The SEC Cyber Rule: Strategic Implications For Boards
Discover effective strategies to address the adaptive challenges and implications of the SEC cyber rule for board directors
As a first-time Dad of a baby girl, installing my first car seat was intimidating and a bit scary. I wanted to make sure I did it the right way and that she would be safe. Several YouTube videos and multiple Sunday afternoons later, I was comfortable that the car seat was safe and secure. I imagine most first-time parents have a similar experience. Why do we go through the time and the effort to get it right?
As a parent, do you strap your kids into their car seat primarily because you don’t want to get a ticket, or because you care about them and want to keep them safe? The former focuses on compliance; the latter, on commitment to caring. What does all of this have to do with the SEC cyber rule and its implications for board directors? It serves as a foundation to illustrate the following central insights, which help boards gain a deeper understanding of what the SEC cyber rule really means and what effective cyber risk oversight looks like.
Three central insights are:
Compliance is crucially important, but it’s not the same thing as commitment, which is equally, if not more, important.
Compliance without commitment can have unintended or unexpected consequences.
Commitment is an adaptive challenge for directors that requires a different solution strategy than that required for compliance.
A brief recap of the SEC cyber rule for those not as familiar with the new rules. The U.S. Securities and Exchange Commission (SEC) has adopted a new cyber rule for publicly traded companies. The new rule provides additional reasons for boards of directors to care about effective cyber risk oversight. The SEC rule has begun to formally shape the fundamental expectations and requirements of what effective board oversight of cyber risk looks like. The SEC disclosure rule comprises the following cyber risk dimensions, on which registrant companies are now required to make disclosures:
Cyber Risk Governance
Cyber Risk Management & Strategy
Material Cyber Incidents Disclosures
Non-compliance potentially invites charges or penalties from the SEC. The SEC means business, and gone are the days of Harry Markopolos. No need to belabor this point; refer to the latest charges and penalties issued by the SEC. So compliance is a good thing, it really is. So what’s the problem? The SEC cyber rules are disclosure rules, and disclosure can have unintended consequences if there’s no underlying commitment.
The SEC cyber rule has significant implications for board directors and presents both a technical and an adaptive challenge. The technical challenge focuses on compliance with the new rule, but the adaptive challenge is really a matter of commitment to effective cyber risk oversight and governance by the board. Both compliance and commitment are needed for effective oversight.
Compliance and Commitment
As mentioned earlier, compliance without commitment can have unintended or unexpected consequences.
Compliance is not the same thing as commitment. For example, Theranos was apparently in compliance with FDA regulations when it received FDA approval for its herpes simplex test, as reported by Business Insider amongst other media outlets. Theranos said in the report that this was the beginning and that they were committed to keep getting FDA approvals for all their tests.
https://www.washingtonpost.com/news/wonk/wp/2015/07/02/fda-approves-theranos-9-finger-stick-bloodtest-for-herpes/
As a board director, if you were presented with the approval notice here https://www.accessdata.fda.gov/cdrh_docs/reviews/k143236.pdf, you would have no reason to suspect non-compliance. Theranos was in compliance with the FDA rules, at least for this one test. But hindsight is 20/20, and sometimes compliance is not enough.
Enron is another classic example of an organization that sought compliance without true commitment. Their auditors gave them a clean bill of health before they went down.
Their vision and mission statement reads as follows:
Both compliance and commitment are needed for effective cyber oversight.
So, what’s wrong with compliance? Nothing really. Compliance presents a technical challenge with a linear solution but can have unintended consequences if there’s no underlying commitment or misaligned motivation. Commitment speaks to motivation. Corporate example - Wells Fargo.
The SEC cyber rule has significant implications for board directors and presents both a technical and an adaptive challenge. The technical challenge focuses on compliance with the new rule, but the adaptive challenge is really a matter of commitment to effective cyber risk oversight and governance by the board.
Some organizations may be stuck between a rock and a hard place. Non-compliance potentially invites a penalty from the SEC. On the other hand, compliance reveals the effectiveness of the board’s cyber risk oversight, and its commitment, to investors, including institutional investors, as well as to the general public.
The Adaptive Challenge
First, it’s important to distinguish between the technical challenge and the adaptive challenge, so we can establish common ground and alignment of terms, because these two challenges call for very different types of solution strategies.
Technical Challenge: Compliance with the new SEC cyber rule can be regarded as a technical challenge, meaning the solution to the challenge is known, direct, and within the scope of the current capabilities of the board. Although some changes may be required of the organization, relatively few changes are required of the board for compliance. When it comes down to it, the boards of most large organizations will ask management to ensure they’re ready to comply with the new regulations, get a couple of updates on preparedness, and move on to “higher priority” items (e.g. M&A, business strategy, etc.) on the board agenda. So yes, compliance in this context is a technical challenge. And this challenge, for a lot of organizations, may itself be a heavy lift.
Adaptive Challenge: However, commitment to the new SEC cyber rule is really an adaptive challenge. An adaptive challenge is one that requires a solution that does NOT exist within the current scope of capabilities and requires a stretch. It requires a deeper perspective that concentrates attention at the root of the challenge, to minimize or avoid variations of the same problem recurring in unexpected ways. The solution to this adaptive challenge reflects a commitment to the spirit behind the regulation and to the cyber risk implications for customers and investors, and it is a different challenge altogether from the technical challenge.
It is different because it can’t simply be solved by asking and validating that management is prepared to comply with the new regulation. The solution requires board directors to step out of their current scope of capabilities and overcome some of the constraints on engaging with the current and emerging cyber risks facing their organizations. This is an adaptive posture for the board that evolves, adapts, and changes with the dynamic needs of the business and the cyber threat landscape. It’s a heavier lift and a higher standard, with a solution that potentially has a higher payoff.
The adaptive challenge for board directors emerges from the difficulty of providing oversight in the face of the three fundamental constraints of time, expertise, and will. Some questions to help you identify the impact (if any) of these constraints include:
Board Time - Tackling the adaptive challenges described above requires a more structural and systematic approach. At the root of these challenges is the lack of time and energy devoted to cyber risk issues by the board. Board directors have a spectrum of competing priorities at board meetings. A typical cyber risk board update briefing is about 20 minutes or less, which leaves little to no time for meaningful discussion or questions. The exception, of course, is during a data breach or material incident.
So what can boards that are committed to effective cyber oversight do? What options do they have? There are several enhancements to existing structures and processes that may help, but we favor and recommend the use of a committee structure to address the time challenge. Assigning a board committee to focus on cyber risk oversight discussions allows for a deeper and richer understanding of the true risks, because the committee would have more time (more than 20 minutes) to really discuss, ask probing questions, and receive meaningful responses. The level of board engagement and corresponding oversight becomes far more effective. The committee would then bring the resulting recommendations to the full board.
Board Time Questions: How much time is required to engage in meaningful oversight of cyber risk? Is the board giving it the time it requires?
The success of the committee largely depends on careful selection of its members, and a mix of board expertise should be considered. Without the right expertise, meaningful discussions can’t ensue and valuable insights are unlikely to emerge.
Cyber Expertise & Experience - Operational expertise and experience in cyber risk management is important for effective cyber risk oversight. Operational expertise means having experience and capabilities across multiple cyber risk/security functions and domains, including, but not limited to, risk strategy, security operations, compliance, and vulnerability/threat management. Operational expertise is not experience or capabilities in a single cyber domain/function. Individuals with singular domain expertise may not have the broad perspective needed to help organizations and boards connect the dots between risk factors outside their own domain.
For example, connecting the dots between increased operational speed and cyber risk. A director with operational experience can offer the board and organization a different perspective, one that leverages cyber security as a strategic asset to shorten time to value.
For example, high turnover of security operations personnel can easily lead to multiple incidents from configuration errors and mistakes that are part of the normal learning curve inherent in taking on a new role. The stress and oversubscription of a few good people is another dimension here. It takes a very engaged and savvy board director to connect these dots in a meaningful way and provide effective oversight.
These are all things that should be examined and discussed prior to material incidents occurring.
When some underlying or structural elements are not being proactively addressed, or are not being addressed adequately, repeated incidents may occur. This becomes especially telling if industry competitors are not having recurring or repeated incidents.
Experience also doesn’t mean just attending a single training course or obtaining a certification. These are great foundations for providing actionable awareness for directors, and they have their benefits, especially as they get integrated into active board decisions. However, the board should retain at least one or two individuals who have operational cyber capabilities and/or leverage external consultants as needed.
Board Expertise Questions: Does the board have enough operational expertise to provide independent and effective oversight? Does it have business, leadership, and talent expertise as it relates to cyber, not just pure cyber operational/technical expertise?
Board Action - Experience:
Board Expertise - So what should the board do about acquiring cyber expertise? The following two strategies provide answers to this question and should be considered by boards seeking to enhance their cyber expertise.
Learning Clinics: Improve and enhance cyber expertise through experiential learning that focuses on real-world situations. The primary objective is to simulate the conditions directors will encounter when providing cyber risk oversight. The clinic should be delivered and facilitated by a capable cyber professional, preferably one with board service experience. This allows peer learning to occur at the right level and also helps avoid a common problem with cyber training for executives, namely that training programs are sometimes overly technical in content and delivery. Instead, the learning clinic should leverage the power of real-world cases, simulations, and compelling stories that challenge directors. The clinics should cultivate an interactive and dynamic learning environment for directors.
Structural elements - relationships with the CISO and other cyber risk related officers.
The key question is: how does a director without the time, expertise, and will (commitment) help the organization see around corners when it comes to cyber risks? How do they anticipate (as best as they can) some potential landmines and help management navigate the terrain? How do they help provide guidance and oversight? This is easier said than done and has some potentially significant consequences. At their worst, these inhibitors may result in repeated material incidents that have to be disclosed and that reveal the same cyber gaps or vulnerabilities. Example here
Turnover in security operations may be an obvious risk factor, but turnover in customer service may not be.
Sprawling providers and shadow IT are further risk factors.
when they have a swarm of other value-creation priorities competing for their limited time.
Are we giving cyber the time it requires?
Do we really have the expertise to provide effective oversight?
Do we really know what we don’t know and what to do about it?
Board Leadership - Strategic Options
Residency approach that leverages board committees intentionally designed to build expertise for board directors through operational and experiential elements