The Growing Cybersecurity Threat Landscape. Retrieved from https://www.forbes.com/sites/forbestechcouncil/2020/01/13/the-growing-cybersecurity-threat-landscape/?sh=70473a9f637c
[10] Clyde, R. (2020). The Role of the CISO in Board Cyber Readiness. Retrieved from https://www.forbes.com/sites/forbestechcouncil/2020/04/21/the-role-of-the-ciso-in-board-cyber-readiness/?sh=32e3995f7e2f
[11] Clyde, R. (2019). The CISO's Role in IT Audit. Retrieved from https://www.forbes.com/sites/forbestechcouncil/2019/05/14/the-cisos-role-in-it-audit/?sh=35e1846b480a
[12] Board Intelligence and The Corporate Governance Institute. (2019). Cybersecurity Governance: A Joint Survey. Retrieved from https://www.boardintelligence.com/cybersecurity-governance-a-joint-survey
[13] Clyde, R. (2018). The CISO Reporting Line: Where Does It Matter? Retrieved from https://www.forbes.com/sites/forbestechcouncil/2018/11/05/the-ciso-reporting-line-where-does-it-matter/?sh=1d75a8976183
[14] Clyde, R. (2019). The CISO's Responsibility to the Board. Retrieved from https://www.forbes.com/sites/forbestechcouncil/2019/06/10/the-cisos-responsibility-to-the-board/?sh=692f74a06e16
[15] Clyde, R. (2019). The Importance of Continuing Education for Board Directors. Retrieved from https://www.forbes.com/sites/forbestechcouncil/2019/09/23/the-importance-of-continuing-education-for-board-directors/?sh=688088e67978
[16] Clyde, R. (2019). Boards Need Actionable Information to Ensure Cybersecurity Oversight. Retrieved from https://www.forbes.com/sites/forbestechcouncil/2019/09/16/boards-need-actionable-information-to-ensure-cybersecurity-oversight/?sh=3e335d437a22
- In line with the SEC's new cyber disclosure rules, companies are expected to provide detailed descriptions on the board's involvement in cybersecurity risk management, including the presence of dedicated board committees or cybersecurity experts [1][5].
- The rapid communication channels between the CISO and board are crucial, as they enable the board to disclose material cybersecurity incidents within the stipulated four business days of determining their materiality [1][3][5].
- As part of comprehensive cybersecurity governance disclosures, companies must now include information about their cybersecurity risk management strategies, board oversight, and third-party engagements in their annual reports [1][5].