The SEC Cyber Rule: Strategic Implications For Boards
Discover effective strategies to address the adaptive challenges and implications of the SEC cyber rule for board directors
As a first-time dad of a baby girl, installing my first car seat was intimidating and a bit scary. I wanted to make sure I did it the right way and that she would be safe. Several YouTube videos and multiple Sunday afternoons later, I felt comfortable that the car seat was safe and secure. I imagine most first-time parents have a similar experience. Why do we go through the time and the effort to get it right?
As a parent, do you strap your kids into their car seat primarily because you don’t want to get a ticket, or because you care about them and want to keep them safe? The former focuses on compliance; the latter, on commitment to caring. What does all of this have to do with the SEC cyber rule and its implications for board directors? Well, it serves as a foundation to illustrate the following central insights, which help boards gain a deeper understanding of what the SEC cyber rule really means and what effective cyber risk oversight looks like.
Three central insights are:
Compliance is crucially important but it can produce a false sense of trust (Theranos illustration)
Compliance without commitment (to underlying intent) can have unintended or unexpected consequences. (Greater story illustration)
Compliance and commitment together offer a better strategic approach than compliance alone. (Greater story)
Driving the speed limit doesn’t mean you can’t have an accident, especially on an icy road; think black ice! We know better than to assume otherwise because driving is within our domain of experience. But when something is not within our domain of expertise or experience, we tend to rely only on compliance standards. Example: greenwashing. Theranos receiving FDA approval must mean the company’s product is trustworthy and good. This is especially true for board members. Trust, or intended outcome, in the case of the Greater illustration story.
Transition to compliance and commitment
Compliance and Commitment
Compliance is crucially important but it can produce a false sense of trust (Theranos illustration)
As mentioned earlier, compliance without commitment can have unintended or unexpected consequences.
Regulatory compliance standards offer meaningful benefits for business stakeholders. They tell us that companies are operating in accordance with the rules, requirements and standards set forth by the authorities and regulating bodies. When organizations are in compliance with these standards, we tend to trust them more. And when they’re not, we don’t. The USDA certifies our chicken as organic, the FDIC regulates our banks, the FDA certifies our prescription drugs as safe, and cyber compliance regimes like HIPAA inspire digital trust. Therefore, compliance serves a crucial function: it helps those without domain or industry knowledge of a specific organization or entity trust the validity of its products and services.
Here’s the problem: without commitment to the underlying intent, compliance can create a false sense of trust, especially if a check-the-box mindset is the driving motivation for compliance. This can be particularly difficult to uncover with cyber compliance in the boardroom, where board directors sometimes don’t have specific domain or industry knowledge.
Board directors are sometimes those who don’t have specific domain or industry knowledge, and this is no different in the case of cyber compliance, and specifically in the case of the SEC cyber rules. As a board director, if and when management or the CEO presents information saying the organization is compliant with cyber regulation, we tend to trust it, as we should. However, cyber compliance is not the same thing as security. Compliance regulation may lag behind technology innovation, and compliance can’t certify an ongoing commitment to doing the right thing.
As boards continue to provide oversight for cyber risks, this is an important insight to keep in mind. Organizations can be in compliance with cyber regulation standards and still suffer avoidable data breaches. And not because they falsified compliance, but because they’re not keeping up with the operational practices that help mitigate risks after going through a compliance effort.
It’s easy to confuse cyber compliance with security. But they are not the same thing.
black ice / speed limit compliance
Trust but verify
Security professionals know this
From a governance and oversight perspective, examples of false compliance do exist: Theranos, Volkswagen’s dieselgate, and questionable or fraudulent practices like Uber’s. That’s not what we’re referring to here.
Equifax breach and Target data breach. Compliance is not a substitute for cyber risk oversight. We shouldn’t assume that because we’re always compliant, the bad guys have packed up and gone home. In addition to compliance, we also need commitment for effective cyber risk oversight at both the management and the board levels. Why? Because compliance without commitment can have profound second-order implications.
culture of breach disclosures
Compliance is not the same thing as commitment. For example, Theranos was apparently in compliance with FDA regulations when it received FDA approval for its herpes simplex test, as reported by Business Insider amongst other media outlets. Theranos said in the report that this was just the beginning and that they were committed to getting FDA approval for all their tests.
https://www.washingtonpost.com/news/wonk/wp/2015/07/02/fda-approves-theranos-9-finger-stick-bloodtest-for-herpes/
As a board director, if you were presented with the approval notice here, https://www.accessdata.fda.gov/cdrh_docs/reviews/k143236.pdf, you would have no reason to suspect non-compliance. Theranos was in compliance with the FDA rules, at least for this one test. But hindsight is 20/20, and sometimes compliance is not enough.
Enron is another classic example of an organization that sought compliance without true commitment. Its auditors gave it a clean bill of health before it went down.
Their vision and mission statement reads as follows:
Both compliance and commitment are needed for effective cyber oversight. So, what’s wrong with compliance? Nothing, really. Compliance presents a technical challenge with a linear solution, but it can have unintended consequences if there’s no underlying commitment or the motivation is misaligned. Commitment speaks to motivation. Corporate example: Wells Fargo.
The SEC cyber rule has significant implications for board directors and presents both a technical and an adaptive challenge. The technical challenge focuses on compliance with the new rule, but the adaptive challenge is really a matter of commitment to effective cyber risk oversight and governance by the board.
Transition to adaptive challenge ——.
Board Leadership - Strategic Options
Compliance without commitment to intent can have unintended or unexpected consequences. (Greater story illustration)
Compliance without commitment can have profound second-order implications. (SolarWinds story illustration)
There are several second-order implications associated with cyber compliance, especially disclosure compliance rules such as the new SEC cyber rules. When companies comply with disclosure rules, there are implications for corporate culture, board oversight, talent and business strategy. These are second-order effects that aren’t directly related to the compliance rules, yet they can have compounding negative impacts if commitment is missing.
Commitment, in the context of cyber risk and cybersecurity, means doing the “right” thing for relevant stakeholders when it comes to protecting their digital assets and mitigating cyber risks. This means having consistent, intentional and proactive measures for managing cyber risks. Commitment speaks to the underlying intent and motivation: the why behind the compliance effort, and not just the what that needs to be done for compliance, or the how.
It is essentially a shift in mindset to the why, and out of a single mindset flows a thousand different kinds of behaviors. Without this level of commitment, organizations may tend to focus on compliance as a proxy for cybersecurity and underestimate the second-order implications. This is particularly true for board directors who may not be well versed in cyber matters. In this section, we focus on board cyber risk oversight (as opposed to culture, talent and strategy) as a second-order implication of compliance with the SEC disclosure rules.
A good example of compliance without commitment is the case of SolarWinds. In compliance with the old SEC guidelines, the company filed a Form 8-K with the SEC that disclosed a data breach of its systems. However, the filing was incomplete, as it didn’t disclose that some of its customers had suffered downstream data breaches as a result of its own compromised systems. But even if it was,
The SEC filed a complaint against SolarWinds and its CISO.
The first-order implication is that you have to file a disclosure to be in compliance; you can’t just decide to stay silent toward the SEC and the public. Under the new rules, organizations now have a clock ticking: a 4-day timer is activated once materiality is established.
First order also implies that the organization is actively working to contain, mitigate, remediate and recover from the data breach in a timely fashion, and that it cares about its stakeholders. There’s an implied trust that accompanies compliance with the SEC disclosure rules. Or at least there should be. But without underlying commitment, that trust may prove to be false. Trust may be violated. Trust but verify.
The second-order implication is that the board is aware of the organization’s actions and is providing effective oversight of cyber risks, and not just compliance. In other words, the board is operating with a commitment mindset and not just a compliance mindset. If this turns out not to be the case, the negative effects of compliance with the disclosure rules become compounded and amplified. Example: investors filed a lawsuit against the directors, as reported by Reuters.
We’re not here to debate the actions of SolarWinds, but simply to use this example to highlight the need for compliance with commitment. The question would still be asked: what did the board know, when did they know it, and what did they do about it? A broader strategic question would ultimately be asked of the board: what did it do to intentionally and proactively provide cyber risk oversight? The disclosure and the contrary public statements of the CISO also beg the question of what the corporate culture was. Even if the Form 8-K was completely truthful and accurate, the oversight question would still be posed.
Transition to compliance with commitment offers a better strategic approach.
emerge when organizations comply with disclosure rules, and they can have a compounding negative effect.
Here’s a simple example that illustrates the point. Imagine a board director who consistently sleeps through parts of board meetings. Yes, this has happened and does happen more often than we think. In theory, attendance at board meetings puts them in compliance with board meeting policies and rules. However, this compliance lacks the commitment to the intent behind the rules.
But what are the profound implications or unexpected consequences of this action? Second-order implications? Well, the director’s po contributions
And although Brandon was in compliance with the requirement, he was unclear about the intent behind it and had gained mostly fat instead of muscle. That was not the coach’s intent. Compliance resulted in unexpected or unintended consequences. When he showed up at the weigh-in, he was laughed at when he took his shirt off. His compliance actually exposed his lack of deeper understanding of the requirement. He unintentionally created additional negative exposure for himself, to ridicule from his teammates and coach, by gaining fat instead of muscle.
Like Brandon, organizations and boards that focus on SEC cyber rule compliance without commitment to the underlying intent (investor trust in cybersecurity) may unintentionally create additional negative exposure for themselves. Case in point: SolarWinds Corporation.
SolarWinds was in compliance with SEC filing requirements and actually filed a Form 8-K on December 14, 2020 that disclosed a cyber breach. The Form 8-K was signed by the CEO, though it was incomplete. The company was not committed to the intent and spirit of the filing: investor trust in the organization and its cybersecurity practices. The SEC filed a complaint against the organization as well as its CISO, alleging that the company misled investors about its cyber risks and cybersecurity practices. An important element of the allegations was the Form 8-K that was filed. This was before the SEC rule went active in December 2023.
From a board perspective, an SEC filing may signal good compliance with the requirements, but without an intentional commitment to exercise good cyber oversight, it’s near impossible to proactively unearth these types of management failures and leadership gaps. It’s a challenging problem, as board directors should typically have their noses in but their fingers out of the organization’s operational management activities.
Find different replacement story example for Greater.
Solving one problem, creates another one.
adequate domain expertise and
may expose gaps in the deeper understanding of the requirements. Compliance with the SEC disclosure requirements and rules may actually also reflect poor oversight at the board level if board commitment isn’t strong enough.
Elaborate on SEC compliance and board role with example disclosures
Compliance and Commitment (It’s Both)
Compliance and commitment together offer a better strategic approach than compliance alone. (Greater story)
The question then becomes: how does the board begin to cultivate cyber commitment in the boardroom instead of focusing only on the SEC compliance regulations and cyber rules? Indeed, the SEC cyber rules may be viewed as a gift that presents an opportunity for the board to intentionally elevate its commitment to cybersecurity. There are three structural and foundational practices for boards to consider when thinking about their cyber commitment:
Align Cyber Mindset: Mindset influences behavior, and cyber commitment is reflected in the behaviors board directors engage in and the board demonstrates. We heard one author put it this way: “out of a single mindset flows a thousand different behaviors.” Having a cyber mindset in the boardroom will influence cyber commitment. This is not an easy task; getting everyone on the same page may prove to be Herculean. However, if this isn’t fully achieved, roadblocks tend to show up in board discussions when cyber-related actions and decisions must be made. But if most or all directors are aligned with the commitment mindset, effectiveness increases.
It’s like any other important initiative: if everyone aligns on the commitment mindset to go green, for example, board discussions are more productive and progress is made. The same is true for cyber. It’s important to note that the board chair, lead independent director and other board leadership members play a vital role in aligning mindsets and must themselves model the cyber commitment mindset. The following three elements capture the mindset shifts that the board chair should inspire and model:
Compliance is not necessarily the same thing as cyber security or the brand’s digital trust.
Cyber is a strategic asset for the business: a profit lever, not just a cost center.
Cyber risk is business risk. It’s not an IT thing but an enterprise-wide item. Risk should be evaluated across the entire value chain, including the supply chain.
Identify and Assess Current Board Commitment: We have yet to find a board director who will say they’re not committed to cybersecurity. Most will say they are committed to it and that it is important. Some may say they don’t have expertise and don’t feel confident that management can respond effectively. But few, if any, will say they’re not committed.
Yet board actions tell a different story. Most boards get cyber updates only once a year and spend about 20 minutes (based on our own experience) on cyber at board meetings. Few directors engage with their cyber chiefs to develop a relationship with them. Most boards prioritize other topics above cyber on board agendas. These actions don’t reflect commitment. But it’s difficult to see this when you’re in it. It’s easier to be objective about another board’s cyber commitment than it is about your own board’s.
This is why it’s important to identify and assess current board commitment. An independent assessment is ideal but even a cyber commitment self-assessment by board directors can be more effective than none. We offer the following essential components for conducting a board cyber commitment assessment:
Cyber Time - time in the boardroom, on the board meeting agenda, in board structure (committees), processes, board retreats, board orientation and onboarding.
Cyber Expertise - continuous learning, experience and expertise in digital and cyber, skills and wills.
Customer Trust - brand reputation and digital trust with customers and other relevant stakeholders
Board Culture - hearing bad news and psychological safety
Cyber Relationships - building trusted internal and external relationships with cyber professionals.
Commitment levels for each of the above components should be calibrated in accordance with current and future business needs. In other words, the more critical digital is to your business, the greater the commitment that should be considered.
Define and Implement Required Changes: An assessment may find that you are at the right level of commitment for the business. But if gaps are identified, then it may be beneficial to generate potential solution options and implement them. Below, we provide some solution options to consider for the more common findings of a board cyber commitment assessment:
Board Leadership - Strategic Options
Compliance without commitment to intent can have unintended or unexpected consequences. (Greater story illustration)
In the movie Greater, Brandon Burlsworth gained about 85 pounds in one year to comply with his coach’s weight requirement so he could get on the football team at the University of Arkansas. The coach had told him he wasn’t big enough and needed to be 300 pounds to play on the offensive line.
And although Brandon was in compliance with the requirement, he was unclear about the intent behind it and had gained mostly fat instead of muscle. That was not the coach’s intent. Compliance resulted in unexpected or unintended consequences when he showed up at the weigh-in and was laughed at when he took his shirt off. His compliance actually exposed his lack of deeper understanding of the requirement.
Like Brandon, organizations that focus on SEC compliance without commitment to the underlying intent may expose gaps in oversight at the board level, as well as incompetencies or a lack of deeper understanding of good cyber practices.
Board Leadership - Strategic Options
Conclusion - Text and contact/call to action
A residency approach that leverages board committees intentionally designed to build expertise for board directors through operational and experiential elements.
The U.S. Securities and Exchange Commission (SEC) has adopted a new cyber rule for publicly traded companies. The new rule gives boards of directors additional reasons to care about effective cyber risk oversight. The SEC rule has begun to formally shape the fundamental expectations and requirements of what effective board oversight of cyber risk looks like. The SEC disclosure rule comprises the following cyber risk dimensions: