SEC Proposal to Put Cybersecurity in the Boardroom
The topics of “cybersecurity” and “digital privacy” have attracted major headlines since the SEC’s March 2022 proposal, which would require public companies (and, under a related proposal, investment advisers and funds) to disclose how their Boards of Directors oversee cybersecurity risk, in effect making the Board share the burden of cybersecurity supervision, compliance, and risk mitigation. While the SEC’s proposals have drawn both applause and criticism from across industries, what is clear is that ‘digital security’ conversations are migrating from the tactical (or “ground”) level to implementation and oversight at the strategic level. Creating a seat on the Board for a senior, experienced cyber expert may work in some instances, but careful consideration should also be given to outside advisers and consultants, given the plethora of domains that compliance now requires.
Verizon recently released its 2023 Data Breach Investigations Report. Many of its statistics and attack vectors would not surprise anyone living in the digital age, least of all those who have been victims of identity theft or attempted social engineering. However, as shown in Figure 21 of the report, “Personal Data” is the category most often compromised in data breaches. This Personally Identifiable Information (“PII”) can be that of “customers, partners, or employees.”
Market impacts of such a breach include modified consumer behavior (i.e. a loss of perceived trust and a more elastic demand curve), regulatory costs and fines, a worse efficiency ratio (expenses rise as a percentage of revenue as additional training and internal controls are added), and, in states such as California, Delaware, Florida, Iowa, and Rhode Island, mandatory notice to the state attorney general or regulator (and, in some states, the media) once 500 or more residents are affected. Combine this with the growing sophistication and variety of social engineering incidents, and we arrive at a point where Information Security (“InfoSec”) must be a shared responsibility across the board.
The Clock Is Ticking
A recent article in the Wall Street Journal highlighted the importance of not waiting for new rules on cybersecurity, privacy, and emerging technologies to be finalized before preparing for them. Numerous arguments can be made for acting sooner rather than later, but two stand out: (1) a shortage of senior executives with the “right experience” who can translate department-level knowledge into a firmwide (or potentially international) approach; and (2) education, both in keeping up with privacy regulation at the state and federal levels and in training down to the individual level.
Kim Nash recently wrote an article arguing that directorship training and experience on advisory boards are simply not enough to win a cyber chief a seat on the Board. A lack of broad business experience and advanced degrees may portray the candidate as a “one-trick pony.” Meanwhile, the New York State Department of Financial Services proposed changes last year that would require boards to include experts (or hire external advisers) in “15 different domains including network security, consumer data privacy, and third-party service management.”
Regardless of personal opinion, finding the right person to fill such a crucial seat takes time and careful consideration. To fill that void, many companies are hiring consultants to help search for a new Board member, plan for upcoming legislation and proposals, and educate their staff.
The Need for Privacy Experts on the Board
Looking at education from a macro perspective, the United States follows a sectoral model of data privacy law, in contrast to the European Union’s comprehensive model under the GDPR. As a result, data privacy laws and regulations have been passed (or are at various stages of the legislative process) state by state. The International Association of Privacy Professionals (“IAPP”) produced a detailed graphic of this landscape (seen below), which shows not only that it is vital to keep up to date with current changes but also that further updates are on the horizon. Those updates will affect almost every aspect of operational risk and due diligence (i.e. human resources, marketing, sales, data & analytics).
It was noted earlier that PII and personal credentials are among the data most commonly exposed in breaches, and that consumer data privacy is one of the 15 domains of cybersecurity expertise required under the proposed NYDFS regulation. Both factors play into the micro side of digital privacy and education, especially when the term “consumer” applies to recent hires and board members alike. With an estimated 3.4 billion spam emails sent every day, over 400 data broker websites buying and reselling personal data, and the added complexity of artificial intelligence, bad actors and fraudsters are actively targeting personal identities. External service providers, educators, and consultants can fill the time gap associated with hiring expertise at the Board level while also bridging the gap between corporate cybersecurity infrastructure and personal electronic devices. Those same third parties can reinforce the best practices of existing InfoSec program directives and may be able to reach the executive assistants and family members of C-Suite executives, who are frequently targeted as a path to the executive.
In summary, there is no end in sight to the growing cyber risks faced by public companies and their executive leadership teams. Through regulation and coordination with federal and state governments, policies and procedures will continue to be updated and implemented to stay ahead of the “cyber risk curve.” While some firms may be able to add cybersecurity to the boardroom easily, in a timely manner and ahead of proposed legislation, most will need additional time and resources to do so. In the interim, consultants and third-party service providers can bring expertise and education to the boardroom, to employees, and to their families.