Discussion of cyber risk within corporate walls

Please weigh in: How will the SEC's action affect the discussion of cyber risk within corporate walls? Email me or reply to this newsletter. You might see your comments in a future edition.

Letter to the Editor WSJ Pro Cybersecurity

Dear Kim Nash,

I would like to express my personal thoughts on the SEC's recent actions and their potential effects on the discussion of cyber risk within corporate walls. The SEC's involvement is a significant step in the right direction. Cyber risk, like any other risk to a corporation, is indeed an enterprise risk that should be managed diligently.

One of the key issues in addressing cyber risk is the organizational structure that places CISOs under the CIO in many corporations, which can limit their direct access to the board of directors. Furthermore, the CEO or CFO may sometimes overrule the CISO, leaving them with responsibility but insufficient authority. This disconnect between responsibility and power needs to be rectified. (Quoted in the Wall Street Journal, 7 NOV 2023, page B5)

I strongly believe that this case will have a substantial impact, and it should. The outcome should lead to increased attention to cyber risk at the board level. Board members are expected to understand financial and legal risks, even if they aren't experts in those fields. Similarly, they should have a basic understanding of cyber risks, given the high reliance on technology and data in virtually all organizations. Cyber risks can have a direct and significant impact on financial and legal matters, making it imperative for board members to be informed.

While the SEC initially considered requiring board members to have a basic understanding of cyber risk, it's unfortunate that they backed off from this requirement. Such a requirement would have been a fundamental step toward proper governance. Without it, holding corporations accountable for failing to mitigate cyber risk effectively becomes challenging.

I hope the SEC will revisit and strengthen the requirements related to board members' understanding of cyber risk, as this is a critical aspect of corporate governance in today's digital age. With cyber risks being among the most significant challenges that organizations face, addressing this issue at the board level is not only prudent but also necessary for the protection of shareholders and the long-term success of corporations.

Thank you for providing a platform to discuss this crucial matter. I look forward to seeing how this issue evolves and how it shapes the future of cyber risk management and governance.

Sincerely,

Followup Article

"The U.S. Securities and Exchange Commission’s watershed lawsuit filed last week against tech provider SolarWinds and its top cybersecurity executive, Tim Brown, has sparked debate about the explicit and implicit responsibilities of corporate cyber chiefs. We asked readers how the case will affect the discussion of cybersecurity risk within corporate walls? Your many responses show that some CISOs are worried about personal liability and the cyber industry is divided on the complex issue. Read our full article on what your colleagues have to say." https://www.wsj.com/articles/how-will-the-secs-pursuit-of-solarwinds-affect-cyber-chiefs-readers-weigh-in-c7e7e8f0

What about Local Government?

The call for accountability and proactive management of cyber risk, as discussed in the letter to the editor, is equally relevant to local government entities. In a local government context, this means that elected officials and administrative leadership should take cyber risk seriously and prioritize it within their governance framework. Just as corporations are urged to have board members with cyber literacy, local governments should ensure that their elected officials and senior administrators possess a basic understanding of cyber risk. This knowledge empowers them to provide effective oversight, ask the right questions, and make informed decisions regarding cybersecurity measures. After all, in the digital age, local governments manage critical services, sensitive data, and taxpayer resources that deserve strong protection.

The principles of effective governance and oversight, particularly regarding cyber risk, should apply to local governments and elected officials in the same way they apply to publicly traded companies. The reason is simple: to protect taxpayers' investments. In an increasingly digital and interconnected world, local governments handle not only taxpayer money but also sensitive public data and critical services. A cyber incident in a local government can disrupt essential services, compromise public trust, and incur financial and legal consequences. Therefore, elected officials, similar to corporate board members, should be well-informed about cyber risks, engage in meaningful oversight, and ensure that their organizations have the necessary strategies and safeguards in place. Just as shareholders rely on corporate boards to protect their investments, citizens entrust elected officials to safeguard their resources and well-being in the digital age.

Just as boards of directors or elected officials require access to financial and legal expertise, they also need direct access to cyber risk expertise to ensure comprehensive governance. Local governments have dedicated individuals such as city attorneys and CFOs to provide insights into legal and financial matters, and similarly, having a Chief Information Security Officer (CISO) within the organization ensures access to cyber risk expertise. The role of a CISO is distinct from that of a Chief Information Officer (CIO), focusing on the management of cybersecurity risks. Elected officials and boards must understand that cyber risks are no less significant than financial or legal risks in the digital age. Just as they entrust CFOs and city attorneys for financial and legal guidance, they need a CISO to navigate the complex landscape of cyber threats and safeguards. This dedicated expertise empowers them to make well-informed decisions, exercise governance, and provide oversight necessary to protect critical services and taxpayer investments effectively.