The SEC Cyber Rule: Strategic Implications For Boards
Discover effective strategies to address the adaptive challenges and implications of the SEC cyber rule for board directors
As a first-time dad of a baby girl, installing my first car seat was intimidating and a bit scary. I wanted to make sure I did it the right way and that she would be safe. Several YouTube videos and multiple Sunday afternoons later, I felt comfortable that the car seat was safe and secure. I imagine most first-time parents have a similar experience. Why do we go through the time and the effort to get it right?
As a parent, do you strap your kids into their car seat primarily because you don’t want to get a ticket, or because you care about them and want to keep them safe? The former focuses on compliance; the latter, on commitment to caring. What does all of this have to do with the SEC cyber rule and its implications for board directors? It serves as a foundation to illustrate the following central insights, which help boards gain a deeper understanding of what the SEC cyber rule really means and what effective cyber risk oversight looks like.
Three central insights are:
Compliance is crucially important, but it can produce a false sense of trust (Theranos illustration)
Compliance without commitment (to the underlying intent) can have unintended or unexpected consequences (Greater story illustration)
Compliance and commitment together offer a better strategic approach than compliance alone (Greater story)
Driving the speed limit doesn’t mean you can’t have an accident, especially on an icy road - think black ice! We wouldn’t assume otherwise, because driving is within our domain of experience and we know better. But when something is outside our domain of expertise or experience, we tend to rely only on compliance standards. Greenwashing is one example. Another: Theranos received FDA approval, so the company’s product must be trustworthy and must be good. This is especially true for board members. Trust, or the intended outcome, in the case of the Greater illustration story.
Transition to compliance and commitment
Compliance and Commitment
Compliance is crucially important but it can produce a false sense of trust (Theranos illustration)
As mentioned earlier, compliance without commitment can have unintended or unexpected consequences.
Compliance is not the same thing as commitment. For example, Theranos was apparently in compliance with FDA regulations when it received FDA approval for its herpes simplex test, as reported by Business Insider among other media outlets. Theranos said in the report that this was the beginning and that it was committed to keeping on getting FDA approvals for all of its tests.
https://www.washingtonpost.com/news/wonk/wp/2015/07/02/fda-approves-theranos-9-finger-stick-bloodtest-for-herpes/
As a board director, if you were presented with the approval notice here https://www.accessdata.fda.gov/cdrh_docs/reviews/k143236.pdf, you would have no reason to suspect non-compliance. Theranos was in compliance with the FDA rules, at least for this one test. But hindsight is 20/20, and sometimes compliance is not enough.
Enron is another classic example of an organization that sought compliance without true commitment. Its auditors gave it a clean bill of health before it went down.
Its vision and mission statement reads as follows:
Both compliance and commitment are needed for effective cyber oversight. So, what’s wrong with compliance? Nothing, really. Compliance presents a technical challenge with a linear solution, but it can have unintended consequences if there is no underlying commitment or if motivation is misaligned. Commitment speaks to motivation. Corporate example - Wells Fargo.
The SEC cyber rule has significant implications for board directors and presents both a technical and an adaptive challenge. The technical challenge focuses on compliance with the new rule, but the adaptive challenge is really a matter of commitment to effective cyber risk oversight and governance by the board.
Transition to adaptive challenge ——.
Board Leadership - Strategic Options
Compliance without commitment to intent can have unintended or unexpected consequences. (Greater story illustration)
In the movie Greater, Brandon Burlsworth gained about 85 pounds in one year to be in compliance with his coach’s weight requirement so he could get on the football team at the University of Arkansas. The coach had told him he wasn’t big enough and needed to be 300 pounds to play on the offensive line.
Although Brandon was in compliance with the requirement, he was unclear about the intent behind it and had gained mostly fat instead of muscle. That was not the coach’s intent, so compliance resulted in unexpected or unintended consequences. When he showed up at the weigh-in, he was laughed at when he took his shirt off. His compliance actually exposed his lack of deeper understanding of the requirement, and by gaining fat instead of muscle he unintentionally created additional negative exposure for himself: ridicule from his teammates and coach.
Like Brandon, organizations and boards that focus on compliance with the SEC cyber rule without commitment to the underlying intent (investor trust in cybersecurity) may unintentionally create additional negative exposure for themselves. SolarWinds Corporation is a case in point.
SolarWinds was in compliance with SEC filing requirements and actually filed a Form 8-K on December 14, 2020 that disclosed a cyber breach. The Form 8-K was signed by the CEO but was incomplete. The company was not committed to the intent and spirit of the filing: investor trust in the organization and its cybersecurity practices. The SEC filed a complaint against the organization as well as the CISO, alleging that the company misled investors about its cyber risks and cybersecurity practices. An important element of the allegations was the Form 8-K that was filed. This occurred before the SEC rule took effect in December 2023.
From a board perspective, an SEC filing may signal good compliance with the requirements, but without an intentional commitment to exercise good cyber oversight it is nearly impossible to proactively unearth these types of management failures and leadership gaps. It is a challenging problem, as board directors should typically have their noses in, but fingers out of, the organization’s operational management activities.
Find different replacement story example for Greater.
Solving one problem creates another.
Transition to compliance with commitment offers a better strategic approach.
adequate domain expertise and
may expose gaps in the deeper understanding of the requirements. Compliance with the SEC disclosure requirements/rules may actually also reflect poor oversight at the board level if board commitment isn’t strong enough.
Elaborate on SEC compliance and board role with example disclosures
The Adaptive Challenge
Compliance and commitment offers a better strategic approach than compliance alone. (Greater story)
Compliance continues to sit in the audit committee, while commitment spans multiple committees (compensation, technology, finance, etc.).
First, it’s important to distinguish between the technical challenge and the adaptive challenge so we can establish common ground and alignment of terms because these two challenges call for very different types of solution strategies.
Technical Challenge: Compliance with the new SEC cyber rule can be regarded as a technical challenge; meaning, the solution to the challenge is known, direct and within the scope of the board’s current capabilities. Although some changes may be required of the organization, relatively few changes are required of the board for compliance. When it comes down to it, the boards of most large organizations will ask management to ensure they’re ready to comply with the new regulations, get a couple of updates on preparedness and move on to “higher priority” items (e.g. M&A, business strategy, etc.) on the board agenda. So yes, compliance in this context is a technical challenge. And this challenge, for a lot of organizations, may itself be a heavy lift.
Adaptive Challenge: Commitment to the new SEC cyber rule, however, is really an adaptive challenge. An adaptive challenge is one whose solution does NOT exist within the current scope of capabilities and requires a stretch. It requires a deeper perspective that concentrates attention on the root of the challenge, to keep variations of the same problem from recurring in unexpected ways. The solution to this adaptive challenge reflects a commitment to the spirit behind the regulation and to the cyber risk implications for customers and investors, and it is a different challenge altogether from the technical one. It is a heavier lift and a higher standard, with potentially higher payoffs.
It is different because it can’t simply be solved by asking management whether it is prepared to comply with the new regulation and validating the answer. The solution requires board directors to step out of their current scope of capabilities and overcome some of the constraints on engaging with the current and emerging cyber risks facing their organizations. This is an adaptive posture for the board, one that evolves, adapts and changes with the dynamic needs of the business and the cyber threat landscape. It is a heavier lift and a higher standard, with a solution that potentially has a higher payoff.
The adaptive challenge for board directors emerges from the difficulty of providing oversight in the face of the three fundamental constraints of time, expertise and will. Some questions to help you identify the impact (if any) of these constraints include:
Like Brandon, organizations that focus on SEC compliance without commitment to the underlying intent may expose gaps in oversight at the board level, as well as incompetencies or a lack of deeper understanding of good cyber practices.
Board Leadership - Strategic Options
Conclusion - Text and contact/call to action
Residency approach that leverages board committees intentionally designed to build expertise for board directors through operational and experiential elements
The U.S. Securities and Exchange Commission (SEC) has adopted a new cyber rule for publicly traded companies. The new rule provides additional reasons for boards of directors to care about effective cyber risk oversight. The SEC rule has begun to formally shape the fundamental expectations and requirements of what effective board oversight of cyber risk looks like. The SEC disclosure rule comprises the following cyber risk dimensions: