Rick Tracy

December 6, 2022

Boards Must Prepare to Manage Cyber Risk

In March of this year the SEC issued a proposed cyber security rule for public companies.

Among other things, this rule would require:

“…disclosure about the board’s oversight of cybersecurity risk and management’s role and expertise in assessing and managing cybersecurity risk…”.

In these times of nation state attacks on critical infrastructure, theft of intellectual property, ransomware attacks, etc., why wouldn’t any company (not just public companies) want cyber expertise on the board to manage cyber risk?

Boards of Directors are required to manage risk.  Cyber is just another form of risk, but it has been pushed off onto the IT department for too long.  The SEC's proposed rule strikes at the heart of the matter: many companies are not prepared to manage cyber risk at the highest level.  Forcing companies to disclose this inadequacy will hopefully drive needed change, as cyber risk is arguably the most urgent risk that most organizations currently face.

According to a recent HBR article on the subject, the board's role with regard to cyber is:

“To provide proper oversight and comply with the regulatory environment, board members are going to have to up their cybersecurity game. It’s no longer adequate to just hear about the protections put in place, or the results of the latest phishing exercise. Board members must take the position that cyber attacks are likely, and exercise their oversight role to ensure that executives and managers have made proper and appropriate preparations to respond and recover.”

Common sense tells you that you can’t manage risks that you don’t understand. Cyber risk management requires a specific skill set, one that many companies don’t yet have at the board level.

The proposed rule stops short of requiring cyber security expertise on the board.  However, imagine disclosing that you have little or no cyber expertise on your board.  Further imagine disclosing that you’ve been breached in a public filing where you have also disclosed you have little to no cyber expertise on your board.  Ouch!

Regardless of the proposed SEC rule, not having cyber risk management skill on your board reeks of negligence based on the current cyber-climate.  Negligence - is that a risk you prefer to accept?

About Rick Tracy

Army Veteran | Blood Cancer Fighter | Inventor | Tech Industry Survivor | Eventual College Grad | Active Word Worker.

Contact: rtracy@hey.com