IT AUDIT & SECURITY
SEC Proposed Rule Could Add Cybersecurity to the Boardroom
Julia Muccini, IT Compliance Analyst – OCD Tech
7 April 2022
On March 9th, 2022, the Securities and Exchange Commission (SEC) issued several proposed amendments that could have a substantial impact on businesses. One of the more surprising amendments would amend Item 407(j) of Regulation S-K to “require disclosure about if any member of the registrant’s Board of directors has cybersecurity experience.”
This would require businesses to disclose on annual reports, annual meeting proxy statements and information statements on Schedule 14C whether any of their Board members have previous cybersecurity experience, including the names of any such director(s) and any details necessary to fully describe their expertise. While the amendment does not specifically state what would qualify as “cybersecurity experience,” it does give some examples, such as prior work experience, certifications, degrees related to cybersecurity or other background in cybersecurity. The SEC notes that companies could respond to this proposed rule by adding a Board member or staff member with cybersecurity experience to their management team, although this would not be required. Such an addition could provide the Board with more oversight and help it identify and manage cybersecurity risks. Having a member with cybersecurity experience could also help persuade the other Board members to allocate more resources to cybersecurity, including devising, implementing and improving their policies and procedures. Another idea the SEC gives is for companies to hire a Chief Information Security Officer (CISO) to help manage cybersecurity, although again this exact title would not be required. It should be noted that if this proposed rule is adopted, it would only affect public companies. However, it is important that higher education institutions adopt similar methods.
While this may seem like an unusual disclosure, businesses, including higher education institutions, are always at risk of cyber incidents and data breaches. Ransomware attacks have crippled colleges and universities over the last several years. The Association of Governing Boards of Universities and Colleges (AGB), which is the premier organization advocating strategic Board leadership in higher education, came to the same conclusion as the SEC. The AGB released a guidance report in November 2021 stating that higher education governing Boards should stay updated on rising cybersecurity threats and fund efforts to address them. The AGB provided five guiding principles that a Board should embrace in order to oversee their cyber-risk portfolio, along the same lines as the SEC proposed rule:
1. Board members need to understand and approach cybersecurity as a strategic, enterprise risk, not just an IT risk.
2. Board members should understand the legal implications of cyber risks as they relate to an institution’s specific circumstances.
3. Board members should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on Board meeting agendas.
4. Board members should set the expectation that management will establish an enterprise-wide cyber-risk management framework with adequate staffing and budget.
5. Board-administration discussions about cyber risk should include identification and quantification of financial exposure to cyber risks and which risks to accept, mitigate, or transfer, such as through insurance, as well as specific plans associated with each approach.
Using these principles as a framework, together with a Board member who has cybersecurity experience, would go a long way toward helping higher education institutions deal with ongoing attacks and ransomware. Larry Clinton, President of the Internet Security Alliance (who helped the AGB author the report), concluded: “Digitization and digital transformation have enhanced exposure to cyber risk across the enterprise, making cybersecurity a strategic risk. Governing Boards play a critical role in shaping the overall vision and strategy for their organizations and in setting a tone of security.” The Board of Trustees (or Board members) plays a critical role in higher education because its members are often the ones who approve budgets and staffing, so they need to see cybersecurity as a crucial business matter. Cybersecurity should be considered in every business decision the Board makes.
It is also important to note that the Board member with cybersecurity experience would not be liable if there were to be a breach or security incident. The amendment proposes a “safe harbor” for the member so that they would not have any duties, obligations, or liabilities that are greater than those of any other Board member. The member would also not be deemed an expert for any purpose, including for purposes of Section 11 of the Securities Act. The goal of this amendment is simply to increase Board oversight of cybersecurity and to have the Board member with cybersecurity experience work with the rest of the Board to make business decisions with cybersecurity in mind.
The comment period for the Proposed Rules will remain open for 60 days following publication of the proposed release on the SEC’s website or 30 days following publication of the proposed release in the Federal Register, whichever period is longer. Although the Proposed Rules may change before the final rules are published, public companies and higher education institutions would be wise to start reviewing and addressing any gaps between their own cybersecurity policies and procedures and the ones currently being proposed.
Some organizations may not have the in-house cybersecurity expertise to fulfill the requirement of this Proposed Rule. A proper salary for a full-time CISO may run upwards of six figures. For organizations looking to meet this requirement and strengthen the posture of their cybersecurity program, hiring a virtual CISO (vCISO) may be advantageous. For a fraction of the price, organizations can outsource the CISO function to a third-party expert. OCD Tech offers these vCISO services and is ready to help your organization both check the box and advise on any other cyber goals and initiatives it might have.
For the full SEC Proposed Rule, click here.