Cyber Risk Disclosure: Navigating the Board’s Role in Transparency
As we continue our exploration of the critical role of board directors in cybersecurity governance, we delve into an often-overlooked aspect: cyber risk disclosure. In today’s interconnected and data-driven world, transparency regarding an organization’s cyber risk posture is essential.
The Changing Landscape of Cyber Risk Disclosure
In recent years, the regulatory landscape surrounding cyber risk disclosure has undergone significant changes. In the European Union, the General Data Protection Regulation (GDPR) mandates that companies operating in Europe must report data breaches to national authorities within 72 hours or face substantial fines. This is just one example of the increasing emphasis on transparency in cybersecurity governance.
Preparing for Disclosure: Board Oversight
While the responsibility for public disclosure often falls outside the boardroom, board directors play a crucial role in ensuring that their organization is well-prepared for disclosure before and after a breach occurs. Effective oversight includes developing and implementing disclosure controls and procedures.
Facing Regulators
For publicly traded companies, regulatory non-compliance due to a material breach can lead to legal penalties. In the United States, state governments set the level of fines, which can be substantial. It’s imperative that the board ensures that the organization can demonstrate good faith efforts to prevent cyber risks and disclose material breaches.
It’s equally important to be aware of notification costs imposed by local governments. In some states, like Alabama, failure to comply with notification laws can result in significant daily fines. A failure to comply could lead to additional legal, financial, and reputational costs. Therefore, the board’s oversight of the disclosure procedure is crucial to avoid non-compliance amid the chaos of a cyber incident.
The SEC’s Guidance on Cybersecurity Disclosures
The U.S. Securities and Exchange Commission (SEC) has issued interpretive guidance on cybersecurity disclosures. It includes restrictions on trading by insiders if the organization is investigating a cybersecurity breach. This is to prevent corporate insiders from trading before the company’s public disclosures regarding a material cybersecurity breach. Boards must be aware of the potential legal consequences for both the company and individual executives regarding insider trading.
Investor Scrutiny and Litigation Risk
Institutional investors are increasingly focusing on risk governance and cybersecurity. When board oversight of cyber risk is perceived as lacking, organizations can become the target of lawsuits. To mitigate this risk, boards must demonstrate that there is adequate expertise among directors, with training in cybersecurity and legal backgrounds where necessary. Boards should also be prepared to answer questions from institutional investors.
Creating a Disclosure Plan
To ensure effective cyber risk disclosure, the board and management should collaborate on a comprehensive disclosure plan. This plan should define which leaders will speak publicly in the event of a breach and what information will be disclosed. It should also be adaptable to evolving incident scopes, as the impact of a breach may change over time.
Facing the Public
While directors should not typically speak to the press, it’s crucial to be prepared for media interactions during a cyber incident. Cases exist where CEOs were replaced by chairpersons in crisis situations. Being ready to control the narrative and address the public’s concerns can be vital.
Board Oversight Questions for Cyber Risk Disclosure
Here are some questions board directors should consider:
- Authorized Communicators: Who is authorized to communicate with key stakeholders during a major cyber crisis? Are lower-level customer-facing employees prepared to handle inquiries during a breach, such as call center staff?
- Reporting Procedures: What are the organization’s procedures for reporting cyber incidents to authorities, such as law enforcement and regulators?
- Stakeholder Communication: How and when should the organization communicate with various stakeholders? Should the organization disclose information to the press, employees, suppliers, investors, and customers at different times?
- Insider Trading Measures: What measures are in place to prevent insider trading when investigating a cyber breach?
- Benchmarking Disclosure Processes: How effective are the organization’s disclosure processes compared to industry leaders and best practices?
Conclusion
Effective cybersecurity governance requires proactive preparation for disclosure before and after a breach occurs. By understanding their role in this process, board directors can help their organizations navigate the complex terrain of cyber risk transparency while maintaining stakeholders’ trust.
Larry Quinlan
Sources:
- IMD — (Board Oversight of Cyber Risks and Cybersecurity)
- HBR — (7 Pressing Cybersecurity Questions Boards Need to Ask)
- MIT — (Cybersecurity: Board Perspective)
