Strengthening Cybersecurity Risk Management: A Call to Action for Corporate Boards
Fobes.com

In this month's article, I wanted to discuss the recent events related to the SolarWinds executives receiving a Wells notice, and what corporate board members should be thinking about and doing to reduce the likelihood of this happening to them in the future. Since I recently completed the Qualified Technology Expert (QTE) course from Digital Directors Network, conducted by Bob Zukis, this event is timely. Much of what we learned in that course bears directly on preventing corporate leaders from becoming recipients of these notices.


First, I'd like to explain what an SEC Wells notice is and what it means to anyone with the unfortunate pleasure of receiving one. An SEC Wells notice is a formal notification sent by the U.S. Securities and Exchange Commission (SEC) to individuals or companies when the SEC is considering bringing legal enforcement action against them. It is named after the Wells Committee, which recommended its implementation.


Think of an SEC Wells notice as a warning or an early indication that the SEC is investigating potential violations of securities laws. The notice typically outlines the allegations and evidence gathered by the SEC during its investigation. It allows the recipients to respond and present their case before the SEC decides whether to proceed with legal action.


Receiving an SEC Wells notice is a serious matter because it signals that the SEC believes there may be sufficient evidence of wrongdoing. It is crucial for the recipients to carefully review the notice, seek legal counsel, and prepare a persuasive response to present their side of the story. The response can include explanations, evidence, and legal arguments to counter the SEC's allegations and potentially avoid formal enforcement actions, such as fines or legal penalties.


Ultimately, the SEC Wells notice is a critical step in the SEC's enforcement process: it gives individuals and companies a chance to defend themselves before any formal legal action is taken. With the SEC's proposed new cyber rules slated to be finalized in October, corporate leaders must be proactive concerning cyber risk. This issue is no longer just a technical problem but a business imperative that, if left unaddressed, can lead to severe consequences. With this in mind, let's talk about what corporate leaders and the Board should consider from a cyber risk management standpoint: what board members should know and how they can proactively educate themselves to navigate these challenges successfully.



The current cybersecurity ecosystem (people, process, technology) primarily addresses technical-level threats in order to mitigate risk. While the ecosystem continues to evolve, it still lacks the ability to contextualize cyber threats and incidents in terms of business, operational, and financial exposure. The "material" determination is influenced by the incident's impact on the company's business, operations, and financial condition. Below is an enumeration of the types of business and financial factors that should be considered when determining incident materiality.


I recently had a discussion with Christopher Hetner, an industry expert and former cybersecurity advisor to the SEC chairman. Among the things he advised executives to consider are the types of costs and adverse consequences that companies may incur or experience as a result of a cybersecurity incident, including the following:

  - Costs due to business interruption, decreases in production, and delays in product launches;
  - Payments to meet ransom and other extortion demands;
  - Remediation costs, such as liability for stolen assets or information, repairs of system damage, and incentives to customers or business partners in an effort to maintain relationships after an attack;
  - Increased cybersecurity protection costs, which may include increased insurance premiums and the costs of making organizational changes, deploying additional personnel and protection technologies, training employees, and engaging third-party experts and consultants;
  - Lost revenues resulting from intellectual property theft and the unauthorized use of proprietary information, or the failure to retain or attract customers following an attack;
  - Litigation and legal risks, including regulatory actions by state and federal governmental authorities and non-U.S. authorities;
  - Harm to employees and customers, violation of privacy laws, and reputational damage that adversely affects customer or investor confidence; and
  - Damage to the company's competitiveness, stock price, and long-term shareholder value.


Cyber risk management is a team sport that requires the entirety of the enterprise to ensure business resilience. What is required is a more inclusive message and collaboration that includes all enterprise risk management leaders.

Technology changes quickly, and cyber threats do, too. Static analyses of today’s risk are less helpful than establishing a regular flow of information to the board that supports cybersecurity investment decisions based on business, operational, and financial considerations. With the board’s eyes regularly on cybersecurity as an aspect of routine governance, directors will be equipped to comply with the SEC’s new requirements.

In today's digital landscape, cybersecurity risk management has become a critical priority for organizations across industries. With the proliferation of cyber threats and the potential impact on business operations, customer trust, and brand reputation, corporate boards must actively oversee and manage cybersecurity risks.


Understanding the Cybersecurity Landscape: Board members must grasp the evolving cybersecurity landscape and its implications for their organizations. They should maintain awareness of emerging attack vectors, evolving regulatory requirements, and industry-specific risks. Developing a foundational understanding of cybersecurity principles and practices is crucial to overseeing risk management strategies effectively.


Educate and Empower: To avoid receiving an SEC Wells notice and to fulfill their fiduciary duty, board members must proactively educate themselves on cybersecurity matters. This includes actions such as:


  1. Board-Level Cybersecurity Committees: Consider establishing a dedicated cybersecurity committee within the Board to focus specifically on cybersecurity risk management. This committee can regularly assess cybersecurity strategies, incident response plans, and risk mitigation efforts. This action is critical because technology and cyber risks are most often folded into the Audit committee's remit, and that committee structure can create gaps in understanding and competing priorities when addressing cyber risk. Also consider having members of this committee serve on the Audit committee. See FedEx's Cyber and Technology Oversight Committee as an example: https://investors.fedex.com/esg/board-of-directors/committee-charters/information-technology-oversight-committee-charter/default.aspx
  2. Cybersecurity Training: Participate in cybersecurity awareness and training programs tailored to the specific needs of board members. These programs should cover threat landscape awareness, incident response protocols, and regulatory compliance.
  3. Engage Cybersecurity Experts: Seek guidance from cybersecurity professionals with the knowledge and experience to provide insights on risk management strategies, emerging threats, and regulatory compliance. Establish a direct line of communication with the Chief Information Security Officer (CISO) and other cybersecurity personnel to stay informed and ask relevant questions.
  4. External Resources: Leverage external resources such as industry reports, research papers, and best practices from reputable cybersecurity organizations like NIST, ISO, and CIS to stay updated on the latest trends and recommended security controls.

Effective Oversight and Reporting: Board members should actively engage in oversight activities to ensure that cybersecurity risk management integrates into the organization's overall governance framework:

  1. Establish Clear Reporting Lines: Ensure that the CISO or equivalent cybersecurity executive has direct access to the Board. This action facilitates effective communication, allows for prompt reporting of significant incidents, and ensures the Board is aware of ongoing security initiatives.
  2. Regular Risk Assessments: Encourage comprehensive and periodic cybersecurity risk assessments to identify vulnerabilities and prioritize mitigation efforts. Board members should review risk assessment reports and actively participate in discussions to deliver insights and guidance.
  3. Incident Response Preparedness: Ensure the organization has a well-defined and regularly tested incident response plan. Board members should review the plan, validate its effectiveness, and ensure that appropriate resources are allocated to incident response preparedness.


As cybersecurity threats evolve, corporate boards must play an active role in addressing cybersecurity risk management. By understanding the cybersecurity landscape, proactively educating themselves, and engaging with cybersecurity professionals, board members can enhance their oversight capabilities and mitigate potential risks. This approach protects the organization from cyber threats and safeguards the interests of shareholders, customers, and other stakeholders. By taking a proactive stance, board members can minimize the risk of receiving an SEC Wells notice and demonstrate their commitment to effective governance and cybersecurity resilience.


Raymond Knott

Sr. Recovery Specialist at Synchrony

1 yr

Shawn, do some companies still not take cybersecurity seriously?

LaToya A.

Cybersecurity Professional | Incident Response | Process Improvement

1 yr

Another great article, Shawn. I particularly like how you mentioned "Static analyses of today's risk are less helpful than establishing a regular flow of information to the board that supports cybersecurity investment decisions based on business, operational, and financial considerations." Static analyses can indeed lead to the board having a false sense of security and not clearly understanding the org's current threat landscape.

Christopher Hetner

Senior Cyber Risk Advisor Serving the 24,000 Member Boardroom Community | Former Senior Cybersecurity Advisory to the SEC Chair | Former US Treasury Senior Cyber Advisor & G-7 Cyber Expert | Board Director | CISO

1 yr

Many thanks Shawn Robinson for the opportunity to contribute towards this critical and timely piece! X-Analytics (SSIC) NACD (National Association of Corporate Directors)