SEC’s Cybersecurity Regulations, Part III: The Relationship Between the CISO & The Board

Policy & Regulations

BitSight + Glass Lewis
Written by Jake Olcott & Nicole Matusek October 30, 2023

Cybersecurity is a top risk for corporate directors to understand and navigate. The implications of cyber events for a company are many and growing: instantly damaged reputations that erode years of credibility and trust with customers and investors, impaired profitability from customer attrition and increased operating costs, lost intellectual property, fines and litigation, and harm to a company’s people and culture.

Consequences for companies can be significant. Cybersecurity incidents may result in material impact for shareholders. With the new U.S. SEC cybersecurity rules going into effect, investor awareness is on the rise. According to Cheryl Gustitus, Chief Strategy Officer at Glass Lewis, “investors will be looking even more closely at companies’ risk management, strategy, and governance practices on this critically important issue.”

How can security leaders help their boards perform effective cybersecurity oversight? According to a recent survey of U.S. directors, improving cybersecurity and data privacy is one of the top priorities for boards in 2023 and 2024. At the same time, 38% of directors identify cyber risk and data security as the issue most challenging to fulfilling their oversight responsibilities. 47% are engaging in director education programs to prepare for proposed regulatory requirements surrounding cybersecurity disclosures.

A strong, collaborative, and informed relationship between the Chief Information Security Officer (CISO) and the Board of Directors is essential for maintaining a robust cybersecurity program and ensuring that cybersecurity is integrated into the organization's corporate governance.

Steps to Improving the CISO/Board Relationship and Driving Effective Cybersecurity Governance

The relationship between the CISO and the Board of Directors is crucial in driving an effective cybersecurity program and overall corporate governance. This relationship should be characterized by communication, collaboration, and mutual understanding.

Here's a description of the key elements that should exist in this relationship:

  • Regular Communication: The CISO should maintain open and regular communication with the Board. This includes providing updates on the organization's cybersecurity posture, emerging threats, and the status of ongoing security initiatives. The frequency of communication may vary, but quarterly or semi-annual presentations are common.
     
  • Educational Engagement: The CISO should provide or help facilitate educational sessions to the Board to ensure that the directors have a fundamental understanding of cybersecurity risks, the potential impact on the organization, and the measures being taken to mitigate these risks. This education can be particularly important because many board members may not have a technical background.
     
  • Risk Reporting: The CISO should present cybersecurity risks in the context of business risks. This helps the Board understand how cybersecurity vulnerabilities can impact the organization's reputation, financial stability, and compliance with regulations. Risk assessments, metrics, and key performance indicators (KPIs) should be used to illustrate the potential impact.
     
  • Alignment with Business Goals: The CISO should align the cybersecurity strategy with the organization's overall business objectives. This ensures that security measures support, rather than hinder, the company's growth and strategic initiatives.
     
  • Cybersecurity Governance Framework: Establish a cybersecurity governance framework that outlines the roles and responsibilities of the CISO, management, and the Board. This framework should define how cybersecurity decisions are made, who approves cybersecurity budgets, and how incident response plans are activated.
     
  • Budget and Resource Allocation: The Board should be actively involved in approving cybersecurity budgets and resource allocations. They need to understand the financial requirements of maintaining effective cybersecurity and ensure that the necessary resources are available. CISOs should be able to justify current and new spend with metrics and outcomes, not by resorting to fear tactics.
     
  • Incident Response Planning: The CISO should work closely with the Board to develop and regularly test incident response plans. Boards should be active participants in tabletop exercises. In the event of a security incident, the Board should be aware of the roles they play in managing and overseeing the response.
     
  • Regulatory Compliance: The CISO should keep the Board informed about evolving cybersecurity regulations and ensure the organization remains in compliance. This includes discussing potential legal and financial implications of non-compliance.
     
  • Vendor and Third-Party Risk Management: The CISO should have a strategic and operational approach to managing and reducing risks associated with third-party vendors and service providers. The Board should be aware of these risks and aware of how the organization is addressing and reducing risk from these partners.
     
  • Cybersecurity Culture and Awareness: Promote a cybersecurity culture throughout the organization. The Board should set an example by participating in security training and awareness programs, emphasizing the importance of security from the top down. The Board should consider adopting metrics to hold management accountable for cybersecurity performance.
     
  • Transparency and Accountability: Both the CISO and the Board should hold each other accountable. The CISO should be transparent about the organization's security posture, and the Board should provide guidance and support.
     
  • Continuous Improvement: The relationship should be characterized by a commitment to continuous improvement. Regularly assess the effectiveness of the cybersecurity program, learn from incidents and mistakes, and adjust strategies as necessary.

What Cybersecurity Questions Should Boards be Asking?

Boards play a crucial role in ensuring an organization's cybersecurity strategy is effective and aligned with its business objectives. The board’s role is to oversee the CISO’s activities in creating and maintaining a successful cybersecurity program.

To fulfill this responsibility, they need to ask a series of key questions. These inquiries cover a wide range of aspects, from executive accountability for cyber risk to measuring the value of cybersecurity investments, benchmarking performance against industry peers, identifying the most significant cyber risk scenarios, or assessing the adequacy of cyber insurance:

These are some of the most common questions:

  • Which executive(s) are responsible for cyber risk, and how often are the executive committee and the board being briefed on cybersecurity? Is there clear accountability linked to performance objectives?
     
  • What measurements does the company use to determine whether our investments in cybersecurity are reducing our risk in a cost-effective manner? Are we clear on spend and value for money?
     
  • Has management benchmarked the cybersecurity program performance against industry peers? If not, why not? If so, how do we measure up?
     
  • Which cyber risk scenarios pose the greatest risk to our business? Are we more exposed to ransomware or data breach?
     
  • Do we have a cyber insurance policy in place? If not, why? If so, with whom, how much, and have the premium and coverage terms changed recently? Do we understand the exclusions and whether we have coverage that will pay if an incident occurs? (If unclear, then you may be self-insuring.)
     
  • Do we have a cyber insurance policy in place? If not, why? If so, with whom, how much, and have the premium and coverage terms changed recently? Do we understand the exclusions and whether we have coverage that will pay if an incident occurs? (If unclear, then you may be self-insuring.)
     
  • Do we have a comprehensive vendor cyber risk management program that includes cyber reviews during the vendor/supplier onboarding process? Do we have a handle on who is accessing our systems and data?
     
  • Are we communicating our cybersecurity performance to critical external stakeholders, including investors, insurers and business partners? If so, what are they being told?
     
  • Have we quantified our cyber risk in financial terms (and under what scenarios) so that we can make informed decisions about risk mitigation and risk transfer? What are we getting for our money?
     
  • Have we tested our preparedness by using cyber tabletop exercises? At what point during a cybersecurity incident would the board be engaged? Is there a “break glass” communication plan?
     
  • How have we adjusted our plan to attract and retain cyber talent to keep up with the market?
     
  • When launching new business initiatives (including M&A), how is cyber considered?

Putting it all together

As boards confront the risks and increased focus on cybersecurity, there are specific actions directors can take to protect themselves and their companies:

  • Assign board committee risk oversight responsibility guided by subject matter experts. Responsibility for cybersecurity oversight should be allocated to the current board committee charged with general risk oversight. Risk management experience and continuing education are crucial for managing cyber risk; companies should hire senior personnel with cybersecurity expertise who retain primary responsibility and regularly report to the board.
     
  • Engage third-party partners to measure status and progress. These trusted third parties —including data providers and consultants that report to the board —should conduct periodic assessments (e.g., penetration tests) and benchmark against comparable companies and best-in-class measures. Leveraging quantitative data is critical to obtain independent, objective analysis.
     
  • Stay abreast of disclosure rules and shareholder expectations. Review with counsel the latest SEC regulations to proactively address new information that may be required.
     
  • Track key metrics. Identify metrics for the board to regularly evaluate the risk profile of the business, key assets that require protection, the adequacy and effectiveness of existing security controls, and best practices to limit and mitigate cyber risk associated with strategic plans. Discuss regularly at the board level.
     
  • Practice incident response and have concrete plans. Finalize time-sensitive policies on business recovery and continuity (even cyber ransom), and conduct “fire drills” (including a “break glass” plan) with the board to prepare for time-sensitive situations.

Cybersecurity risk is now a mainstay of corporate risk management and director responsibilities. Persistence and vigilance, alongside the right software solutions, education, preparedness and transparency, are key to ensure a holistic program of cyber protection and resilience is in place.

How Glass Lewis Can Help

Glass Lewis integrates Bitsight’s Executive Report in their Proxy Papers, which features the company’s overall Bitsight Security Rating peer analytics, the organization’s performance over the last 12 months, the likelihood of ransomware incidents, the likelihood of data breach incidents, and any publicly disclosed incidents in the last 18 months. The report is designed for a non-technical audience to be leveraged by Investor Relations, Board members, and CISOs to provide insight to their investors on their cybersecurity posture.