Environmental, social, and governance (ESG) considerations are hardly new topics when it comes to compliance reporting for financial services firms, but the impact of cybersecurity breaches on the governance component soon will gain a much higher profile for financial and non-financial organizations alike. Whether addressing privacy issues, the financial losses of ransomware, or business continuity from a governance perspective, cyber threats are putting ESG discussions at the forefront of board meetings and C-suite discussions around the globe.
The reporting changes US companies face could expand significantly due to recent rule modifications from Securities and Exchange Commission Chairman Gary Gensler. Cybersecurity governance reporting requirements similar to those for auditing and financial reporting found in the Sarbanes-Oxley Act of 2002 (SOX) would be a key component of the new regulations.
SOX governance requirements focus on helping protect investors from fraudulent financial reporting by corporations, while cybersecurity governance is designed to improve reporting on new and past cyberbreaches. Existing corporate governance, risk, and compliance (GRC) policies and procedures will not be sufficient to address these rules.
Alla Valente, a senior analyst at Forrester, characterizes the proposed SEC regulation modifications as "Sarbanes-Oxley light." The proposed rules state that companies need to report material cybersecurity incidents within four days of identification, she notes. The problem is that "material" is not defined and varies by industry, so companies are left guessing when the clock starts to report incidents. This could lead to both over-reporting and under-reporting of cyber incidents, she says.
Pressure Drives Cybersecurity Measures
Complying with the proposed rules also could have a direct impact on an enterprise's ability to obtain cyber insurance, Valente notes. Despite the current chaos in the cyber insurance market that is driving prices up and coverage down while cyber insurers reduce inventory, these rule changes potentially can further increase pressure on companies to implement cybersecurity controls that they otherwise might not have instituted at this time. It also would require far more information on past breaches and how they are being managed and mitigated.
"Management's new role in reporting and cyber governance, and the boards' new responsibility to shed light on their expertise and oversight, will drive extra scrutiny on enterprise security programs," says Jason Hicks, field CISO at the cybersecurity consulting firm Coalfire.
"This puts the CISO on the hot seat," he continues. "It's also likely to drive boards to try and add executives with cybersecurity experience to their team. Given the small number of qualified people available, I could also see boards hiring their own consultants to advise them on cybersecurity risk and the adequacy of the company's security program.
"All of these areas will need to be factored into the governance portion of your ESG approach," Hicks adds. "Management is already responsible for managing cybersecurity risk, so this is not creating an entirely new class of responsibility, although it is making several changes to the burden and complexity."
Transnationals Take Initiative
Hicks notes that the way organizations view transparency and the cultural norms of a company's operating environments can play into how they respond. "The multinationals need to balance their approach given the different approaches globally."
Valente agrees. Europeans tend to be more proactive in defending against data breaches than American companies. The rules change could force domestic organizations to be more proactive, particularly when it comes to third-party risk management, a key security control.
"Once this becomes final, we will see an effort to be proactive. Some [organizations] will follow the letter of the law, and might be successful in the short term, but marginally," Valente says. "Others will follow the spirit of the law and use that as a means to improve, diversify, and make that proactive [third-party] risk management part of who they are. It'll be ingrained in their corporate DNA. Those are the organizations that are really going to thrive from this."
Companies Can Get Started
Steven Yadegari, CEO of the investment consulting firm FiSolve and former general counsel at the money manager Cramer Rosenthal McGlynn, says board members will look for specific reporting on cybersecurity. This will include quarterly reports focused on cybersecurity and meetings with the individuals charged with oversight of the area, such as the CISO, who are leading the effort.
"The new rules would require formal risk assessments, specific controls, monitoring measures, and a reporting system of incidents. To the extent some of these areas are not addressed in existing programs, boards will want to understand how managers intend to comply with these potential requirements. Those conversations should be underway and should not wait for adoption of new rules," Yadegari says.
Many companies today are more carefully managing their vendors and overseeing their policies and procedures, he notes. This is particularly true of third-party service providers and suppliers that might have contact with an enterprise's sensitive information.
"It behooves companies to ensure they have a robust cybersecurity program and third-party risk management (TPRM) program, which will in turn provide comfort to companies who rely on their services," Yadegari says.
While the final language of the proposed SEC rule changes has yet to be made public, the proposed language can be found here.