March 2, 2023 | 15 minutes
Woe betide the corporate board who doesn't take cyber security threats seriously. The 2022 Securities and Exchange Commission's cyber security proposals are expected to kick in within the next few weeks. However, are the boardrooms ready? Worryingly, some reports suggest that the majority should be having last-minute panic attacks. In this edition of Reimagining Cyber Extra, Rob Aragao and Stan Wisseman will be discussing what corporate boards and CISOs need to be doing.
Reimagining Cyber Extra! | SEC Cyber Rules Forcing Corporate Boards to Pivot | Rob Aragao and Stan Wisseman
[00:00:00] Stan Wisseman: Welcome back everyone, to another Reimagining Cyber Extra episode. I'm Stan Wisseman with Rob Aragao, my co-host. You know, by the end of 2022, it was almost cliche to say that cyber risk needs to be thought of as a business risk. I mean, from Log4j to the ongoing ransomware epidemic we just talked about a couple weeks ago to countries engaging in open cyber conflict.
[00:00:27] Stan Wisseman: If you think about what's going on in Ukraine and the events of 2022 certainly demonstrated that cyber incidents are very real and need to be taken seriously. And one group in particular that is increasingly having to take notice Rob is the corporate board, right?
[00:00:43] Rob Aragao: No question. We've talked about that quite a bit through different episodes and even beyond just the people that we're having on, on the podcast talk about this.
[00:00:51] Rob Aragao: It's, it's this critical need for the board itself to really understand what the actual risks are associated from a cyber perspective, right? There's just so many different kinds of elements that come into play. Last year was just kind of this monumental year that, you know, starts getting to that point of, let's understand, you know, how we actually are, are looking at the ramifications of cyber incidents.
[00:01:15] Rob Aragao: We've also discussed that there's this kind of, you know, vernacular that gets thrown around from a technology perspective and, and that kind of technology mindset that doesn't always jibe with what the business or a board member for that matter is understanding. So, you know, the good thing is we've seen a lot more of this inflection point occur.
[00:01:31] Rob Aragao: There's some things happening, but when you think about it, you know, boards are asking these questions now. You're hearing boards ask questions about, you know, what are the actual business critical assets that we have relative to the threat, you know, landscape, the threat to them from a cyber perspective that we have to take into consideration, how does that impact our business overall?
[00:01:48] Rob Aragao: And so those type of questions, that's a very positive, you know, kind of aspect of how we're seeing the shift to realizing the implications of cyber. So, you know, one of the things that, as we were just saying, is there's a big shift, there's a big push, but there might not be as big a push that we've ever seen in the past as one that's coming that's all about what the SEC is looking to do. Do you mind jumping to that a bit, Stan?
[00:02:09] Stan Wisseman: Yeah, sure. I mean, I, I think it was back in 2022, so last year, that the US Securities and Exchange Commission here first proposed that publicly traded companies have to report within four days if a cyber incident is “material”. Mm-hmm. And that requirement also applies when a series of previously undisclosed or individually immaterial cybersecurity incidents has become material in, in aggregate. And this rule,
[00:02:40] Stan Wisseman: which was again proposed last year, could become final in April. And this may not be new news for a lot of folks. It shouldn't be, because it's been out there as something that's been reviewed and talked about, but it's coming. And this could have an impact on every public company.
[00:02:54] Rob Aragao: Well, that's the key. It's every public company.
[00:02:57] Rob Aragao: What are some of the things that are required as it relates to disclosure, right? So, they have to actually disclose when the particular event or incident was discovered and whether it's been resolved, remediated, or if it's still ongoing. The specific details and description of the nature and the scope of the incident that, again, has occurred.
[00:03:19] Rob Aragao: Whether any data was stolen, anything was altered, accessed or used for any other unauthorized purpose. The effect, right, of the incident on the operations, right? Again, connecting back to the business operations, what the impact was there. These are things that they're tying into and have to disclose also through the 8-K form.
[00:03:35] Rob Aragao: Mm-hmm. And then actually keep up, right? And include in the 10-K, in essence, the annual report, right? So, you're going to see all this stuff to the public world. And this is another thing about impact to the business: shareholder value, right? The brand and all those kind of elements that come into play.
[00:03:49] Rob Aragao: That, again, we've talked about a lot. This is really kind of, finally, the teeth behind making it a reality, and the need for what the board members are going to have to get involved with.
[00:04:00] Stan Wisseman: I think the whole purpose of this is to try to increase transparency around cyber security, risk management, and governance, and how organizations are doing this.
[00:04:09] Stan Wisseman: The rule is designed to compel boards that haven't been taking cybersecurity seriously to do so. But I do think it's also created some trepidation or some concern between the board of directors and those that are in the front lines, the CISOs or the directors of information security.
[00:04:29] Stan Wisseman: I think it puts some tension on those relationships. And some uncertainties as far as, you know, who's going to do the work to actually do that reporting effectively.
[00:04:42] Rob Aragao: On that point, who's going to be actually responsible for, you know, kind of going through and governing the cyber risk aspect?
[00:04:48] Rob Aragao: And you've heard some, well, geez, it just fits into what the audit committee does today. Well, yes and no, and more so on the no side, because, you know, there's not this connection back into what the technology risks are, per se, and the cyber incidents impacting them. And gosh, don't they already have enough on their table?
[00:05:05] Rob Aragao: And what they have to deal with. That's going to be interesting to see. I think it may start out there with some organizations, but they'll probably quickly find out that they need to actually kind of segment that up a little bit more, I would think.
[00:05:16] Stan Wisseman: Well, to your point, I think they've either relegated cybersecurity to the audit committee, or they've brought on a couple board members that might have the technical prowess to be able to ask the right questions to be able to govern it effectively.
[00:05:28] Stan Wisseman: But it, you know, it's interesting. I saw a recent survey by Diligent Institute. They are focused on corporate boards and they surveyed 300 different board directors about their, you know, understanding of cybersecurity, and the majority, and this isn't too surprising, admitted that they really do struggle with the technical concepts, the vocabulary that you and I are very familiar with, but it's not their domain.
[00:05:54] Stan Wisseman: They're more, you know, associated with business, and this is really a foreign area for them, and their lack of fluency around the language of cyber risk, I think, you know, is, is going to be a challenge. Do you have to have some kind of additional education to help these board members out to be effective?
[00:06:12] Rob Aragao: Right, right. And that's also part of the ruling, right? They're calling out the need for someone or a couple members on the board to have some sort of, you know, cybersecurity expertise. To what level, right? That's kind of the little gray area, obviously, at this point. But again, I think the boards will obviously, and the organizations will obviously, see the need to ensure that there's some form of SME from a cyber background
[00:06:33] Rob Aragao: there to do the interpretation. I think we all need to do a better job of interpreting it for the business in the first place. And that will come over time again as this matures. But just understanding that there's a need for being able to say, hey, we need to have board member presence that has cyber experience.
[00:06:49] Rob Aragao: We need to either break things out into more of a committee that is cyber oriented. We also have to answer questions asked, you know, what's the frequency, kind of the cadence of our discussions relative to cyber. Right? Right.
[00:07:02] Stan Wisseman: You can't just do it annually anymore. You need to have 'em much more frequently.
[00:07:04] Rob Aragao: And different CISOs that we've talked to ourselves.
[00:07:07] Rob Aragao: Right. Stan, as it relates to, what is it? As far as their conversation at that point when they're, you know, engaging with the board. Well, on average I've got maybe about seven minutes to go in and discuss, you know, here are the things that we're seeing. Here are the ways that we've dealt with things that may have impacted us.
[00:07:24] Rob Aragao: Here are the things that we've found as gaps and how we're filling those gaps. You know, this is kind of the, the vision forward. And some of that behind that kind of readout, if you will, is translating also: here's how I'm asking for additional funding, too, to get to those things as well. Right. So it's, it's going to be even a, a bit trickier, but again, I think, you know, just the, the role of the CISO
[00:07:43] Rob Aragao: is going to change even further than what we've seen. Right. We've talked about this for a while. Mm-hmm. Reporting structure, mm-hmm, as an example. Mm-hmm, right. The CISO reports to the CIO in some cases, and in other cases it reports to other parts of the business. This is going to push it really, I would think, for most organizations to completely rethink where the CISO reporting structure is.
[00:07:59] Stan Wisseman: Well, they may have to be at the table. I mean, they may actually be a, a, a truly a C-level executive as opposed to reporting to either the CIO or the CFO or the CRO.
I also hope that, hopefully, better or greater understanding of the domain and the issues and the stresses and the pressures on the CISO and the information security organization and what they have to deal with every day hopefully will arm them, you know, the, the board will give them the resources they need.
Not saying that they aren't funding security. Many times they are, but they need to take the actions to help build that resilience into the organization. And hopefully they get enough awareness of the topic area and the understanding of the vocabulary well enough to be able to have true conversations about where to best fill in those gaps.
[00:08:51] Stan Wisseman: Agreed.
[00:08:52] Rob Aragao: Completely agreed. I think, you know, the other thing, as I've seen a bit more of this happening, you're seeing some of these, let's say, pioneers of this model, if you will, of how they engage at this, at the board level from a CISO role, take it in the approach where the CISO has gotten to the point in that more, let's say, kind of evolved or mature, mature organization, knowing how to have that right conversation with the right vernacular being used.
[00:09:18] Rob Aragao: And they're very much also from a day-to-day business operation, interacting at the business kind of level of discussion. Mm-hmm. and outcomes, what's our roadmap for our business strategy? And then the deputy CSO is now the person that's been more of the, okay. You're going to be taking on the reins of really the technical aspects, the technology, right?
[00:09:37] Rob Aragao: There'll be a security architecture kind of individual that may be mapped back in to support you as well, but you'll be doing all of that assessment as to, how these things translate down into what the actual technology areas are we focusing on, or the actual implementation.
[00:09:49] Stan Wisseman: Yes. Of how do you close those gaps?
[00:09:53] Rob Aragao: Right, right. So I think all of it, you know, again, it's, it's a great sign of the times of maturity, even that role of the BSO, right. We've seen that continue to evolve, and that translation there again is needed. And that's in bigger organizations, obviously, where it's much more, there are different lines of business.
[00:10:07] Stan Wisseman: No, but you've, you've embedded the, the security officer into that business unit to be able to have that context, mm-hmm, for why that business is trying to do what they're doing, and then how do you secure it to be able to fulfill their mission.
[00:10:19] Rob Aragao: All the relationships, right, are established on, and, and there's really good synergies there to understand how we actually work together to get the outcomes they need and how we ensure that cyber is, again, embedded into it.
[00:10:28] Rob Aragao: So a lot going on at this point in time. I think it's a very interesting aspect to see kind of how this, this changed. The other thing on this that's going to be interesting is what's the ramification of the SEC ruling going into, and how is it translated into organizations back to the cyber insurance coverage, right?
[00:10:45] Rob Aragao: Cause they're going to be required, but like, is it adequate enough? What are they looking at and what are the needs that they got forward, and how does that actually kind of change things up potentially in that arena as well? That'll be interesting to see.
[00:10:56] Stan Wisseman: Well, I, think that, you know, some organizations have played fast and loose with their disclosures.
[00:11:00] Stan Wisseman: Mm-hmm. And haven't necessarily been even transparent. There are a lot of organizations that don't disclose what's going on. I think we were talking about this in the context of the ransomware attacks and, and how a number of organizations were helped by the Hive takedown. Quite a few weren't, because they didn't disclose to law enforcement what the heck was going on, right?
[00:11:19] Stan Wisseman: So they couldn't get helped. And so, you know, I, I think that, you know, this new rule should reinforce the need to be more diligent in the disclosure. But you and I both know it's not easy. I mean, that four-day requirement, as you're still trying to understand what's going on with the incident and having to react as quickly as you can,
[00:11:40] Stan Wisseman: but at the same time, you're juggling the rest of the business.
[00:11:46] Rob Aragao: It's, it's, it's going to be a challenge for businesses, I think to, to comply effectively. I think it's going to be a major challenge because for the majority of the businesses, by far, it's going to be where there's really this need to create a new process.
[00:11:56] Rob Aragao: Right? How do we, in essence, kind of measure things quantitatively and qualitatively, determine that it's actually something that, you know, is occurring, and here's details associated to it being material, quote unquote, that we need to now go and disclose, right? And, and again, follow that process
[00:12:13] Rob Aragao: to do the right thing in the right time. The four-day window is a very tight time, in actuality.
[00:12:18] Stan Wisseman: Yeah, so again, you know, boards of directors can no longer ignore cyber security. I think if you aren't already familiar with this proposed SEC rule change, I recommend you look into it, especially if you're a publicly traded company, and, you know, recognize that the leadership of your information security team needs the resources to be able to effectively respond within the time constraints put in place.
[00:12:43] Stan Wisseman: So, hey. Another extra episode. It's been great talking to you about this. Till next time, as always.