Global regulatory pressures are closing the cybersecurity governance gap
Recent pressure on cybersecurity governance from governments, regulators and independent organizations has increased in intensity, resulting in highly prescriptive requirements mandating not only objective protective measures—the primary purview of management—but also highly subjective, intangible governance standards targeting the fiduciary responsibilities of the board of directors. Meeting the objective requirements is tedious, time-consuming and costly, but the process is straightforward. However, meeting the growing international pressure to comply with subjective, intangible standards related to governance is not.
Bringing the challenge into perspective
These new demands are testing and challenging the ability of boards of directors to govern and of management to deal with cybersecurity. The stakes are high. Failure to meet these requirements may lead to adverse financial outcomes such as loss of market value, inability to access certain markets, and financial penalties, plus potential legal and enforcement actions against management and board members. Below are three examples of where this trend is playing out.
Example 1: Securities and Exchange Commission (SEC) cybersecurity incident disclosure rules
In the U.S., the SEC has taken enforcement action against registrants, alleging that incident disclosures do not match internal processes. In addition, recent SEC rules require registrants to disclose both qualitative and quantitative consequences of material incidents, including impacts on their financial condition and operations.
The materiality test goes beyond financial and operational results to include reputational harm. According to Forbes, early disclosures under this new rule are drawing criticism that registrants are failing to meet these requirements because they are not sufficiently disclosing the qualitative and quantitative impacts on their business.
The SEC, key stakeholders and investors may question how a company can determine materiality without estimating its impact both qualitatively and quantitatively.
Example 2: New York State Department of Financial Services (NYDFS) cyber requirements
The NYDFS recently issued highly prescriptive regulations and minimum requirements for financial services companies licensed to operate in New York. These include annual certification of material compliance by both the CEO and the chief information security officer.
The NYDFS requires the management team to certify that the board of directors is exercising cybersecurity oversight, has a “sufficient understanding” to exercise such oversight, and is allocating “sufficient resources to implement and maintain an effective cybersecurity program.”
Notwithstanding the fact that management is not responsible for governance, and therefore is not in a position to make that certification, boards need to ask themselves how to comply with this requirement. Questions include:
- How will the board develop “sufficient understanding” of cybersecurity and exercise oversight?
- How does the board ration capital for cybersecurity?
The NYDFS may impose financial penalties for noncompliance. Like the SEC, the NYDFS is applying pressure to close the cybersecurity governance gap.
Example 3: Australia’s ‘Governing Through a Cyber Crisis’ guidelines
Another example of regulatory pressure on board governance comes from Australia, which recently issued 62 pages of prescriptive guidance on cybersecurity oversight aimed at boards of directors.
This guidance does not yet have the force of law. However, it suggests that changes are forthcoming to the Australian Privacy Act, which, like the EU General Data Protection Regulation (GDPR), will impose prescriptive requirements and financial penalties for noncompliance.
The latest regulatory requirement affecting cyber governance: NIS2
Perhaps the most powerful regulatory mandate creating pressure to close the cybersecurity governance gap comes from the EU, which recently updated its Network and Information Security Directive (NIS2). Its goal is to achieve a “high common level of cybersecurity” across the EU.
NIS2 is effective in October 2024 and targets critical infrastructure entities that provide essential and important services. It applies to both EU entities and those doing business in the EU. Article 20 of this directive requires management bodies (i.e., C-suites and boards of directors) of essential and important organizations to:
“… approve the cybersecurity risk-management measures taken by those entities in order to comply with Article 21, oversee its implementation and can be held liable for infringements …”
In addition, C-suites and boards of directors are:
“… required to follow training and … to offer similar training to their employees on a regular basis, in order that they gain sufficient knowledge and skills to enable them to identify risks and assess cybersecurity risk-management practices and their impact on the services provided by the entity.”
How will boards of directors and C-suite executives become trained? NIS2 prescribes significant penalties associated with noncompliance.
Similar prescriptive governance provisions can be found in the EU Digital Operational Resilience Act (DORA), which deals with information and communications technology resiliency for financial services entities.
The implication of prescriptive directives from NIS2, DORA, the SEC and others is clear: Boards must amp up their oversight. Governments and regulators are forcing boards of directors and C-suite executives to be trained and educated on cybersecurity along with their employees so that they develop the knowledge and skills to meet their governance duties. The regulatory message is that the failure to do so can lead to insufficient oversight and result in noncompliance penalties and legal risk to officers and directors.
Bringing it together
These evolving and pressing global cybersecurity prescriptive requirements are changing the standards that boards of directors must meet to satisfy their “duty of care” legal obligation. Pressure from governments and regulators is on the rise, particularly as cybersecurity incidents persist and evolving AI implementations introduce new digital risks.
Boards would be well served to start on the road to improve cybersecurity and digital risk governance by taking the following steps:
- Organization: Review and evaluate how effectively your organization is structured for digital risk oversight. Reorganize and revamp management reporting, policies and procedures as necessary.
- Education: Embark on a continuous educational program throughout your organization, starting with the board, to develop the institutional judgment required to evaluate threats to complex digital systems. The ability to govern systems requires knowing how they work.
- Culture: Stress the shared responsibility of digital risk governance throughout the organization.
Digital risk governance is the responsibility of the board of directors and cannot be delegated to the management team. These evolving standards will require substantially more board involvement and an appreciation that there are no “check-the-box” solutions for digital risk oversight.