At a recent audit committee meeting we were briefed by our Big Four accounting firm on cyber risk. They referenced a two-page notification from the Director of the Cybersecurity and Infrastructure Security Agency (CISA), Jen Easterly, on February 25, 2022, urging corporate directors to be mindful and prepared for cyber risks during the evolving Ukraine crisis. The communication from Director Easterly expresses heightened cyber risks emanating from Russian threat actors acting perhaps in retaliation against economic and other sanctions.
It’s highly unusual for a government agency (CISA) to reach out directly to corporate board members.
Additionally, on March 9, 2022, the SEC issued a 129-page cyber regulation proposal: Proposed Rule: Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure.
The new regulations pose questions to the board such as: Does the board have a cyber expert? What are their credentials and how was their expertise determined? How does the Board execute its oversight of cyber risks? Does the company consider cybersecurity risks in its business strategy, financial planning, and capital allocation processes?
Companies are also being asked: Do you have a Chief Information Security Officer? Where does that person report? What are their credentials? Embedded in these questions is a subtle determination of whether a CISO should report independently of the IT organization, perhaps analogous to the way internal audit functions generally don’t report within the finance organization.
What is particularly noteworthy is the brevity of the comment period – only 30 days – on wide-sweeping rules and requirements that will affect registrants and Corporate Directors alike, perhaps akin in its breadth to the Sarbanes-Oxley Act nearly twenty years ago (which had significant unforeseen burdens and costs for corporations).
Another noteworthy factor is that the proposed regulations would affect small companies as well as large multinationals. Given that virtually all companies are connected by the internet and most supply chains include small dealers, distributors and manufacturers, it’s understandable that the proposed regulations do not exclude companies based on size. We all recall hearing how breaches of larger companies often originate with the less vigilant or resource-challenged smaller companies in their supply chain or their dealer and distributor network.
While the proposed regulation does not mandate which Board committee should own cyber risk in its remit, that remains a topic for Boards to contemplate. There are pros and cons to consider, and some observe that the audit committee may be too overburdened as it is: does it have the time and expertise to oversee ever-growing cyber risks? Another consideration to be weighed by the Board is that audit committees already must meet heightened financial reporting deadlines.
There are specific proposed regulations that are complicated, if not concerning. For example, if there is a material cyber incident, the company would have only four days in which to publicly disclose it after determining that the incident was, indeed, material. Determining materiality involves both quantitative and qualitative evaluations; that process needs to be re-examined. Furthermore, the regulations provide that a prior incident that doesn’t rise to the level of materiality may subsequently be deemed material when aggregated with other, similar cyber incidents that occur later. The process and protocols for this aggregation will require very thorough Board oversight and input.
There are also implied questions: How cyber-ready is the board? Do you have external expert briefings for the board? External experts doing penetration testing? What kind of internal training are you overseeing within the company? Do the Directors have external courses and credentials they are expected to complete in order to stay current?
Another issue that speaks to the Board’s oversight is determining if there’s adequate insurance and planning in the event of a cyber breach. Is the company financially modeling cyber risks based on varying probabilities, from an ordinary event all the way to “Black Swan” scenarios?
As is widely reported, insurance companies are scaling back their coverage of ransomware attacks. The recent court case involving Merck’s cyber insurance claim arising from the impact of the NotPetya malware illustrates both the cyber risk (media reports put damages at over $1B) and the difficulty of collecting on a policy claim. The Merck cyber insurance case remains in litigation, now nearly 5 years after the NotPetya attack.
All companies are covered by the proposed SEC regulation, regardless of sector. A traditional manufacturing organization, like an iron smelting company, might wonder how this new regulation affects it. Media outlets are currently reporting that Russian criminal groups are breaching the reporting agents of companies right before earnings reports and using that insider information to front-run the stock market. A recent media report detailed an insider trading breach resulting in an estimated $80M in illegal trades on the public market.
With this broad, sweeping set of regulations, but without clearly defined ways in which boards can satisfy their burden, are we setting ourselves up for a flood of plaintiff litigation?
Of course, we need to do the right things as directors. Of course, we need to be cyber-ready. We need to take this seriously, which presumably directors already do. We are all diligent, engaged, highly committed stewards for all of our stakeholders. That said, we don’t need penalties, threats, huge bureaucratic regulatory burdens and an avalanche of plaintiff lawsuits.
The other takeaway is clearly that we must all go on high alert as public company and private company directors and anticipate a serious threat of cyberattack on our companies. Things we should be doing:
- Cyber training for all employees.
- Increase our external third-party resources.
- Have an outside third-party cyber penetration testing firm review and do white and gray hat cyber exercises on your systems.
- Evaluate your backup systems (assuming that there may be a serious attack on the cloud), review the level of your current cyber systems, and consider upgrading your security and cyber software testing.
- Build a relationship with a cyber managed services provider who can do external monitoring to augment what you currently have in house.
There is a lot to consider in these unprecedented times, but I urge boards and companies to please consider commenting on the new SEC proposed regulation rapidly. I am sharing the link here, so your voices may be heard. SEC.gov | How to Submit Comments