I wrote a blog almost exactly one year ago that outlined the years of regulatory attempts to increase cybersecurity by requiring disclosures of risk factors, strengthening Board oversight and various legislation related to cyber security. It’s time for another look.
In December 2017, the Wall Street Journal published a blog on cybersecurity and the Board entitled “Cybersecurity Oversight Remains a Challenge for Board Directors,”1 which states that “many directors say they are ill-informed about cybersecurity and unsatisfied with the security information they receive from management.”
A little later in December 2017, Black Book reported the following results of a survey of more than 300 “strategic decision makers” in U.S. healthcare organizations: 2
- 84% of provider organizations lack a reliable enterprise leader for cybersecurity; only 11% plan to get a cybersecurity officer in 2018
- Only 31% of payers said they have an established manager for cybersecurity programs currently, with 44 percent planning to recruit a candidate in 2018.
- 89% of respondents reported that 2018 budgeted IT funds are dedicated primarily to the business, with only a small fraction allocated to cybersecurity
- 92% of C-suite executives said cybersecurity is still not a major talking point with their boards
Akin Gump published an executive summary of the TOP 10 TOPICS FOR DIRECTORS IN 2018 with the number 1 topic being Cybersecurity threats, citing warnings from SEC Co-Directors of Enforcement Stephanie Avakian and Steven Peikin: “The greatest threat to our markets right now is the cyber threat. No crisis should go to waste. Boards should learn from others’ misfortunes and focus on governance, crisis management and recommended best practices relating to cyber issues.” 3
On February 21, 2018, the SEC released revised cybersecurity guidance for publicly traded companies. 4 Among other things, the guidance requires a company to disclose the extent of its board of directors’ role in the risk oversight of the company, such as how the board administers its oversight function and the effect this has on the board’s leadership structure. 5 The Commission has previously said that “disclosure about the board’s involvement in the oversight of the risk management process should provide important information to investors about how a company perceives the role of its board and the relationship between the board and senior management in managing the material risks facing the company.”6 A company must include a description of how the board administers its risk oversight function.7 To the extent cybersecurity risks are material to a company’s business, “we believe this discussion should include the nature of the board’s role in overseeing the management of that risk.”
The guidance adds: “we believe disclosures regarding a company’s cybersecurity risk management program and how the board of directors engages with management on cybersecurity issues allow investors to assess how a board of directors is discharging its risk oversight responsibility in this increasingly important area.”
What’s a Board member to do? The only way anyone can understand and prioritize weaknesses in a cybersecurity program is to conduct a bona fide, OCR-quality risk analysis. Until one knows all the threats to information assets, the vulnerabilities of the places where that information exists, and the strength of the controls currently in place to protect that information, one cannot prioritize risk response activities. This can, and needs to be, explained in plain English. Ask your CEO to provide an overview of the most recent risk analysis findings and the priorities being addressed in the 2018 budget; that should be very revealing.
IF YOU HAVE TO DISCLOSE, LOOK YOUR BEST
March 31, 2017
BY MARY A. CHAPUT
Reporting risk factors started in earnest in 2005 when the SEC introduced a new section in annual 10-K reports for organizations to discuss the “most significant factors that make the company speculative or risky.” Specifically, publicly traded companies were required to include qualitative disclosures of risk factors and to update that information quarterly with changes. 8
There was criticism of these requirements, mostly centered around the qualitative nature of the disclosures and the inability to estimate the financial impact on performance. Since there were no requirements to quantify the likelihood of any disclosed risk, the risk factors that were ultimately disclosed included all possible risks rather than those specific or relevant to the organization, making the information useless to investors.9
In 2010, because of these criticisms, the SEC revised its guidelines to instruct firms to clearly state the risk and specify how the particular risk affects the organization. Specifically, companies should not present risks that could apply to any issuer or any offering.10
Oversight and governance of risk management was also becoming of interest to investors. In December 2009, the SEC approved rules to enhance the information provided to shareholders so they might better evaluate corporate oversight and governance, including the extent of the Board’s role in the risk oversight of the company.11
The term “cyber security” was formalized in public filings in October 2011. Following two years of increased cyber-attacks that resulted in significant costs and reputational damage diminishing customer or investor confidence,12 the SEC released guidance for organizations to provide specific disclosures of (i) their cyber security risks; (ii) the frequency and severity of prior cyber incidents; (iii) the possibility of recurrence; and (iv) the potential magnitude of cyber incidents. There was significant pushback on this guidance from organizations that were fearful of publicly revealing cyber vulnerabilities that could be exploited by malicious outsiders.
In June 2014, in a speech at the Cyber Risks and the Boardroom Conference entitled the Role of the Board of Directors in Overseeing Cyber-Risk Management,13 SEC Commissioner Luis A. Aguilar warned of the “severe impact” that cyber-attacks could have on the capital markets, public companies and investors. Highlighting the responsibility of the Board of Directors, he elaborated on the lack of technical expertise on many boards to evaluate management’s actions to address cybersecurity issues.
His recommendations included the conduct of a NIST-based cybersecurity assessment and the hiring of “appropriate personnel to carry out effective cyber-risk management while providing regular reports to the Board” citing several survey findings that suggested that currently wasn’t the case.
In October 2015, the New York Stock Exchange released a cybersecurity guide for public companies which included topics such as board obligations, hiring Chief Information Security Officers, incident action plans and response.14
On December 17, 2015, the Cybersecurity Disclosure Act of 2015 was referred to Committee15 by a bipartisan Congressional group. The bill sought to promote transparency in the oversight of cybersecurity risks by requiring the disclosure of those Board members with information technology security expertise or, alternatively, the activities underway to recruit such members.16
On February 16, 2017, New York State Governor Andrew M. Cuomo announced a “first-in-the-nation cybersecurity regulation”17 to take effect on March 1st. The regulation, in process since 2014, is aimed at protecting consumers and the financial services industry from increasing cyber-attacks. Banks, insurance companies and other financial services organizations will be required to “establish and maintain a cybersecurity program designed to protect consumers’ private data and ensure the safety and soundness of New York’s financial services industry.”18
Requiring a risk-based approach, the regulation encourages “keeping pace with technological advances” while complying with minimum standards.
On March 7, 2017, Senators Mark Warner (D) of Virginia, Jack Reed (D) of Rhode Island, and Susan Collins (R) of Maine introduced a similar bill to promote transparency in the oversight of cybersecurity risks at publicly traded companies.19 Entitled “Cybersecurity Disclosure Act of 2017,” the bill would require publicly traded companies to describe in their filings whether any members of their boards of directors have cybersecurity expertise and, if not, why not. In other words, a company without such a director would have to describe what other cybersecurity steps were taken into account when identifying and evaluating nominees for the board.
In defining what expertise was expected, the bill defers to NIST Special Publication 800-181 entitled NICE (National Initiative for Cybersecurity Education) Cybersecurity Workforce Framework which outlines “professional qualifications to administer information security program functions or experience detecting, preventing, mitigating, or addressing cybersecurity threats, using commonly defined roles, specialties, knowledge, skills, and abilities.”
The National Association of Corporate Directors, in their 2016-2017 NACD Public Company Governance Survey, highlighted that “59% of respondents reported that they find it challenging to oversee cyber risk, and only 19 percent of respondents said that their boards possess a high level of knowledge about cybersecurity.” 20
The bill sponsors pointed to the 2014 Yahoo breach, which compromised 500 million user accounts. Yahoo reported in its 10-K that investigators into the breach “found that failures in communication, management, inquiry and internal reporting contributed to the lack of proper comprehension and handling of the 2014 security incident. The independent committee also found that the audit and finance committee and the full board were not adequately informed of the full severity, risks and potential impacts of the 2014 security incident and related matters.”21
The bill has been referred to the Senate Banking, Housing and Urban Affairs Committee on which both Warner and Reed serve.22
5 17 CFR 229.407(h); 17 CFR 240.14a-101 – Schedule 14A.
6 Final Rule: Proxy Disclosure Enhancements, Release No. 33-9089 (Dec. 16, 2009) [74 FR 68334 (Dec. 23, 2009)]; http://www.sec.gov/rules/final/2009/33-9089.pdf
7 See Item 407(h) of Regulation S-K [17 CFR 229.407(h)].
8 Regulation S-K, Item 305(c), SEC 2005.
9 Risk Disclosure in SEC Corporate Filings; http://repository.upenn.edu/cgi/viewcontent.cgi?article=1088&context=wharton_research_scholars
10 17 CFR 229.503(c).
11 SEC Approves Enhanced Disclosure About Risk, Compensation and Corporate Governance; https://www.sec.gov/news/press/2009/2009-268.htm
13 Board of Directors, Corporate Governance and Cyber Risks: Sharpening the Focus; https://www.sec.gov/News/Speech/Detail/Speech/1370542057946
14 NYSE releases a cybersecurity guide for public companies; http://www.marketwatch.com/story/nyse-releases-acybersecurity-guide-for-public-companies-2015-10-14?rss=1
15 S. 2410: Cybersecurity Disclosure Act of 2015; https://www.govtrack.us/congress/bills/114/s2410
16 Coercing Companies to Name Security-Savvy Directors; http://www.govinfosecurity.com/coercing-companies-toname-security-savvy-directors-a-8831?rf=2016-01-28-eg&mkt_tok=3RkMMJWWfF9wsRonuajMcu%2FhmjTEU5z17OotUKCwlMI%2F0ER3fOvrPUfGjI4ATctgMK%2BTFAwTG5toziV8R7DALc16wtwQWRLl
17 “Governor Cuomo Announces First-in-the-Nation Cybersecurity Regulation Protecting Consumers and Financial Institutions from Cyber-Attacks to Take Effect”; https://www.governor.ny.gov/news/governor-cuomo-announcesfirst-nation-cybersecurity-regulation-protecting-consumers-and
19 115th Congress, 1st Session; S.536; https://www.congress.gov/115/bills/s536/BILLS-115s536is.pdf
20 NACD survey press release; https://www.nacdonline.org/AboutUs/PressRelease.cfm?ItemNumber=37891
21 “Bill Would Compel Firms to Say if CyberSec Expert Sits On Board”, Eric Chabrow; http://www.govinfosecurity.com/bill-would-compel-firms-to-say-if-cybersec-expert-sits-on-board-a-9776?rf=2017-03-20_ENEWS_SUB_GIS_Slot1&mkt_tok=eyJpIjoiWTJWak56TmtNalF5WW1KayIsInQiOiJIRWc0NCtMcVJWQjJodkdxQ1