Amidst the shifting balance of cybersecurity risks, it is becoming more important than ever for Chief Information Security Officers (CISOs) to navigate the trends that have recently emerged on the horizon, with potentially wide-ranging ripple effects for governance and risk management.
This blog post briefly recaps these trends and then outlines key takeaways for CISOs, including considerations for reducing the cybersecurity liability of themselves and their organizations and for meeting their potential obligations.
A Quick Recap
The Securities and Exchange Commission (SEC) rules have called for disclosure by companies of material cybersecurity risks. The rules require public companies to disclose material cybersecurity incidents within four business days and to provide annual disclosures on risk management and governance related to cybersecurity threats. And the recent SEC charges brought against SolarWinds have alarmed the industry, with CISOs facing the potential of personal liability.
The CISA's Secure by Design proposal advocates for incorporating cybersecurity at the initial design stages of products and services, aiming for inherent security. And finally, the National Cybersecurity Strategy issued by the Office of National Cyber Director (ONCD) proposes holding software makers liable for insecure products, aiming to align economic incentives with security outcomes and reduce the risk of breaches.
The potential liability for a lack of cybersecurity maturity and governance, not only for the organization but also for the CISO personally, is a game-changer for cybersecurity risk management, which is why CISOs need to be carefully examining their obligations and understanding how best to meet them.
These trends have significant implications for CISOs, as well as the legal counsels and risk advisors assisting them with compliance. Here are some key takeaways:
- Materiality is Key
In contrast to existing requirements under laws like HIPAA or GDPR, the SEC evaluates cybersecurity incidents based on a materiality standard: whether the information would significantly impact investor decisions. Materiality analysis doesn't require risk quantification (such as the FAIR model), but rather a reasonable assessment of risk that takes into account, among other factors, the financial, reputational and operational impact. Existing security frameworks such as NYDFS 500.9 and CFR Part 314.4 include assessment of material security threats that may be helpful in the SEC materiality analysis.
- Disclosures Must Be Timely and Accurate
The SEC charged SolarWinds for inadequate disclosures despite its claims of NIST CSF compliance. The case signals increased accountability for accuracy in cybersecurity reporting. CISOs should work carefully with legal counsel and risk advisors to ensure that they are disclosing material gaps and providing timely, comprehensive disclosures consistent with their actual security posture.
- Privilege and Liability Protection is Critical
The SEC rules, as well as the proposals by CISA and ONCD, may leave companies open to shareholder lawsuits if disclosures do not match security postures, and may leave CISOs open to personal liability. CISOs should work closely with legal counsel and risk advisors to protect privilege and limit liability, in particular by coordinating with counsel on how reports are made to the board. D&O and cyber insurance policies should be reviewed for potential gaps in coverage.
- Understand Interplay with Cyber Insurance
SEC disclosure rules dovetail with cyber insurance underwriting. If the company's posture doesn't match what it disclosed to the SEC, then not only the SEC but also the insurer and/or the shareholders may have a case against the company for misrepresentation. On the other hand, any organization that has obtained cyber insurance commensurate with its risk exposure would already have done some level of risk quantification and would know the financial harm should certain assets be compromised, which in turn helps with the SEC disclosure requirement. The good cyber hygiene required for good coverage also earns immunity protection under the National Cybersecurity Strategy issued by ONCD.
- Board Oversight is Crucial
Though boards need not become experts, CISOs together with their legal counsel and risk advisors can guide them in monitoring controls and in accessing cybersecurity expertise through educational programs. Cybersecurity should become a regular board meeting agenda item.
- Benchmark Your Security
Reference existing cybersecurity frameworks like NIST when reviewing your own maturity and regulatory expectations for "reasonable security." CISOs should map programs to authoritative benchmarks and address any gaps.
- Emphasize Cybersecurity Governance
CISOs should stand up cybersecurity incident response teams within their organizations and develop collaborative, cross-departmental governance policies and programs in line with legal requirements. They should also ensure that proper upward reporting procedures are in place.
By providing proactive guidance on cybersecurity risk management, disclosure processes, insurance coverage, and board oversight, CISOs working with legal counsel and risk advisors play a key role in positioning their companies to comply with the SEC's new rules as well as the proposals by CISA and ONCD. For CISOs, taking appropriate measures will limit liability risks in the face of increased regulatory scrutiny, improve their cybersecurity maturity, and help them meet these requirements.
Connect with us
If you would like to reach out for guidance or provide other input, please do not hesitate to contact us.