Recently, there has been increasing pressure on cybersecurity governance from governments, regulators, and independent organizations, resulting in increased focus on the board's fiduciary responsibility, and not just on objective safeguards, which are the primary task of management. Regulators are imposing highly prescriptive objective requirements while also mandating highly subjective and intangible governance standards for boards of directors. Although meeting the objective requirements is tedious, time-consuming, and costly, the process is straightforward. Boards, however, are not yet able to respond to increasing international pressure to comply with the subjective and intangible standards related to governance.
Putting the issue in perspective
These new demands are testing and challenging board governance and management's ability to address cybersecurity. The stakes are high. Failure to meet these requirements may result in adverse financial consequences, including loss of market value, inability to access certain markets, and financial penalties, as well as legal and enforcement actions against management and board members. Here are three examples of how this trend is playing out.
Example 1: Securities and Exchange Commission (SEC) Cybersecurity Incident Disclosure Rules
In the United States, the SEC took enforcement action against a registrant for disclosing incidents that were inconsistent with internal processes. Additionally, recent SEC rules require registrants to disclose the qualitative and quantitative effects of material incidents, including the impact on financial condition and operations.
Materiality tests cover not only financial and operating results, but also reputational damage. According to Forbes, early disclosures under the new rules have drawn criticism that registrants are failing to meet these requirements by not fully disclosing the qualitative and quantitative impact on their businesses.
The SEC, key stakeholders, and investors may wonder how a company can determine materiality without qualitatively and quantitatively estimating its impact.
Example 2: New York State Department of Financial Services (NYDFS) Cyber Requirements
NYDFS recently issued highly prescriptive regulations and minimum requirements for financial services firms licensed to operate in New York. These include annual certification of compliance by both the CEO and the Chief Information Security Officer.
NYDFS requires management to attest that the board exercises oversight of cybersecurity, that it has a “sufficient understanding” of the subject to do so, and that sufficient resources are allocated to implement and maintain an effective cybersecurity program.
Despite the fact that management is not responsible for governance and therefore is not in a position to certify it, boards must ask themselves how to comply with this requirement. Questions include:
- How can boards develop a “sufficient understanding” of cybersecurity and provide oversight?
- How does the board allocate funding for cybersecurity?
NYDFS may impose fines for violations. Like the SEC, the NYDFS is also pushing to close gaps in cybersecurity governance.
Example 3: Australia's 'Governance Through Cyber Crisis' Guidelines
Another example of regulatory pressure on board governance has occurred in Australia, which recently published 62 pages of prescriptive guidance on cybersecurity oversight for boards.
This guidance does not yet have legal force. However, as happened with the EU General Data Protection Regulation (GDPR), it signals that changes are coming to Australian privacy laws that will impose normative requirements and financial penalties for non-compliance.
Latest regulatory requirements impacting cyber governance: NIS2
Perhaps the most powerful regulatory directive creating pressure to close the cybersecurity governance gap comes from the European Union, which recently updated its Network and Information Security Directive (NIS2). The goal is to achieve a “high common level of cybersecurity” across the EU.
NIS2 takes effect in October 2024 and targets critical infrastructure entities that provide essential and important services. It applies both to EU legal entities and to other companies operating within the EU. Article 20 of the Directive requires the governing bodies of essential and important entities (i.e., the executive management and the board of directors) to:
“…approve cybersecurity risk management measures taken by these organizations to comply with Article 21, supervise their implementation, and may be held accountable for breaches…”
In addition, the executive management and board of directors are required to:
“…follow training to acquire sufficient knowledge and skills to enable them to identify risks and assess cybersecurity risk management practices and their impact on the services they provide, and… to offer similar training to their employees on a regular basis.”
How will boards and executives be trained? NIS2 provides significant penalties for non-compliance.
Similar normative governance provisions can be found in the EU Digital Operational Resilience Act (DORA), which deals with information and communication technology resilience for financial services entities.
The implications of prescriptive directives from NIS2, DORA, SEC, and others are clear and require boards to increase their oversight. Governments and regulators are requiring boards of directors and executives to engage in cybersecurity training and education with their employees to equip them with the knowledge and skills to fulfill their governance responsibilities. The regulatory message is that failure to do so may result in insufficient oversight, resulting in non-compliance penalties and legal risks for officers and directors.
Putting it together
These evolving global cybersecurity normative requirements are changing the standards that boards must meet to meet their legal duty of care obligations. Pressure from governments and regulators is increasing, especially as cybersecurity incidents continue and evolving AI implementations pose new digital risks.
Boards can begin their journey to improve cybersecurity and digital risk governance by taking the following steps:
- Organization: Review and evaluate your organization's effectiveness as it relates to monitoring digital risks. Reorganize and refresh management reports, policies, and procedures as needed.
- Education: Undertake a continuing education program across the organization, starting with the board of directors, to develop the organizational judgment needed to assess threats to complex digital systems. To manage a system, you need to know how it works.
- Culture: Emphasize that responsibility for digital risk governance is shared across the organization.
Digital risk governance is a board responsibility and cannot be delegated to management. These evolving standards will require significantly increased board involvement and a recognition that there is no “tick-box” solution to digital risk oversight.