The SEC has squarely placed the onus on corporate board members to take on greater cybersecurity oversight of the companies they serve. NIC Inc.’s Jayne Friedland Holland discusses board members’ roles now.
On the heels of record-breaking cyber breaches in 2017, sensitive information found its way into cybercriminals’ hands in dozens of major attacks in 2018. Identity theft protection company IdentityForce has already reported close to 100 breaches in 2019 affecting health care, online betting, government, retail organizations and more. The cybersecurity community generally agrees that worldwide cybercrime costs will double from $3 trillion annually in 2015 to $6 trillion by 2021.
The 2017 attack on Equifax, that year’s largest and most widely publicized breach, exposed 145.5 million Americans’ social security, credit card and driver’s license numbers. The event was surprising not only in its breadth, but also because Equifax executives knowingly continued trading stock for months before the company reported the breach.
The uptick in devastating cybersecurity incidents and the Securities and Exchange Commission’s concerns over reporting delays prompted the agency to issue interpretive guidance for public company disclosures of cybersecurity risks and incidents in February 2018. The guidance reinforces and expands on guidance published in 2011. It outlines how companies can evaluate which cybersecurity matters must be disclosed, gives direction on disclosure timing and sets forth steps a company can take to adequately understand its cybersecurity risk profile and disclosure obligations. It also addresses the importance of strong cybersecurity policies and procedures and of insider trading prohibitions, two topics the prior guidance did not cover.
The guidance established new expectations for board members to take on greater oversight of a company’s cybersecurity efforts. This seems to indicate the SEC now places this duty on the same level as it does board requirements for governance of other enterprise risks.
Cybersecurity has become business-critical. To remain in step with the SEC’s guidance, corporate boards must move away from merely maintaining a general concern for cybersecurity. Instead, they must understand it as a core business issue for which their role now includes an obligation to quantify risk and identify actions to mitigate it.
Cybersecurity Oversight: Best Practices for Public Company Boards
The SEC’s 2018 guidance, while establishing greater cybersecurity requirements for corporate boards, does not specify an approach for corporate directors to follow. Simply put, the guidance issued represents general recommendations for boards to follow. To properly evaluate risk, work to mitigate breaches and be prepared to appropriately respond to a security incident, public company executives and corporate boards should consider a similar set of best practices:
1. Recognize the Critical Nature of Cybersecurity
Board members and C-level executives have responsibility for ensuring that cybersecurity is a key component of everything an organization does. The board can and should take the lead in focusing attention on “the adequacy of controls and procedures for identifying cybersecurity risks and incidents and for assessing and analyzing their impact,” as the SEC guidance states. Board members should be involved in evaluating security-related reporting structures, overall program adequacy and policies and procedures. The SEC also requires written disclosure of how the board administers its risk oversight function.
A public company should give its Chief Security Officer or someone in a similar position a seat at the executive table. Taking this step involves the CSO in every strategic discussion and decision the company makes, communicates the importance of security to the entire organization and helps ensure the security team plays a role in evaluating all the company’s risks and can provide input on secure product practices and other strategic endeavors.
In addition, the CSO’s reporting line should be kept separate from that of the Chief Information Officer or Chief Technology Officer. With separate chains of command, the people who develop services or maintain systems are subject to an independent check from the security function rather than grading their own work.
2. Add Cybersecurity Expertise
Charged with oversight of complex and technical cybersecurity issues, directors should be informed enough to evaluate the company’s cyber risks as effectively as they would assess financial performance and corporate strategy. Board members, therefore, should consider whether one or more directors has sufficient expertise in these areas.
The bipartisan Cybersecurity Disclosure Act of 2019 (S.592), reintroduced last year, requires publicly traded companies to disclose board members’ data security or cybersecurity expertise. If no one on the board has those capabilities, the board must explain what steps it is taking to identify future board members who could contribute that knowledge. The bill has not yet passed, but given the SEC’s increased scrutiny of boards’ cyber-risk responsibilities, directors will likely be mandated at some point to populate their boards with individuals who have cybersecurity expertise. Public boards would be wise to consider that process now.
3. Establish a Formal Breach Response Protocol
Every company is vulnerable to a security breach, no matter what steps have been taken to prevent it. Even so, too few companies have formal and documented processes in place for addressing such an incident.
The company’s breach response process should be captured in a written plan that includes input from multiple departments. It should identify who will serve on the incident response team; each team member’s roles and responsibilities; how the company will report breaches to investors, the public and other stakeholders; and the disclosure timing.
A key component of the overall plan is a list of detailed action steps incident response team members should take. The action plan also should identify others in the company who need to be advised of or involved in the various steps and should spell out the documentation or additional actions necessary throughout the investigation process.
The company should notify board members immediately if a breach occurs, for two reasons: doing so underscores the board’s commitment to engagement in and oversight of cybersecurity, and it helps ensure the company’s insider-trading policies will be followed.
The process also should identify how the company will access digital forensic expertise, either internally or through a third-party source, in the event of a breach. This resource will allow the company to quickly determine how the breach occurred and what information has been compromised. If payment card data has been exposed during a breach, the company is required to engage a third-party forensic company certified by the PCI Security Standards Council.
Board members should review the plan, and every individual who has a role in carrying out the plan should receive ongoing and continuous training that prepares him or her to respond confidently and effectively to a cybersecurity incident. The company should test and review the plan annually and modify it when appropriate.
Further, almost all U.S. states have their own laws about what qualifies as a security breach and timing for disclosing such breaches. Companies that operate in multiple states must adhere to each state’s reporting requirements and build a process for meeting these requirements into their incident response plan.
4. Expect Regular Reporting and Testing
Corporate boards should receive regular reports from executives about the company’s cybersecurity risks, management review processes, overall health and readiness to respond to an incident. A best practice is quarterly reports from leadership and more frequent reporting if needed.
At least annually, company leadership should carry out incident response plan tabletop exercises. Board members should expect reports on these test outcomes, as well as details about how the plan will be updated based on what the tests may have revealed.
5. Establish a Disclosure Committee
It is advisable that publicly traded companies establish a disclosure committee that, among other things, is tasked with discussing cybersecurity risks or breaches and reviewing the accuracy, completeness and timeliness of financial reports or other public disclosures. Doing so provides a mechanism to elevate issues through the committee with the specific purpose of determining if a notification is triggered based on the nature and scope of a cyber incident.
Disclosure committee members and the finance department should review any new or ongoing cybersecurity investigations, determine the materiality of each incident under the SEC rules and decide if a disclosure is appropriate or required. This helps satisfy the SEC requirement that cyber incidents are being escalated for review and possible disclosure. The finance and security departments also should be involved in evaluating whether the issues being investigated may require restrictions on insider trading. Outside counsel can be helpful in making this determination if the disclosure committee is unsure whether the security issue meets the SEC’s materiality threshold and therefore requires disclosure in a public SEC filing.
Further, when the CSO is included at the executive table, he or she should report directly to the CEO for the purpose of escalating a review of security matters and reporting them to the board of directors on a quarterly basis.
Public companies are attractive targets for cybercriminals. Corporate boards, which are accountable to shareholders for a company’s health and financial performance, can expect growing scrutiny of their attention to cybersecurity, not only from the SEC, but also from legislators and the public. Directors must be diligent in helping companies evaluate risk so those companies are better prepared to address the daunting cybersecurity challenge.