This article has been co-authored by Dr. Ivano Bongiovanni, Lecturer in Information Security, Governance and Leadership & Lecturer in Design Thinking from the University of Queensland, and Ian Yip, founder and CEO at Avertro.
Following the US Securities and Exchange Commission's (SEC) publication of its highly anticipated “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure” rules, we reviewed the key components and reflected on their implications for organisations.
The main goal behind the rules’ adoption is to foster consistent cyber-related disclosures by registrants, with a view to helping investors make more informed decisions.
Risk Management and Strategy
Organisations must disclose, in their annual reports, their processes for assessing, identifying and managing material risks arising from cyber-threats, bringing more transparency to cyber-risk management.
In doing so, companies give investors a clearer understanding of their approach to, and preparedness against, cyber-threats, making their cyber-posture more explicit. Traditionally, external ‘signals’ of cyber-risk management have largely been limited to certifications or declarations of alignment with existing standards and frameworks.
Earlier drafts proposed mandatory disclosure of cyber-expertise on boards, as well as requirements on the frequency of cybersecurity discussions at board level.
These requirements have since been removed. Some view this as ‘letting boards off the hook’ on accountability, while others see it as consistent with an all-hazards approach to enterprise risk management, in which cyber-risks are treated no differently from other organisational risks (e.g., financial, WHS).
"We are persuaded that effective cybersecurity processes are designed and administered largely at the management level, and that directors with broad-based skills in risk management and strategy often effectively oversee management’s efforts without specific subject matter expertise." (Securities and Exchange Commission)
However, organisations must still disclose the board of directors' oversight of cyber-risks and management's role and expertise in assessing and managing material cyber-risks; they must show that appropriate steps are regularly taken to consider the impact of cyber-threats on the organisation.
This ‘softer’ approach may favour self-regulation: to excel, organisations may still seek cyber-expertise for their boards to differentiate themselves from competitors and provide assurance to investors.
Opponents of the earlier requirement to offer granular information on the processes a company has in place to manage cyber-risks got their way, on the grounds that such detail would give cyber-criminals hints on how to bypass defences. For the same reason, the initially proposed “policies and procedures” wording was replaced by “processes”.
The final rules still require disclosure of the processes used to manage cyber-risks, but only to the extent needed to give a reasonable investor sufficient information to understand them. We anticipate that organisations will adopt a cautious approach in their disclosures.
Additional Pressure on CISOs
Some commentators point out, quite justifiably, that these disclosure requirements put more pressure on CISOs, a role that is already under significant strain, potentially to the detriment of their health.
Given the removal of the requirement to disclose cyber-expertise on boards, one can infer there is no requirement for a CISO to have a designated stakeholder at board level. On the other hand, this could boost the push towards redesigning reporting lines and organisational charts so that CISOs report directly to CEOs. Optimistically, the rule will likely strengthen cyber-risk conversations across organisations, particularly at mid, senior and executive management levels, and help CISOs gain more "airtime".
Implicitly, this gives boards an incentive to shape their composition in a way that facilitates such conversations. Recent research has shown that current reporting practices tend to be largely one-directional; our hope is that the increased scrutiny will make them bi-directional.
Material Cybersecurity Incidents
In the aftermath of a material cybersecurity incident, companies will be required to disclose its details within four business days of determining that it is material, including its impact on operations, finances, performance and other relevant aspects.
The underlying assumption is that investors need enough information to make decisions about a data breach that potentially affects their investments. From a business standpoint, this brings us closer to a situation where cybersecurity performance factors into investment (and consumption) decisions.
Note that the definition of “material” can vary between organisations and is prone to subjectivity. The rules require the materiality determination to be made without unreasonable delay, yet in the aftermath of a breach organisations will likely spend a significant amount of time working out whether the incident was in fact “material” and thus subject to the disclosure requirements.
We should give credit to the SEC for taking a pragmatic and independent approach in the adopted rules, especially by pushing back on proposed requirements that could have been seen as serving commercial or similar interests.
Moreover, despite a ‘softer’ approach compared with the original proposal (March 2022), the new SEC rules are a step in the right direction, as accountability for cybersecurity at board and management level has certainly expanded. While more regulation could increase the volume of compliance-driven approaches, this rule does force better governance and strategic thinking (i.e., relying on audit findings and compliance-only cybersecurity approaches will no longer be enough). At the same time, it will be interesting to see how organisations adapt to the new rules over time, as regulations tend to have their strongest impact in the short term.
Beyond the obvious implications for international companies doing business in the US that fall under the SEC's remit, regulators elsewhere will almost certainly be watching closely. The world tends to follow the US in cybersecurity trends and regulation, so we can expect increased pressure on boards and senior leadership from regulators in Australia, Europe, the UK, Singapore and other digital economies to govern and manage cyber-risk properly.