Why are companies concerned about cybersecurity? Some of the main drivers are data protection, compliance, risk management and ensuring business continuity. None of these are minor issues. Then why do board members frequently keep their distance when it comes to cyber concerns?
A report released last year showed that just 5% of CISOs reported directly to the CEO, down from 8% in 2022 and 11% in 2021. But even if board members don’t want to get too close to cyber, it will reach them anyway, at least if a proposed SEC rule is adopted. What should security leaders do?
Cyber knowledge gap
A recent CyberEdBoard report said, “Board members are just not equipped to understand technology. The other side of the problem is that CISOs tend to talk in technical terms and it goes right over the board’s head. We have to figure out ways for CISOs to communicate effectively to the board.”
That might be a generalization as tech savviness increasingly makes its way into the upper ranks of business. However, when only a fraction of CISOs report to CEOs, it raises questions about how companies prioritize security issues.
Meanwhile, the federal government is increasingly concerned about the impact of cyberattacks, for example, on critical infrastructure and government agencies. And the feds are taking action to enforce compliance.
SEC enforcement moves forward
In 2022, the SEC nearly doubled the size of the Enforcement Division’s Cyber and Crypto Assets Unit. Since then, the unit has initiated enforcement proceedings against SEC-regulated entities due to insufficient cybersecurity controls and inadequate disclosure concerning cyber risks and incidents.
Over the past two years, SEC enforcement has resulted in charges, fines and settlements. Some of the biggest financial entities in the world have had to pay penalties ranging from $425,000 up to $35 million.
Are public company regulations next?
Now, the SEC’s proposed cybersecurity disclosure rule would specifically require all public companies to report material cybersecurity incidents on Form 8-K, within four business days of determining that an incident is material. The proposal would also mandate periodic disclosures regarding a registrant’s policies and procedures to identify and manage cybersecurity risks, management’s role in implementing those policies and procedures, and the board of directors’ cybersecurity expertise, if any.
The board should get on board with cyber
Although some board members might still be reluctant to address security issues head-on, education is the key. Present some easy-to-grasp figures, such as the global average cost of a data breach reaching $4.45 million, or the SEC penalties of up to $35 million mentioned above.
Security leaders should also compile data about the real-world risk — and damage — that cyber presents to their company. How many attacks did you detect last year? How many breaches? What were the estimated costs? What measures are needed to minimize further incidents and what would be the investment needed?
These are simple concepts that any business-minded person can get their head around. Armed with this type of information, board members could converse intelligently with any regulatory agency.
It would be unreasonable to ask board members to become cyber experts, but they can be guided to understand the associated business risks and benefits. Additionally, cyber executives should have a seat in the C-suite — or at least direct access to the CEO.
Give the board terms they understand
According to Marco Túlio Moraes, CISO and expert board advisor at CyberEdBoard, security officers need to learn to speak in financial terms.
For example, can you explain the total loss exposure of your cyber risk portfolio in quantitative financial terms? Putting a number on it helps everyone grasp the size of the issue and drive the strategy. Healthcare, for instance, is cited as having a risk portfolio with an average loss exposure of $5.5 million, given an annual likelihood of 9% and an average loss of $40 million. Is that a figure your board can accept?
Once these numbers are clearly outlined, risk appetite and tolerance can be defined given constraints such as budget, staff, time and other resource limitations. From there, an informed discussion about strategic cybersecurity can happen, including investments, responsibilities and expected results.