The evolving landscape of cybersecurity risks means different responsibilities and roles for boards – especially in light of the new SEC reporting rules. Pushback from numerous parties is commonplace, yet real-world data and scholarship show that a lack of cybersecurity expertise among board members hinders proper understanding and prioritization of cybersecurity risks. Cybersecurity suffers from large-scale misalignments in top-down and bottom-up coordination, prioritization and resourcing. The effects of such misalignments are manifold, with cybercriminals deftly exploiting gaps and seams to squeeze out data and dollars, now estimated at trillions of dollars per year. While many corporate boards are gaining familiarity with cyber risks and strategies, through table-top incident response exercises, off-sites and information sharing, dilemmas on cyber reporting and board expertise remain. Further, standard playbooks for incident response are still not well established and a sad pattern emerges: post breach, companies often scramble to remove C-suite executives and bring in external consultants to review suboptimal practices. Often, these efforts rely on lawyers whose counsel may preserve confidentiality or protect brand and leadership, but may also undermine desperately needed broad gains in cybersecurity.

Impact of SEC Rules

Ultimately, the SEC’s rules do not force the requirement of cyber expertise on boards, but the four-day rule for material determination and reporting – which many entities also lobbied against – puts clear onus on boards to mainstream cybersecurity as part of their overall risk management program. Furthermore, public companies are now required to annually detail in their Form 10-K how the board oversees risks related to cybersecurity threats, as well as the role of management in evaluating and handling material risks. While there is a critical need for more than symbolic board prioritization of cybersecurity risks, gaps remain in explaining threats and the return on investment to the C-suite. Too often, executives are treated to complex technical jargon or litigious verbiage when plain business language is needed most.

To date, much of the pushback from boards against cyber expertise requirements has fallen into one of the five fallacies first detailed by Bob Zukis, CEO of the Digital Directors Network:

1. One Size Fits All. False claim that the SEC proposed rule defines and dictates one approach for all companies on what constitutes a director with cybersecurity expertise.
2. One Trick Pony. Incorrect view that CISOs have too narrow a competency profile and skill set to contribute to the broader boardroom agenda.
3. Scarcity. Claim that the generally hyped cybersecurity skills shortage means there also aren’t enough cyber experts to go around in the boardroom.
4. Slippery Slope. Evidence-free claim that director cybersecurity expertise disclosure or presence on the board will create negative and unintended consequences elsewhere.
5. Outside Expert. Mistaken belief that outside experts or management expertise is a suitable replacement for corporate governance, which fails to recognize the purpose of corporate governance and the fact that fiduciary duties cannot be delegated.

Nonetheless, the trend towards board responsibility for cybersecurity is clear.
For example, Part 500 of Title 23 of the New York Codes, Rules and Regulations (NYCRR), often referred to as the New York Department of Financial Services (DFS) Cybersecurity Regulation, which covers banking, insurance, and other entities operating in New York, requires boards to be informed on cybersecurity. CISOs must report in writing at least annually to the covered entity’s board of directors or equivalent governing body, including information on the overall effectiveness of the cybersecurity program and the material cybersecurity risks associated with the entity.