Proposed Cyber Expertise Disclosure Rules Will Challenge Boards
The SEC’s proposal could affect public company approaches to strategy, talent and more.
In March 2022, the SEC proposed a set of rules that would require public companies to submit prescribed cybersecurity disclosures. The objective of the rules is to increase the ability of investors to judge public company cyber protocols and incident reporting. One segment of the SEC’s proposal – specifically, proposed new paragraph (j) of Item 407 of Regulation S-K – would require disclosure in annual reports, annual meeting proxy statements and information statements on Schedule 14C regarding whether any of a board’s members have cybersecurity expertise. The information required would include names of any such directors along with details that fully describe the nature of the director’s expertise. Mark Brown, global managing director, digital trust consulting, for cybersecurity consulting services provider BSI, discussed why the SEC’s proposal would be so challenging for public company boards if it is approved.
Directors & Boards: What do the SEC’s recently proposed rules on disclosure of director cybersecurity expertise include, and why might this be challenging for public company boards?
Mark Brown: The proposed SEC rules on disclosure of cybersecurity expertise are designed to evidence to institutional investors, shareholders and investors alike that an organization has recognized the need to move beyond traditional approaches. The new rules, once implemented, will evidence that the organization has sought to readdress cybersecurity and transition from a technical focus to business corporate governance.
Such a move will require a fundamental shift for public company boards for a number of reasons, the most prominent of which will be that there are so few business professionals at the level required to sit on a public company board with adequate experience covering both cybersecurity and business corporate governance. This is because the predominant focus of cybersecurity professionals has solely been on technology management and, in the main, they lack experience in business management and do not speak the lingua franca of the boardroom: risk management.
DB: How are public companies changing the prioritization of their cybersecurity? Is it staying within the IT department, or is it becoming more of a broader business initiative?
MB: The past decade has seen a changing set of priorities in how public companies are reprioritizing cybersecurity. Until the early 2010s, cybersecurity was seen solely as a technical topic and the remit of the CIO and CISO, neither of whom in many organizations were “true CXOs” with a seat at the top-tier table.
With a multitude of high-profile breaches and the recognition of cybersecurity as an omnipresent business risk affecting core elements of business strategy and corporate governance, the roles and responsibilities for cybersecurity have changed. There remains, however, much work to be done, and many organizations have not yet fully grasped the strategic importance aligned to brand reputation of cybersecurity.
Therefore, while a greater emphasis is being placed on the role of cybersecurity within organizations at a business layer, it remains problematic for organizations to align widespread understanding of the risks across the business value chain because of its technology bias.
DB: There can often be a disconnect between the technical aspects of business and financial sides of business. Can you describe that disconnect and how it occurs?
MB: The disconnect between the technical and financial considerations of cybersecurity is significant and has been an underlying root cause for many cybersecurity breaches for years. This is largely because the technologist struggles to explain in business value terms the risks, costs and benefits of investment in cybersecurity. Arguments like technology refresh or new product capability are not viable messages to the CFO and their team. Instead, messages that focus on risk protection value and business strategy enabling investment are more likely to be received positively.
Similarly, the cybersecurity professional must be able to articulate a response for why additional investment is required when significant investments have already been made by organizations. Some members of the finance community may question investment decisions by stating, “Why is more investment in cybersecurity required when we have not had a breach since the last investment?”
This kind of question evidences a lack of understanding within the finance community as to the continuous risk management needs of the business beyond a sense of compliance. Still, it is the responsibility of the technologist and cybersecurity professionals to articulate the continuing investment pathway need to the financial community if they are to be successful in receiving investment approvals.
DB: Communication can be tough between IT personnel and board members/management. What can both parties do to ensure that communication is optimal?
MB: Education by each to the other of the role played by the function within the business is key and requires both patience and a willingness to recognize shortcomings. Adopting a collaborative, non-combative approach is central to success and requires board members and executive management to take on the role of coaching and mentoring to IT and cybersecurity leadership. Making themselves available and providing such coaching is key, but will also allow an opportunity for the technologist receiving the coaching and mentoring to both ask and be asked questions.
This should both simplify the communication pathway and remove traditional barriers of broken communication, while also readying boards to better respond to the new regulatory challenges being faced in this arena.
DB: How important is transparency between IT and the board when an organization works to quell the impact of a cybersecurity incident?
MB: Aligned to the importance of coaching and mentoring between technology leaders and board members and executive management, transparency is essential if organizational and public confidence is to be retained when working to quell the impact of a cybersecurity incident. Transparency must be a focus in the avoidance of a blame culture, as while the incident may be down to individual error, adoption of a blame culture will create a subculture of fear and reluctance to collaborate cross-functionally. The key is to identify the reason for the incident and facilitate remediation.
When an organization works to quell a cybersecurity incident without fear of recrimination, instead operating collaboratively, the organization is more likely to be resilient in the face of adversity, return to normal business operations quicker and avoid significant institutional investor confidence erosion.
DB: What’s the talent situation in the cybersecurity world, and what can boards and management do to make sure cyber talent is retained in a competitive marketplace?
MB: There is a recognized global talent shortage in cybersecurity. The industry has enjoyed 0% unemployment for over a decade, and globally there are assessed to be over 5 million job vacancies in cybersecurity, with ever-increasing levels of demand.
Businesses must also consider the “war for talent” and the impact of current global inflationary pressures. As businesses recognize the growing importance of cybersecurity within the digital society, coupled with existing inflation, there is significant pressure being placed on organizations to meet excessive salary demands. Indeed, it is now commonplace for cybersecurity professionals to be able to take a sideways move between organizations for a 20%-25% (or higher) pay raise. The economic supply and demand position is that drastic.
Boards and management teams must consider how best to develop an enhanced employee value proposition that meets the needs of both the business and the individual. Such employee value propositions should extend beyond traditional base salary remuneration and include considerations such as professional development (extending beyond technical qualifications to coaching and mentoring), flexible working, digital nomadship (the ability to work anytime, anyplace, anywhere), retention incentives and equity stakes for technology leadership. Failure to provide such a value proposition and total reward consideration will result in talent leaving for businesses willing to demonstrate such investment in people.