It’s Happening Again – Massive Change Expected to America’s Boards of Directors, 20 Years After Sarbanes-Oxley
Not since 2002 and the passing of the massively consequential Sarbanes-Oxley Act, when the Securities and Exchange Commission (SEC) required America’s boards of directors to appoint Chief Financial Officers and form audit committees, has there been such a critical impending change to board skillsets and reporting. The SEC has once again identified a serious gap in board expertise, governance, planning, accountability, public disclosure and response – this time in the areas of cybersecurity and risk assessment – and is making regulations to address it, expected by the end of this year.
“Strengthening the boardroom for cyber control in 2022 is as vital as strengthening the boardroom in critical financial reporting control was in 2002.”
– Harvard Law School Forum on Corporate Governance,
Proposed SEC Cyber Rules: A Game Changer for Public Companies
The SEC’s proposed amendment requires boards to begin reporting on material incidents and providing updates; initiating and reporting on policies and procedures to identify and manage those risks; reporting on their impact on the bottom line; reporting their resolution; and notifying investors about those incidents. Thus far, the SEC has only described the specific outcomes it wants to see implemented and has not provided specifics about how companies can best satisfy the new requirements.
DHR Global has been actively focusing on what the right cybersecurity expertise encompasses at the board level and how it will dovetail with other board positions such as the Chief Information Officer, and is recommending that its clients get ahead of the new rules by recruiting highly qualified Chief Information Security Officers (CISOs) to take their seats at the table as board directors. According to DHR’s proprietary research, to date only 7 of the 500 largest public companies in the U.S. have an experienced CISO currently sitting on their corporate board of directors.
“Among our clients we are increasingly seeing that cybersecurity is becoming a new agenda item at every board meeting,” said Heather Smith, Partner in the Board & CEO Practice at DHR. “Our research shows that the vast majority of boards do not have a CISO among them. As such, non-technical board members are called on to provide guidance on cybersecurity risk. It’s becoming apparent that there is a specific cybersecurity skillset that we are recruiting for to meet both the current need and the impending SEC requirement.”
“The ideal board CISO provides a competitive advantage and brings relevant, recent experience from the last two years, has a long lens when it comes to the latest cyber vulnerabilities and a strategic, proactive outlook, and is able to communicate effectively regarding what risk management entails at the board level. They understand IT security but also the company’s strategy and how IT should support that strategy,” added Kathryn Ullrich, Managing Partner in the Advanced Technology Practice at DHR.
The Threat Is Varied, Affecting Every Segment and Industry
What has caused this massive threat and critical omission at the board level? Digital technologies and their impact on the modernization of networks and infrastructures are at the heart of the issue. Already in play, these changes have been sped up out of necessity by business closures and remote workers due to Covid, workplace re-openings and a newly hybrid workforce, supply chain disruptions, applications and operations moving to the cloud, a slew of new Internet of Things (IoT) devices, and multi-domain networks in which Operations Technology (OT) and Information Technology (IT) networks are merging. All of these have opened many new and ever-evolving avenues for hackers into the heart of economies, businesses and everyday life. According to the World Economic Forum, 70 percent of economic growth is now being driven by digital technologies.
First, Some Eye-opening Numbers to Put With the Threat:
- Cyber-attackers can breach 93% of company networks, according to new research from Positive Technologies.
- Cyberattacks in 2021 increased by 50% when compared to 2020, as reported by cybersecurity firm Check Point.
- Cybercrime cost U.S. businesses more than $6.9B in 2021, the FBI told Newsweek in March 2022.
- 29% of CEOs and CISOs and 40% of CSOs (Chief Security Officers) admit their organizations are unprepared for a rapidly changing threat landscape, reports Thought Lab from their 2022 cybersecurity study.
Today’s cybersecurity threat takes many forms and can vary by industry. Among this year’s top issues according to CSO Magazine: ransomware, cryptomining/cryptojacking, deep fakes, video conferencing attacks, XDR (extended detection and response across endpoints, email, identity and access management, network management and cloud security), operational attacks against IoT and OT, and supply chain attacks such as the recent SolarWinds breach.
- Education: Outdated technology, massive stores of data and hybrid campuses are putting education at risk. Data breaches, phishing and ransomware are the top methods for attack here.
- Healthcare: In healthcare, it is the vast number of new medical and IoT devices now on the network that are most at risk, with hackers targeting patient care devices, launching distributed denial of service attacks, demanding ransom and holding hospitals hostage.
- Manufacturing: In manufacturing, as multiple OT, IT and cloud networks connect for the first time, the lack of end-to-end security is causing issues as new, wireless endpoints and legacy systems suffer from weak encryption impacting production and distribution.
- Energy: In energy, it is inefficiencies in identity and access management and a lack of system integration that cause vulnerabilities in the supply chain.
- Financial Services: Financial services continue to be threatened by data breaches from ransomware, phishing, web application and vulnerability exploitation and denial of service attacks.
Real World Voices from the Trenches
A former CISO at General Motors and Visa, and current advisor to CISOs and companies on how to effectively present to the board, James Christiansen has raised another issue beyond the lack of cybersecurity expertise. “Today’s guidance from the National Association of Corporate Directors about what the board should be asking falls short of the practical because it doesn’t provide knowledge of how to interpret the answers given to those questions,” he said in a recent conversation with DHR. “You have to watch for executives providing overly rosy pictures of the state of cyber readiness from dashboards that provide numbers but little understanding of the actual risk and how to address it.”
Meredith Griffanti is a senior managing director and co-leads FTI’s cybersecurity and data privacy communications team, one of the largest crisis communications practices focused specifically on cybersecurity. FTI has advised hundreds of companies, including financial services firms, critical infrastructure operators, leading technology providers, hospitals, schools and the government, on cyber incident response and preparedness. FTI’s recent research found that 82% of surveyed CISOs claim that they feel pressure to present a positive, ‘everything is covered’ picture to the board. “In today’s dynamic and fast-moving cyber threat landscape, it is essential for both risks and investment needs to be effectively communicated to the leadership and board of every company. Without a clear understanding at the highest levels of an organization’s cyber risk profile, companies will be left vulnerable to cyberattacks of all kinds,” Griffanti said.
Andre Mintz, a 30-year veteran of building and leading information security programs at global scale at companies such as Meta, financial services firm Newport Group, Red Ventures, Reuters, Microsoft and Kinko’s, was placed by Kathryn Ullrich as CISO on the board of Absolute Software (NASDAQ: ABST), an endpoint resilience solutions provider embedded in over half a billion devices. He described the role of a board CISO this way: “My job as an integral part of the board is to participate not only at ‘report outs’ when cybersecurity comes up, but to be part of all the board’s discussion around business strategy, vision and direction, so that I can clear a path and future-proof or get ahead of where a company is going as it enters new markets or encounters threats. I want to ensure the right controls, certifications and processes are in place well before it is necessary, so that the company doesn’t have to slow its progress and can remain agile no matter what the business encounters.”
Thanks to the SEC’s new cybersecurity requirements and the growing threats evolving from digital technology and the use cases and business models they enable, there is a huge opportunity for CISOs to broaden their roles into the boardroom.
This is the first in a series of articles on CISOs in the Boardroom from DHR. Next, DHR will reveal the results of a recent research study across 500 public U.S. companies on the topic and share education on what qualifications CISOs need in the boardroom.
Meet the Experts
Kathryn is a Managing Partner in DHR’s tech-focused Silicon Valley office, and a member of the Technology, Private Equity and Diversity Practices. Kathryn focuses on Board, C-suite and VP-level executive searches for leaders with skills in disruptive and innovative technologies, including cybersecurity companies and CISOs.
As a member of the Board & CEO Practice at DHR, Heather works with clients to successfully place C-level executives, chairmen, CEOs and board directors. Heather works with public, private and private equity-owned corporations across industries to build and refresh boards and execute CEO succession plans.