Over the last few years, increasing regulatory pressure from the SEC and the FTC has pushed businesses across the country to increase board oversight in matters of cybersecurity. With the U.S. Securities and Exchange Commission’s (SEC) proposed rule changes in March of last year, publicly traded companies have much stricter reporting and disclosure requirements in regard to cybersecurity incidents and how the business is structured to respond to said incidents.
SEC Rule Changes
The proposed rules add new disclosure requirements in various public filings, requiring periodic reporting of “material” cybersecurity incidents and more detailed disclosure of organizational risk management practices. Form 8-K now requires that businesses disclose a material cybersecurity incident within four (4) business days, and requires that the disclosure include the following details: the date the incident was discovered, the scope of the incident, whether data was accessed or taken by the actor, the incident’s impact on business operations, and plans for remediation. Thankfully, the four-day stopwatch begins from the time that the incident is deemed “material” rather than when the incident occurred, so businesses still have time to perform triage and gather facts about the incident before disclosure is required.
Additionally, Form 10-Q requires that periodic updates be given to investors on previously disclosed cybersecurity incidents. This means that any significant updates following the initial disclosure must also be reported to investors in a timely manner. Form 10-K now requires the disclosure of the following:
- How existing cybersecurity policies and procedures identify and manage cyber risk,
- The extent of board governance over cybersecurity risks, and
- Expertise that the executive team has in evaluating and managing cybersecurity risks as well as implementing cybersecurity policies and procedures.
Feds cracking down on bad-faith actors
Over the last year, the FTC has also started cracking down on companies and individuals that look to circumvent timely reporting obligations. In October of last year, Drizly CEO James Rellas was named in the FTC’s complaint against the company in his individual capacity for failing to hire a senior executive to oversee security practices. This came not long after the FTC settled its complaint with CafePress for covering up a major data breach resulting from its inadequate security practices. CafePress’ parent company Residual Pumpkin was ordered to implement a comprehensive information security program in addition to paying a $500,000 fine.
It’s clear from the writing on the wall that board members and executives need not only oversight in ensuring that cybersecurity is implemented across the organization, but they must also be active participants. In today’s world, lack of familiarity with cyber risk is no longer an excuse that will be tolerated. There needs to be evidence of due diligence by all responsible shareholders in order to effectively manage cyber risk and to protect the business.
How CPM facilitates board oversight
When it comes to aligning the business and the board on issues of cybersecurity, the biggest need is visibility. Visibility into the current day-to-day security operations of the business is critical in establishing a shared understanding of the organization’s current security posture. We know of no better way to provide this kind of insight than Cybersecurity Performance Management (CPM), and Gartner® agrees. CPM relies on visibility into continuous performance against goals, along with measures of consistency, to create tremendous new understanding around risk, providing for data-driven decision making that can truly improve security and curb excess spend. The insight that CPM provides will revolutionize the way organizations manage cybersecurity in support of the business, especially as it relates to informing the board.
Fundamentally, CPM is a framework that ties cybersecurity performance to an organization’s strategic cyber objectives, measuring meaningful performance metrics – defined as Cybersecurity Performance Indicators (CPIs) – over time to ensure continuous monitoring of risk, compliance, maturity, and ROI. It’s a data-driven approach to cybersecurity, leveraging the tools you already have to gain greater insight into your cybersecurity performance. These metrics empower decision makers by tracking the specifics of your performance with CPIs that measure key performance areas that are inherently indicative of your team’s overall performance. They also inform strategic investments that result in more efficient, targeted spending on cybersecurity improvements.
Boards of directors are now acutely aware of the need for their active participation in this discussion, with almost half of Fortune 500 boards having cybersecurity as a strategic goal. Boards are asking better questions about an organization’s cyber risk and how it is to be measured, to ensure directors are able to carry out their duties effectively. This requires greater investment in relevant reporting over time, but it also requires an alignment of risk appetites, lexicon, and future strategic direction for cybersecurity initiatives. It’s time to move our focus from amorphous measurements of the security team’s activities to their achievement and value as it relates to the business.