
SEC Cyber Rule - Insights For Boards


Cyber Risk: What Does Effective Board Oversight Look Like?

In May of 2022, a board director (let’s call him John) of an organization requested that a cyber risk audit be included as part of the proposed technology audit that originated from the board’s special committee on technology. Little did he know what the findings would be or the value they would have for the organization. By the end of the year, the findings revealed that if the organization were hit by a data breach in which sensitive data was stolen, they wouldn’t know about it.

The CEO was shocked to learn this, especially since she had been told that the right security capabilities were in place. She quickly began the process of elevating the organization’s cyber security posture and, fortunately, established a cyber risk strategy going forward.

The board director and the special committee exercised good and effective cyber oversight in this case. What if you and your board could exercise similar effectiveness with the same success?

For public companies, the SEC is looking to encourage (i.e. mandate) this type of effective oversight through the new cyber rules, effective September 5th, 2023.


Imagine what would have happened if a data breach had occurred and there was no proactive detection in place. The organization would be knee deep in crisis management mode, dealing with business disruption, financial impact, headlines, PR, legal, customers and suppliers. To be sure, a data breach can still happen, but detection and response are more effective now than they would have been without the right cyber risk oversight and cyber capabilities.

The board’s special committee was effective in this case, but that’s not always the case. Think of the Uber example; other non-cyber fraud and risk failures have happened as well. Think of the Theranos board.

The SEC is trying to change the story for cyber risk within public companies, from an Uber to a John’s board. They’re continuing to change the story for themselves as well: they’re trying to be proactive in helping companies avoid cyber risk impacts, unlike the old SEC of the Harry Markopolos and Bernie Madoff Ponzi scheme era.

So what if your board could effect positive change and a positive outcome in cyber risk oversight?

Imagine having a special committee for a set duration to tackle the new SEC rule as well as give directors relevant applied experience in cyber risk oversight and some domain knowledge and expertise. Imagine having a board residency approach to help your organization with this effort.

========================================================

The U.S. Securities and Exchange Commission (SEC) has adopted a new cyber rule for publicly traded companies. The new rule provides additional reasons for boards to care about effective cyber risk oversight, and it has begun to formally shape the fundamental expectations and requirements of what effective board oversight of cyber risk looks like. The disclosure rule comprises the following cyber risk dimensions:

Cyber Risk Governance - Companies are now required to:

  1. Describe the board of directors’ oversight of cyber risk

  2. Describe the processes employed by the board to stay informed about cyber risks

  3. Describe management’s role in oversight of cyber risk

In the rule’s own words (Item 106(c) of Regulation S-K), registrants must describe “the board of directors’ oversight of risks from cybersecurity threats” and, if applicable, “identify any board committee or subcommittee responsible for the oversight of risks from cybersecurity threats and describe the processes by which the board or such committee is informed about such risks.”

Cyber Risk Management & Strategy - Companies are now required to:

  1. Describe processes for managing, assessing and identifying cyber risks

  2. Describe if/how cybersecurity processes have been integrated into overall risk management system or processes

  3. Describe whether assessors, consultants, auditors or other third-parties are engaged with any such processes. In other words, in-house vs outsourced cybersecurity capacity

  4. Describe processes for identifying material cyber risks from its third-party service provider(s)

As the SEC’s adopting release puts it, the enumerated elements that a registrant should address in its Item 106(b) disclosure, as applicable, are:

  • Whether and how the described cybersecurity processes in Item 106(b) have been integrated into the registrant’s overall risk management system or processes;

  • Whether the registrant engages assessors, consultants, auditors, or other third parties in connection with any such processes; and

  • Whether the registrant has processes to oversee and identify material risks from cybersecurity threats associated with its use of any third-party service provider.

The release adds: “We have also revised the rule text to clarify that the above elements compose a non-exclusive list of disclosures; registrants should additionally disclose whatever information is necessary, based on their facts and circumstances, for a reasonable investor to understand their cybersecurity processes.”


Material Cyber Incidents Disclosures

Incident Disclosure - Companies are now required to:

  1. Describe the material aspects of the nature, scope and timing of the incident

  2. Describe the material impact or reasonably likely material impact, including on financial condition and results of operations

  3. File the disclosure (Form 8-K, Item 1.05) within four business days of determining that the incident is material

  4. Delay provisions: disclosure may be delayed if the U.S. Attorney General determines that it would pose a substantial risk to national security or public safety, and a separate, shorter delay is available to companies subject to the FCC’s breach notification rule; a late Item 1.05 filing is covered by a limited safe harbor

In the adopting release, the SEC notes that commenters’ criticisms of Item 1.05 generally arose from two aspects of the proposal: (1) the scope of disclosure and (2) the timing of disclosure. Its response: “First, we are narrowing the amount of information required to be disclosed, to better balance investors’ needs and registrants’ cybersecurity posture. And second, we are providing for a delay for disclosures that would pose a substantial risk to national security or public safety, contingent on a written notification by the Attorney General, who may take into consideration other Federal or other law enforcement agencies’ findings.”

What does board oversight of cyber risk mean

Who on the board can provide this oversight effectively?

Principal Challenge

Strategic Options

Recommendation: Board Action and Timing

What Boards Can Do

  1. Who on the board can provide this oversight effectively?

  2. Define board’s oversight strategy and how they provide oversight of cyber risks in a deliberate and formal way

  3. Board oversight strategy options

  4. Execute the oversight strategy

Hawthorne Effect: Behavior changes when it is observed.

https://hbr.org/2017/03/when-clinicians-know-theyre-being-watched-patients-fare-better

Sample template of board oversight

board meetings / agenda

Committees and charters

Cyber Talent and Priorities

Current State: Depending on the size of your organization and the maturity of your cyber risk management capabilities, the SEC rule will require a different level of effort and preparedness.

Timing of Rule: The rule became effective September 5th, 2023. Annual disclosures under Item 106 apply to fiscal years ending on or after December 15, 2023, and Form 8-K incident disclosures under Item 1.05 begin December 18, 2023 (June 15, 2024 for smaller reporting companies). That leaves roughly six months from adoption to prepare.

Strategic Challenge: There are other elements of the rule, but we’re focusing on the governance element specifically as it relates to the board of directors. This is a strategic challenge that, if addressed properly, can drive solutions for all other related challenges for management and executive officers. Ultimately, this will provide increased transparency to investors and other stakeholders. So what is the challenge that boards have to overcome, and why is it a challenge?

  • Define the board’s oversight strategy and how it provides oversight of cyber risks in a deliberate and formal way

  • Execute on the strategy

  • Describe the oversight strategy annually to the SEC on Form 10-K

Why Do You Care: SEC fines, brand reputation, breach impact and business disruption, stakeholder interests including employees

Inside The Boardroom: Story - cyber risks from third party, cyber insurance, cyber PSA The

Suggestions for Oversight Strategy

Sample scorecard to assess your readiness.
