{"id":6823,"date":"2023-07-27T02:10:17","date_gmt":"2023-07-27T02:10:17","guid":{"rendered":"https:\/\/mysourcefunding.com\/leadership\/the-sec-let-the-boardroom-off-the-hook-on-cybersecurity-turns-up-heat-on-cisos-and-ceos\/"},"modified":"2023-07-27T02:10:18","modified_gmt":"2023-07-27T02:10:18","slug":"the-sec-let-the-boardroom-off-the-hook-on-cybersecurity-turns-up-heat-on-cisos-and-ceos","status":"publish","type":"post","link":"https:\/\/mysourcefunding.com\/?p=6823","title":{"rendered":"The SEC Let The Boardroom Off The Hook On Cybersecurity, Turns Up Heat On CISOs And CEOs"},"content":{"rendered":"<div>\n<p>The SEC just released long awaited final rules on their cybersecurity risk management, strategy and governance proposals. While transformational in some respects, the SEC basically let the boardroom largely slip off the hook for cybersecurity governance accountability&#8230;for now.<\/p>\n<p>The SEC had proposed a rule that boards should disclose if they have a director with cyber expertise, by name and with regard to the nature of that expertise. This proposal would not have been a requirement to add director cyber expertise to the boardroom, only to bring transparency to the abilities of corporate directors to govern this complex area. Indirectly, this would have had the effect of taking this leading practice and making it an important regulator-advocated boardroom policy, i.e., adding directors to the boardroom with this skillset.<\/p>\n<p>However, CISOs did not get the regulatory support for an experienced advocate and teammate in the boardroom, and they\u2019ll be forced to continue to largely go it alone \u2014 meaning the CISO\u2019s job difficulty and accountability just went up. CISOs should continue to advocate for board reform in this area, and choose their jobs wisely. A boardroom without directors who have cyber expertise should be a warning sign for a CISO. 
Notably, however, many boards are already adding and disclosing cyber experience and expertise on their boards and not waiting on regulators to define leading practices \u2014 as regulators are notorious lagging indicators.<\/p>\n<p>The SEC also turned up the heat on management teams and their understanding of how complex digital business systems create value by adding an incident disclosure requirement now triggered by incident impact and its <em>materiality<\/em>. Previous disclosure guidance was based upon incident discovery as the trigger date. This disclosure was narrowed in scope in two ways: by focusing disclosure on impact rather than the nature of the incident, to avoid providing valuable information to attackers, and by adding a disclosure delay if a delay is in the interest of national security or public safety.<\/p>\n<p>This final provision now imparts significantly greater responsibility and accountability on management teams to understand the linkages between cybersecurity, their information systems and value in the eyes of a <em>reasonable investor<\/em>. Notably, the proposal for status updates on remediation or whether data were compromised was not adopted. Data is now a component consideration in the overall materiality analysis. Remaining in the final rules is the disclosure of cybersecurity incidents for third-party systems that companies use, putting a very challenging systemic risk disclosure consideration and requirement in place for the first time. Systemic cyber risk is a new dimension in enterprise risk very prevalent in complex digital business systems, and third-party risk is just one aspect of this issue.<\/p>\n<p>A lengthy discussion of the definition of a cybersecurity incident also occurred on the SEC Open Meeting webinar between several of the SEC Commissioners. 
Defined as an <em>unauthorized<\/em> occurrence, this would mean that risks which exist and are realized inherently from within the system would not need to be disclosed. A failure of a critical part of a complex digital business system not caused by an attacker would presumably not meet this definition and not need to be disclosed. If a large SaaS vendor had an outage, for example, which impaired their revenue and impacted hundreds of thousands of users, creating significant liabilities, this would not meet this definition. This is likely a shortcoming in the understanding of the true nature of cyber risks by regulators and the nature of complex digital systems.<\/p>\n<p>Additionally, disclosure rules were passed that will increase transparency and accountability of management\u2019s processes for assessing, identifying, and managing material risks by requiring a description of them. The final rules retain a disclosure requirement around the use of third-party experts in cybersecurity to drive more transparency to in-house versus outsourced capabilities as a useful piece of information for investors.<\/p>\n<p>Now that there are some rules in place from the SEC, the role of investors in cybersecurity governance reform will also begin to take on new meaning. As investors increasingly interact with boards on these issues, will they begin to exert more influence and drive reform of who on the board they will be interacting with? Will they be advocates for further digital innovation and cybersecurity governance reform, and will they bring cyber expertise to the table? Will boards recognize that they need to counter this expertise with boardroom cyber expertise of their own?<\/p>\n<p>The SEC did not leave the boardroom entirely out of the final rules, although notably they did remove their proposed requirement for disclosure of how the board integrates cybersecurity into its business strategy, risk management and financial oversight. 
It did leave in risk communications, in how the board is informed of cyber risks, and disclosure of committee responsibility for cybersecurity, along with a general requirement around the board\u2019s oversight of risks from cybersecurity threats. While this should generally mature the boardroom\u2019s system of cybersecurity governance, as a system, it leaves some glaring holes which will impair the effectiveness of the overall system. However, leading boards are already moving well beyond these regulations.<\/p>\n<p>Overall, the SEC Final Rules were soft on boardroom accountability, but hardened the requirement for management to understand the impacts of the digital business system on investor interests and their materiality. In the words of DDN Advisory Board Member Fay Feeney, \u201cWhat they\u2019ve done is put a foundation in place, where there was none before.\u201d What\u2019s built upon that foundation remains largely up to the self-regulatory initiatives of individual corporate boards.<\/p>\n<p>While the SEC did not really step up to the boardroom leadership moment on cybersecurity governance at the same level that leading boardroom practices already are, it should be noted that the cyber expertise part of cybersecurity and board reform is not likely over. Several SEC Commissioners implied as much on the call and in particular gave a shout out to the leadership of Sen. Jack Reed in championing board reform on this subject. Sen. Reed is the sponsor of S. 808 Cybersecurity Disclosure Act of 2021 which would force the SEC to issue final rules on the issue of boardroom cyber expertise. 
This Act, or a carbon copy of it, has been proposed both in the House and Senate over at least the last three sessions of Congress.<\/p>\n<p>If lawmakers aren&#8217;t giving up on director cyber expertise, leading boards should continue to set these standards and view the SEC\u2019s Final Rules as the first steps on an important journey.<\/p>\n<\/div>\n<p>Read the full article <a href=\"https:\/\/www.forbes.com\/sites\/bobzukis\/2023\/07\/26\/the-sec-let-the-boardroom-off-the-hook-on-cybersecurity-turns-up-heat-on-cisos-and-ceos\/\" target=\"_blank\" rel=\"noopener\">here<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The SEC just released long awaited final rules on their cybersecurity risk management, strategy and governance proposals. While transformational in some respects, the SEC basically let the boardroom largely slip off the hook for cybersecurity governance accountability&#8230;for now. The SEC had proposed a rule that boards should disclose if they have a director with cyber [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":6824,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":"","footnotes":""},"categories":[76],"tags":[],"class_list":{"0":"post-6823","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-leadership"},"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.9 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>The SEC Let The Boardroom Off The Hook On Cybersecurity, Turns Up Heat On CISOs And CEOs | Brandiary<\/title>\n<meta name=\"description\" content=\"The SEC just released long awaited final rules on their cybersecurity risk management, strategy and governance proposals. 
While transformational in some\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/mysourcefunding.com\/?p=6823\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"The SEC Let The Boardroom Off The Hook On Cybersecurity, Turns Up Heat On CISOs And CEOs | Brandiary\" \/>\n<meta property=\"og:description\" content=\"The SEC just released long awaited final rules on their cybersecurity risk management, strategy and governance proposals. While transformational in some\" \/>\n<meta property=\"og:url\" content=\"https:\/\/mysourcefunding.com\/?p=6823\" \/>\n<meta property=\"og:site_name\" content=\"Brandiary\" \/>\n<meta property=\"article:published_time\" content=\"2023-07-27T02:10:17+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-07-27T02:10:18+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/mysourcefunding.com\/wp-content\/uploads\/2023\/07\/1690423818_0x0.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1200\" \/>\n\t<meta property=\"og:image:height\" content=\"676\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"News Room\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"News Room\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/mysourcefunding.com\/?p=6823#article\",\"isPartOf\":{\"@id\":\"https:\/\/mysourcefunding.com\/?p=6823\"},\"author\":{\"name\":\"News Room\",\"@id\":\"https:\/\/mysourcefunding.com\/#\/schema\/person\/5062dafb0f932b59aa228f1a047332f4\"},\"headline\":\"The SEC Let The Boardroom Off The Hook On Cybersecurity, Turns Up Heat On CISOs And CEOs\",\"datePublished\":\"2023-07-27T02:10:17+00:00\",\"dateModified\":\"2023-07-27T02:10:18+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/mysourcefunding.com\/?p=6823\"},\"wordCount\":1102,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/mysourcefunding.com\/#organization\"},\"articleSection\":[\"Leadership\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/mysourcefunding.com\/?p=6823#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/mysourcefunding.com\/?p=6823\",\"url\":\"https:\/\/mysourcefunding.com\/?p=6823\",\"name\":\"The SEC Let The Boardroom Off The Hook On Cybersecurity, Turns Up Heat On CISOs And CEOs | Brandiary\",\"isPartOf\":{\"@id\":\"https:\/\/mysourcefunding.com\/#website\"},\"datePublished\":\"2023-07-27T02:10:17+00:00\",\"dateModified\":\"2023-07-27T02:10:18+00:00\",\"description\":\"The SEC just released long awaited final rules on their cybersecurity risk management, strategy and governance proposals. 
While transformational in some\",\"breadcrumb\":{\"@id\":\"https:\/\/mysourcefunding.com\/?p=6823#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/mysourcefunding.com\/?p=6823\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/mysourcefunding.com\/?p=6823#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/mysourcefunding.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"The SEC Let The Boardroom Off The Hook On Cybersecurity, Turns Up Heat On CISOs And CEOs\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/mysourcefunding.com\/#website\",\"url\":\"https:\/\/mysourcefunding.com\/\",\"name\":\"Brandiary\",\"description\":\"Latest Business and Startup News and Updates\",\"publisher\":{\"@id\":\"https:\/\/mysourcefunding.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/mysourcefunding.com\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/mysourcefunding.com\/#organization\",\"name\":\"Brandiary\",\"url\":\"https:\/\/mysourcefunding.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/mysourcefunding.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/mysourcefunding.com\/wp-content\/uploads\/2023\/06\/b-logo-1.png\",\"contentUrl\":\"https:\/\/mysourcefunding.com\/wp-content\/uploads\/2023\/06\/b-logo-1.png\",\"width\":381,\"height\":100,\"caption\":\"Brandiary\"},\"image\":{\"@id\":\"https:\/\/mysourcefunding.com\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/mysourcefunding.com\/#\/schema\/person\/5062dafb0f932b59aa228f1a047332f4\",\"name\":\"News 
Room\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/mysourcefunding.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/mysourcefunding.com\/wp-content\/uploads\/2023\/06\/avatar_user_1_1688031660-96x96.png\",\"contentUrl\":\"https:\/\/mysourcefunding.com\/wp-content\/uploads\/2023\/06\/avatar_user_1_1688031660-96x96.png\",\"caption\":\"News Room\"},\"sameAs\":[\"https:\/\/mysourcefunding.com\"],\"url\":\"https:\/\/mysourcefunding.com\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"The SEC Let The Boardroom Off The Hook On Cybersecurity, Turns Up Heat On CISOs And CEOs | Brandiary","description":"The SEC just released long awaited final rules on their cybersecurity risk management, strategy and governance proposals. While transformational in some","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/mysourcefunding.com\/?p=6823","og_locale":"en_US","og_type":"article","og_title":"The SEC Let The Boardroom Off The Hook On Cybersecurity, Turns Up Heat On CISOs And CEOs | Brandiary","og_description":"The SEC just released long awaited final rules on their cybersecurity risk management, strategy and governance proposals. While transformational in some","og_url":"https:\/\/mysourcefunding.com\/?p=6823","og_site_name":"Brandiary","article_published_time":"2023-07-27T02:10:17+00:00","article_modified_time":"2023-07-27T02:10:18+00:00","og_image":[{"width":1200,"height":676,"url":"https:\/\/mysourcefunding.com\/wp-content\/uploads\/2023\/07\/1690423818_0x0.jpg","type":"image\/jpeg"}],"author":"News Room","twitter_card":"summary_large_image","twitter_misc":{"Written by":"News Room","Est. 
reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/mysourcefunding.com\/?p=6823#article","isPartOf":{"@id":"https:\/\/mysourcefunding.com\/?p=6823"},"author":{"name":"News Room","@id":"https:\/\/mysourcefunding.com\/#\/schema\/person\/5062dafb0f932b59aa228f1a047332f4"},"headline":"The SEC Let The Boardroom Off The Hook On Cybersecurity, Turns Up Heat On CISOs And CEOs","datePublished":"2023-07-27T02:10:17+00:00","dateModified":"2023-07-27T02:10:18+00:00","mainEntityOfPage":{"@id":"https:\/\/mysourcefunding.com\/?p=6823"},"wordCount":1102,"commentCount":0,"publisher":{"@id":"https:\/\/mysourcefunding.com\/#organization"},"articleSection":["Leadership"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/mysourcefunding.com\/?p=6823#respond"]}]},{"@type":"WebPage","@id":"https:\/\/mysourcefunding.com\/?p=6823","url":"https:\/\/mysourcefunding.com\/?p=6823","name":"The SEC Let The Boardroom Off The Hook On Cybersecurity, Turns Up Heat On CISOs And CEOs | Brandiary","isPartOf":{"@id":"https:\/\/mysourcefunding.com\/#website"},"datePublished":"2023-07-27T02:10:17+00:00","dateModified":"2023-07-27T02:10:18+00:00","description":"The SEC just released long awaited final rules on their cybersecurity risk management, strategy and governance proposals. 
While transformational in some","breadcrumb":{"@id":"https:\/\/mysourcefunding.com\/?p=6823#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/mysourcefunding.com\/?p=6823"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/mysourcefunding.com\/?p=6823#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/mysourcefunding.com\/"},{"@type":"ListItem","position":2,"name":"The SEC Let The Boardroom Off The Hook On Cybersecurity, Turns Up Heat On CISOs And CEOs"}]},{"@type":"WebSite","@id":"https:\/\/mysourcefunding.com\/#website","url":"https:\/\/mysourcefunding.com\/","name":"Brandiary","description":"Latest Business and Startup News and Updates","publisher":{"@id":"https:\/\/mysourcefunding.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/mysourcefunding.com\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/mysourcefunding.com\/#organization","name":"Brandiary","url":"https:\/\/mysourcefunding.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/mysourcefunding.com\/#\/schema\/logo\/image\/","url":"https:\/\/mysourcefunding.com\/wp-content\/uploads\/2023\/06\/b-logo-1.png","contentUrl":"https:\/\/mysourcefunding.com\/wp-content\/uploads\/2023\/06\/b-logo-1.png","width":381,"height":100,"caption":"Brandiary"},"image":{"@id":"https:\/\/mysourcefunding.com\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/mysourcefunding.com\/#\/schema\/person\/5062dafb0f932b59aa228f1a047332f4","name":"News 
Room","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/mysourcefunding.com\/#\/schema\/person\/image\/","url":"https:\/\/mysourcefunding.com\/wp-content\/uploads\/2023\/06\/avatar_user_1_1688031660-96x96.png","contentUrl":"https:\/\/mysourcefunding.com\/wp-content\/uploads\/2023\/06\/avatar_user_1_1688031660-96x96.png","caption":"News Room"},"sameAs":["https:\/\/mysourcefunding.com"],"url":"https:\/\/mysourcefunding.com\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/mysourcefunding.com\/index.php?rest_route=\/wp\/v2\/posts\/6823","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mysourcefunding.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mysourcefunding.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mysourcefunding.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mysourcefunding.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=6823"}],"version-history":[{"count":1,"href":"https:\/\/mysourcefunding.com\/index.php?rest_route=\/wp\/v2\/posts\/6823\/revisions"}],"predecessor-version":[{"id":6825,"href":"https:\/\/mysourcefunding.com\/index.php?rest_route=\/wp\/v2\/posts\/6823\/revisions\/6825"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/mysourcefunding.com\/index.php?rest_route=\/wp\/v2\/media\/6824"}],"wp:attachment":[{"href":"https:\/\/mysourcefunding.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=6823"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mysourcefunding.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=6823"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mysourcefunding.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=6823"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}