Compliance - SEC Cyber Rules: Forward Thinking Perspective For The Board
Discover actionable strategies for enhancing stakeholder trust and for providing effective cyber risk oversight of the SEC Cyber rules.
As a parent, do you strap your kids into their car seat primarily because you don’t want to get a ticket, or because you want to (not have to) keep them safe? The former focuses on compliance with the law, the latter on commitment to caring. What does this have to do with compliance with the SEC cyber rules and its implications for board directors? It illustrates two different perspectives that boards may choose to adopt in exercising cyber risk oversight: compliance and commitment.
This article is the first in a series of three designed to equip board directors with three distinct, meaningful and actionable insights:
Compliance is crucially important but it can produce a false sense of trust.
Compliance without commitment (to the underlying intent) can have compounded second-order implications.
Compliance and commitment together offer a better strategic approach than compliance alone.
In this article, we focus on the first. The primary objective is to help directors avoid the common pitfall of focusing on compliance (in this case, the SEC cyber rules) while inadvertently neglecting the required commitment to the underlying intent and to stakeholder trust. Ultimately, our hope is that these insights will inform intentional actions that increase the effectiveness of cyber risk oversight.
1. Compliance (SEC Cyber Rules)
Compliance is crucially important. Regulatory compliance standards offer meaningful benefits for business stakeholders. They tell us that companies are operating in accordance with the rules, requirements and standards set forth by the authorities and regulating bodies. When organizations are in compliance with these standards, we tend to trust them more, and when they’re not, we don’t. The USDA certifies our chicken as organic, the FDIC regulates our banks, the FDA certifies our prescription drugs as safe, and cyber compliance regimes like HIPAA inspire digital trust. Compliance therefore serves a crucial function: it helps those without domain or industry knowledge of a specific organization or entity trust the validity of its products and services.
Here’s the problem: compliance can create a false sense of trust, especially if a check-the-box mindset is the driving motivation for compliance. Compliance with the CDC COVID-19 guidelines created a false sense of trust for some of us. We thought we were not going to get COVID-19 because we were in compliance with the rules. As we now know, that’s not necessarily the case. We don’t have this false sense of trust in areas we’re knowledgeable about. For example, we know that driving the speed limit doesn’t mean we can’t have an accident, especially on an icy road (think black ice!). But in situations we are unfamiliar with or not knowledgeable about, compliance can incorrectly serve as a proxy for trust. This can be particularly difficult to uncover with cyber compliance in the boardroom, where directors sometimes lack specific domain or industry knowledge.
Board directors are often among those without specific domain or industry knowledge, and this is no different for cyber compliance, and specifically the SEC cyber rules. As a board director, if and when management or the CEO presents information stating that the organization is compliant with cyber regulation, we tend to trust it, as we should. However, cyber compliance is not the same thing as security. Compliance regulation may lag behind technology innovation, and compliance can’t certify an ongoing commitment to doing the right thing.
As boards continue to provide oversight for cyber risks, this is an important insight to keep in mind. Organizations can be in compliance with cyber regulation standards and still be ill-prepared to respond effectively to data breaches. The bad guys have not packed up and gone home because our organizations are all compliant. In fact, the bad guys may attempt to use SEC compliance regulations to their advantage, as in the case of MeridianLink.
The bad actors wanted their victim to pay the ransom demanded, so they reported the cyber incident to the SEC. Yes, you read that correctly. The cyber criminals reported the victim to the SEC, asserting that it was in violation of the SEC disclosure/notification rules. It’s easy to confuse cyber compliance with security, but they are not the same thing. Businesses are not immune to material cyber incidents because they’re fulfilling cyber compliance regulations and standards. As we stated earlier, compliance is crucially important, but boards need to remember that compliance is not necessarily the same thing as security or risk mitigation. It’s okay to trust, but verify.
Trust but verify. Equifax was presumably compliant with PCI given the large volume of sensitive data
Consider the Equifax breach and the Target data breach. Compliance is not a substitute for cyber risk oversight. In addition to compliance, we also need commitment for effective cyber risk oversight, at both the management and the board levels. Why? Because compliance without commitment can have profound second-order implications.
Effective Cyber Risk Oversight
Board directors often ask us: “What should we be doing or thinking about to provide effective oversight in the area of cyber? What questions should we be asking, and what responses should we be concerned about or probe more deeply into?” While we can’t provide specific questions and expected responses for every organization, we can offer some guiding questions. Below are three principal questions that boards should ask themselves and management:
What are the top 3 business impacts of material cyber incidents for the organization? Facilitate an engaging discussion about this, not just for the current business but also for the future business. It’s not enough to say that the business impact will be quantifiable financial losses (although that’s included); it should also cover second- and third-order consequences and implications. The idea here is to connect the dots for both the short and the long term.
Are we making the right investments in cyber (time, treasure, talent, culture, leadership bench, etc.)?
How can cyber security become a strategic asset for the organization, now or in the future?
The SEC cyber rules can serve as a catalyst for change in the boardroom. They can help directors adopt a more forward-thinking perspective on cyber risk oversight and may offer hidden advantages for organizations whose boards adopt this mindset. The questions above go beyond compliance to a commitment mindset. The board has to cultivate this mindset intentionally and proactively to increase its effectiveness. Directors, and especially the chair or lead independent director, can’t let accidental or reactive events toss them back and forth between compliance rules and data breaches.