The SEC Cyber Rule: Strategic Implications For Boards

Discover effective strategies to address the adaptive challenges and implications of the SEC cyber rule for board directors

Board Guide

As a parent, do you strap your kids into their car seat primarily because you don’t want to get a ticket or because you care about them and want to keep them safe? The former focuses on compliance with the law and the latter on a commitment to caring. What does all of this have to do with the SEC cyber rule and its implications for board directors? Well, it illustrates two different perspectives for boards - compliance vs. commitment.

The primary objective of this article is to equip board directors with three central insights related to these two perspectives. Ultimately, our hope is that these insights will inform intentional actions that increase the effectiveness of cyber risk oversight.

The three central insights are:

  1. Compliance is crucially important, but it can produce a false sense of trust.

  2. Compliance without commitment (to the underlying intent) can have compounded second-order implications.

  3. Compliance and commitment together offer a better strategic approach than compliance alone.

1. Compliance (SEC Cyber Rules)

Compliance is crucially important. Regulatory compliance standards offer meaningful benefits for business stakeholders. They tell us that companies are operating in accordance with the rules, requirements and standards set forth by the authorities and regulating bodies. When organizations are in compliance with these standards, we tend to trust them more. And when they’re not, we don’t. The USDA certifies our chicken as organic, the FDIC regulates our banks, the FDA certifies our prescription drugs as safe, and cyber compliance regimes such as HIPAA inspire digital trust. Compliance therefore serves a crucial function: it helps those without domain or industry knowledge of a specific organization or entity trust the validity of its products and services.

Here’s the problem: compliance can create a false sense of trust, especially if a check-the-box mindset is the driving motivation for compliance. Compliance with the CDC covid guidelines created a false sense of trust for some of us. We thought we weren’t going to get covid-19 because we were in compliance with the rules. Well, as we now know, that’s not necessarily the case. We don’t have this false sense of trust in cases we’re knowledgeable about. For example, we know that driving at the speed limit doesn’t mean we can’t have an accident, especially on an icy road - think black ice! But in situations we are unfamiliar with or not knowledgeable about, compliance can incorrectly serve as a proxy for trust. This can be particularly difficult to uncover with cyber compliance in the boardroom, where board directors sometimes don’t have specific domain or industry knowledge.

Board directors are often among those who don’t have specific domain or industry knowledge, and this is no different in the case of cyber compliance, and specifically in the case of the SEC cyber rules. As a board director, if and when management or the CEO presents information saying the organization is compliant with cyber regulation, we tend to trust it, as we should. However, cyber compliance is not the same thing as security. Compliance regulation may lag behind technology innovation, and compliance can’t certify an ongoing commitment to doing the right thing.

As boards continue to provide oversight for cyber risks, this is an important insight to keep in mind. Organizations can be in compliance with cyber regulation standards and still be ill-prepared to respond effectively to data breaches. The bad guys have not packed up and gone home because our organizations are all compliant. In fact, the bad guys may attempt to use SEC compliance regulations to their advantage, as in the case of MeridianLink.

The bad actors wanted their victim to pay the ransom demanded, so they reported the cyber incident to the SEC. Yes, you read that correctly. The cyber criminals reported the victim to the SEC, claiming the victim was in violation of the SEC disclosure/notification rules. It’s easy to confuse cyber compliance with security, but they are not the same thing. Businesses are not immune to material cyber incidents because they’re fulfilling cyber compliance regulations and standards. As we stated earlier, compliance is crucially important, but boards need to remember that compliance is not necessarily the same thing as security or risk mitigation. It’s okay to trust, but verify.

Trust but verify. Equifax was presumably compliant with PCI given the large volume of sensitive data

Equifax breach and Target data breach. Compliance is not a substitute for cyber risk oversight. In addition to compliance, we also need commitment for effective cyber risk oversight, at both the management and the board levels. Why? Because compliance without commitment can have profound second-order implications.

Compliance Without Commitment

Compliance without commitment can have profound, compounded second-order implications.

There are several second-order implications associated with cyber compliance, especially with disclosure rules such as the new SEC cyber rules. When companies comply with disclosure rules, it has implications for corporate culture, board oversight, talent and business strategy. These are second-order effects that aren’t directly related to the compliance rules, yet they can have compounding negative impacts if commitment is missing.

Commitment in the context of cyber risk and cyber security means doing the “right” thing for relevant stakeholders when it comes to protecting their digital assets and mitigating cyber risks. This means having consistent, intentional and proactive measures for managing cyber risks. Commitment speaks to the underlying intent and motivation, the “why” behind the compliance effort, and not just the “what” that needs to be done for compliance or the “how.”

It is essentially a shift in mindset toward the “why,” and out of a single mindset flows a thousand different kinds of behaviors. Without this level of commitment, organizations may tend to treat compliance as a proxy for cyber security and underestimate the second-order implications. This is particularly true for board directors who may not be well versed in cyber matters. In this section, we focus on board cyber risk oversight (as opposed to culture, talent and strategy) as a second-order implication of compliance with the SEC disclosure rules.

A good example of compliance without commitment is the case of SolarWinds. In compliance with the old SEC guidelines, the company filed a Form 8-K with the SEC that disclosed a data breach of its systems. However, the filing was incomplete, as it didn’t disclose that some of its customers had suffered downstream data breaches as a result of its own compromised systems. But even if it was,

The SEC filed a complaint against SolarWinds and its CISO.

The first-order implication is that you have to file a disclosure to be in compliance; you can’t simply decide to stay silent toward the SEC and the public. Under the new rules, organizations now have a clock ticking: a 4-day timer starts once materiality is established.

The first-order implication also implies that the organization is actively working to contain, mitigate, remediate and recover from the data breach in a timely fashion, and that it cares about its stakeholders. There’s an implied trust that accompanies compliance with the SEC disclosure rules. Or at least there should be. But without underlying commitment, that trust may prove to be false. Trust may be violated. Trust, but verify.

The second-order implication is that the board is aware of the actions of the organization and is providing effective oversight of cyber risks, not just of compliance. In other words, the board is operating with a commitment mindset and not just a compliance mindset. If this turns out not to be the case, the negative effects of compliance with the disclosure rules become compounded and amplified. Example: investors filed a lawsuit against directors, as reported by Reuters.

We are not here to debate the actions of SolarWinds, but simply to use this example to highlight the need for compliance with commitment. The question would still be asked: what did the board know, when did they know it, and what did they do about it? A broader strategic question would ultimately be asked of the board: what did they do to intentionally and proactively provide cyber risk oversight? The disclosure and the contrary public statements of the CISO also raise the question of what the corporate culture was. Even if the Form 8-K was completely truthful and accurate, the oversight question would still be posed.

SolarWinds was in compliance with SEC filing requirements and did file a Form 8-K on December 14, 2020 that disclosed a cyber breach. The Form 8-K was signed by the CEO, but it was incomplete. The company was not committed to the intent and spirit of the filing: investor trust in the organization and its cyber security practices. The SEC filed a complaint against the organization as well as the CISO, alleging that the company misled investors about its cyber risks and cyber security practices. An important element of the allegations was the Form 8-K that was filed. All of this happened before the new SEC rule took effect in December 2023.

From a board perspective, an SEC filing may signal good compliance with the requirements, but without an intentional commitment to exercise good cyber oversight, it’s near impossible to proactively unearth these types of management failures and leadership gaps. It’s a challenging problem, as board directors should typically have their noses in but their fingers out of the organization’s operational management activities.

Transitioning to compliance with commitment offers a better strategic approach.

Compliance and Commitment (It’s Both)

Compliance and commitment together offer a better strategic approach than compliance alone.

The question then becomes: how does the board begin to cultivate cyber commitment in the boardroom instead of just focusing on the SEC compliance regulations and cyber rules? Indeed, the SEC cyber rules may be viewed as a gift that presents an opportunity for the board to intentionally elevate its commitment to cyber security. There are three structural and foundational practices for boards to consider when thinking about their cyber commitment:

Align Cyber Mindset: Mindset influences behaviors, and cyber commitment is reflected in the behaviors individual board directors engage in and in those demonstrated by the board as a whole. We heard one author put it this way: “out of a single mindset flows a thousand different behaviors.” Having a cyber mindset in the boardroom will influence the cyber commitment. This is not an easy task; trying to get everyone on the same page may prove to be Herculean. However, if alignment isn’t achieved, roadblocks tend to show up in board discussions when cyber-related actions and decisions must be made. But if most or all directors are aligned with the commitment mindset, then effectiveness increases.

It’s like any other important initiative: if everyone aligns on the commitment mindset to go green, for example, then board discussions are more productive and progress is made. The same is true for cyber. It’s important to note that the board chair, lead independent director and/or other board leadership members play a vital role in aligning mindsets and must themselves model the cyber commitment mindset. The following three elements capture the mindset shifts that the board chair should inspire and model:

  • Compliance is not necessarily the same thing as cyber security or the brand’s digital trust.

  • Cyber is a strategic asset for the business: a profit lever, not just a cost center.

  • Cyber risk is business risk. It’s not an IT thing but an enterprise-wide item. Risk should be evaluated across the entire value chain, including the supply chain.

Identify and Assess Current Board Commitment: We have yet to find a board director who will say they’re not committed to cyber security. Most will say they are committed to it and that it is important. Some may say they don’t have expertise and don’t feel confident that management can respond effectively. But few, if any, will say they’re not committed.

Yet board actions tell a different story. Most boards get cyber updates only once a year and spend about 20 minutes (based on our own experience) on cyber at board meetings. Few directors engage with their cyber chiefs to develop a relationship with them. Most boards prioritize other topics above cyber on board agendas. These actions don’t reflect commitment. But it’s difficult to see this when you’re in it; it’s easier to be objective about another board’s cyber commitment than about your own.

This is why it’s important to identify and assess current board commitment. An independent assessment is ideal, but even a cyber commitment self-assessment by board directors is more effective than none. We offer the following essential components for conducting a board cyber commitment assessment:

  • Cyber Time - time given to cyber in the boardroom, on the board meeting agenda and in board structure (committees, processes, board retreats, board orientation and onboarding).

  • Cyber Expertise - continuous learning, experience and expertise in digital and cyber; skills and wills.

  • Customer Trust - brand reputation and digital trust with customers and other relevant stakeholders.

  • Board Culture - hearing bad news and psychological safety.

  • Cyber Relationships - building trusted internal and external relationships with cyber professionals.

Commitment levels for each of the above components should be calibrated in accordance with current and future business needs. In other words, the more critical digital is to your business, the greater the commitment that should be considered.

Define and Implement Required Changes: An assessment may find that you are at the right level of commitment for the business. But if gaps are identified, then it may be beneficial to generate potential solution options and implement them. Below, we provide some solution options to consider for the more common findings of a board cyber commitment assessment:

Board Leadership - Strategic Options

Compliance without commitment to intent can have unintended or unexpected consequences. (Illustration from the movie Greater)

In the movie Greater, Brandon Burlsworth gained about 85 pounds in one year to be in compliance with his coach’s weight requirement so he could get on the football team at the University of Arkansas. The coach had told him he wasn’t big enough and needed to be 300 pounds to play on the offensive line.

And although Brandon was in compliance with the requirement, he was unclear about the intent behind it and had gained mostly fat instead of muscle. That was not the coach’s intent. Compliance resulted in unexpected and unintended consequences when he showed up at the weigh-in and was laughed at when he took his shirt off. His compliance actually exposed his lack of deeper understanding of the requirement.

Like Brandon, organizations that focus on SEC compliance without commitment to the underlying intent may expose gaps in oversight at the board level, as well as incompetence or a lack of deeper understanding of good cyber practices.

A residency approach leverages board committees intentionally designed to build expertise for board directors through operational and experiential elements.

The U.S. Securities and Exchange Commission (SEC) has adopted a new cyber rule for publicly traded companies. The new rule provides additional reasons for boards of directors to care about effective cyber risk oversight. The SEC rule has begun to formally shape the fundamental expectations and requirements of what effective board oversight of cyber risk looks like. The SEC disclosure rule comprises the following cyber risk dimensions: