Neil Simon is executive vice president of Resolute Strategic Services, a cybersecurity incident response and reputation management firm. Views are the author’s own.
The Security and Exchange Commission’s release of cybersecurity reporting rules in late July is likely interrupting summer reading plans for many, but it’s also giving corporate counselors and risk managers a chance to build longstanding best practices into their board operations.
The most widely reported requirements are a four-day deadline for reporting a material incident and periodic reporting of cybersecurity governance practices.
These requirements should inspire corporate boards to pick their risk plans off the shelf more often and run them through a tabletop, test them and make revisions.
And the rule’s requirement that cybersecurity policies be tailored to the entity's nature and scope of business could prevent firms from doing wholesale copy-paste jobs from the NIST templates and pretending they’re a good fit for their sector.
Through our work with clients, we’ve seen the damage and reputational loss that can come from the lack of mature incident response and recovery procedures.
But there’s another provision in the rules that has the potential to be key to your organization’s preparedness: that firms demonstrate they have cybersecurity expertise on their board.
Based on best practices we’ve learned from our work helping organizations, the most forward-thinking business leaders will embrace this cybersecurity expertise not as a regulatory obligation but as a strategic imperative to safeguard the company.
Executives that view cyber risks through a lens of compliance only risk failing to make their institutions more secure.
At Resolute, we work with some of the largest insurers and law firms to help clients before, during and after significant cyber incidents.
We’ve seen first-hand the damage and reputational loss that comes immediately from clients that lack mature incident response and recovery procedures.
With the SEC now requiring firms to report the process they have in place to assess cybersecurity threats and how their board of directors oversees cybersecurity threats, there is hope that more firms will strengthen those processes.
The challenge to business leaders is to avoid rushing when creating these procedures that depend on a great deal of cross-functional input to be effective.
A few years ago, I helped create Gartner’s cybersecurity leadership academy curriculum and worked on collaborative fora with dozens of Fortune 500 CISOs and CIOs. Invariably two things would come up in these conversations: the challenge of communicating threats across the organization and to the board.
There has always been a gap in boardrooms concerning tech fluency and cybersecurity expertise. This hinders decision-making in the face of cybersecurity threats, but the default practice of up-leveling a CIO or CISO is not enough.
The new rules will likely generate a flood of recruitment effort for unicorn-like talent who have the hard-skills to prevent and detect cybercrime and the soft-skills of business vision, leadership, and relationship building to be the new board members the SEC requires.
Those who look to appoint cyber experts to their board have an opportunity to do more than comply with new regulations through these appointments.
By allocating sufficient time for discussions on cyber risk and ensuring repeat exposure to cyber-related matters through tabletop exercises and other trainings, firms can seize this moment to build resilience into their firms.
For those who feel daunted by the demand to create or recreate incident response plans, the NIST Framework and CISA Cyber Essentials Starter Kit can jumpstart those efforts. They provide a structured approach to managing cybersecurity risks and incidents, ensuring that businesses have robust defenses in place.
By embracing these frameworks and seeking guidance from cybersecurity experts, your board can proactively enhance its cyber-risk management. Without these processes – and practicing using them – it will be that much harder to secure the enterprise and comply with the SEC’s shorter-term reporting requirements.
Closing the gap in cybersecurity expertise and communication within the boardroom will enable your organization to navigate the ever-evolving cyber threats successfully regardless the regulatory climate.
The time to act is now — investing in cybersecurity expertise on your board is an investment in the future security and prosperity of your business.