In this day and age, cyber warfare is rampant. Cybersecurity is a major concern among organizations and governments alike. Imagine a situation where a company goes bankrupt because of a cybersecurity attack.
Now, what if it's a company listed on the stock exchange?
It's devastating and would be a financial wipeout for shareholders.
So, the SEC proposed a rule that will be a game changer for all companies.
If this confused you, we've got you covered. We'll explain:
What are the cybersecurity risks for organizations?
What rule has the SEC proposed?
What is the impact of this rule on organizations, the board and shareholders?
How to increase cybersecurity awareness in the boardroom?
In the next few minutes, we'll clear up all your questions.
So, let's dive right into this, shall we?
What are cybersecurity risks for organizations?
Does your organization have fire alarms and extinguishers in the building? Well, obviously yes.
But does the behaviour extend to cybersecurity?
Every organization, whether gigantic or a small business, needs to secure its assets. With more internet penetration, the risk of cyber attacks drastically increases too.
Let's put it into perspective with numbers.
Ransomware, one of the most common cyberattacks, had a 13% rise in 2022, which was a bigger spike compared to the last five years combined. (SOURCE)
Now, when we talk in terms of financial damage, this statistic will blow your mind.
As per reports by IBM, the average cost of a data breach globally in 2022 was $4.35M, with it being double in the United States at $9.44M. (SOURCE)
Organizations have data that is worth billions. This makes them a target for cybercriminals.
There is not just one type of attack but many.
So, to sum it up, every company is reeling from such threats.
Especially with hybrid work models becoming the new industry norm.
For small and medium businesses, the owners should invest heavily in cybersecurity.
However, for larger companies, it has to be approved. The decision finally falls upon the board of directors of these companies.
This is where the SEC proposal becomes relevant.
What rule has the SEC proposed?
Back in March 2022, the SEC proposed a rule titled Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure.
For those who want to read the entire proposal, we are linking it HERE.
For others, we'll break it down into a short summary.
Before that, what is the SEC? The SEC or Securities and Exchange Commission is an independent agency of the United States federal government.
They oversee and regulate the securities market in the USA.
Apart from that, they protect investors against fraudulent practices.
Now you'll wonder, what have they got to do with cybersecurity?
Let's recall the introductory paragraph of the blog.
We spoke about the bankruptcy of a listed company in case of a cybersecurity attack.
This could potentially wipe out investor money.
That's where the SEC is stepping in and proposing a new rule.
As per this, public companies will have to disclose whether their boards have members with cybersecurity expertise.
Not only that, there are other provisions, including how:
The company assesses and manages cyber risks.
The board is involved in cybersecurity insight meetings and the frequency at which they are conducted.
The management implements cybersecurity policies, procedures, and strategies.
The board incorporates potential attacks as part of its risk management, business strategies and the organization's financial plans.
Basically, the entire cybersecurity readiness of the company and board comes under the radar.
Now that we know the proposal, let's talk about how this will change things.
What is the impact of this rule on organizations, the board and shareholders?
Every organization will NEED to be prepared for a cybersecurity attack. Yes, you heard it right. It's not only about securing themselves from a potential threat.
There also needs to be a backup recovery plan in case of a successful cybersecurity attack.
And this has to be done with little to no damage to the operations of the company.
Alongside business continuity, the financial and reputational damage should also be controlled.
This would require insights and a clear action plan from the board.
The board members would NEED to possibly overhaul their existing plans and invest heavily in cybersecurity.
As the disclosure will give comprehensive data on cybersecurity capabilities, it would directly affect the stock price of the listed company.
Also, it is predicted that by 2025, 60% of investors and VCs will use cybersecurity risk as a key factor in assessing new business opportunities. (SOURCE)
So, the board can no longer divert the focus to the yearly cybersecurity and phishing training. They would need to take robust action in this respect.
The report would help the shareholders/investors to make informed decisions while investing in companies.
Moreover, the existing shareholders can also vote for the board members based on their cybersecurity experience. So by and large, it would be beneficial for everyone in the long run.
This brings us to our final question of how the board can be actively involved.
How to increase cybersecurity awareness in the boardroom?
It all comes down to how the board of directors handles this. Let's discuss how organizations can facilitate better awareness:
Bridge the gap between board members and the cybersecurity team. The CISO (Chief Information Security Officer) will play the most vital role in maintaining communication and briefing the board members about cybersecurity incidents. These meetings should take place regularly and other cybersecurity executives can be involved. This will keep the board updated about the findings and potential threats.
Cybersecurity readiness should be discussed in board meetings. Discussions should not be limited to the ongoing incidents but should also cover the overall preparedness of the organization in the event of a cybersecurity attack, as discussed earlier.
Hiring external cybersecurity companies. Outsourcing cybersecurity can be highly economical and beneficial. They can present their unbiased findings of vulnerabilities and other gaps to the board. The expertise and years of experience of these organizations are critical factors. They can set up the infrastructure or audit the existing one through professional services, or provide their support services, including premium care and overall cybersecurity planning. MailSPEC is one such organization which has been trusted by over 17,000 organizations globally.
This SEC ruling, if approved, would be historic. It would change the way investors look at cybersecurity, and would go a long way in strengthening the capabilities of organizations and the board in dealing with cybersecurity incidents.
It's not only about protection from cyber attacks but also about dealing with the aftermath of a potentially successful one.
Cybersecurity is a rapidly growing concern and its impact is bound to rise over the years. With the SEC's new rule, there will be transparency in the capabilities of organizations to tackle such threats.