Understanding the need for effective cybersecurity risk management in today’s digital landscape, and the board of directors’ role in that risk management, compels organizations to transform.
How boards of directors recruit their members continues to change in response to constant changes in global compliance, the growing complexity of cyber attacks, and the ongoing risks organizations face.
How are the Recent SEC, DORA, and NIS2 Reporting Requirements Changing the Board of Directors Agenda?
With new national and global compliance mandates, the composition of the board of directors and its charter need to evolve. Board members need to gain knowledge of cybersecurity risks. They must also participate in training and development programs, and the board must include colleagues whose business and professional backgrounds differ from those of the existing members.
Changes in global, federal, and regional compliance regulations from the Securities and Exchange Commission (SEC), the Digital Operational Resilience Act (DORA), and Network and Information Systems Directive 2022 (NIS2) compel organizations to change the makeup of their Board of Directors and their managerial procedures.
- SEC: The SEC requires companies to disclose cybersecurity incidents within four days. Furthermore, they must include their cyber risk management strategy in their annual 8-K instead of the 10-K or 10-Q. Companies must also report the impact of material cybersecurity incidents on their organization.
  - The new SEC rules narrow the scope of the cybersecurity incident process and its reporting, and allow a limited delay in disclosure if the breach poses a risk to national security.
  - The SEC requires organizations to disclose their risk management strategy, including whether they engage third-party service providers, external assessment teams, consultants, and auditors.
  - The SEC also requires full disclosure of the board of directors’ role in oversight, and identification of the board committees and members responsible for cybersecurity threats and risks.
  - The SEC requires disclosure of any process that defines how the board of directors and its subcommittees are notified of a cybersecurity threat.
  - The SEC ruling went into effect on December 18, 2023.
- DORA: DORA requires all EU financial institutions to comply with it. Compliance will enhance their ability to prevent, detect, and respond to IT and cybersecurity incidents, reducing the potential impact on business continuity, reputation, and legal liability. The DORA legislation has several focus points, including:
  - ICT risk management.
  - ICT-related incident management and reporting (24h+).
  - Red team penetration testing for larger organizations.
  - Fines for individual members of the management body.
  - Third-party/supply chain risk management.
  - Implementing the DORA regulation is specific to the financial services space.
  - DORA will go into effect on January 18, 2025.
- NIS2: NIS2 mandates that Member States designate national authorities to oversee cyber crisis management, implement national plans for responding to large-scale cybersecurity incidents and crises, and establish the European Cyber Crisis Liaison Organization Network (EU-CYCLONe) to facilitate coordinated management of major cyber attacks.
  - NIS2 applies to critical infrastructure, operators of essential services (OES), and public companies.
  - NIS2 requires all EU member states to adopt a cybersecurity strategy.
  - “Member states are required to designate a Computer Security Incident Response Team (CSIRT). This team handles risk and incident handling and designates a single point of contact for liaison to support cross-border collaboration.”
  - Digital service providers (DSPs) must comply with the security and notification requirements.
  - NIS2 updated its requirements for the security of supply chains and supplier relationships.
  - Member states under NIS2 should engage third-party assessment firms to conduct executive risk management assessments of critical supply chains and future 5G networks.
  - NIS2 will go into effect on October 17, 2024.
How Should the Board of Directors Conduct a Litigation Risk Discussion with the CISO?
Most cybersecurity breaches eventually become a litigation risk to the organization. Consequently, organizations could face legal action from their business partners, investors, and customers because of a cyberattack. An organization that cannot comply with a privacy regulation, or that demonstrates negligence, could be subject to fines. It could also become the recipient of a cease-and-desist order from a court.
These ramifications will increasingly become topics that boards of directors discuss with the organization’s CISO. A significant share of legal issues originates in business decisions made by the board of directors, the CEO, and executive leaders. These decisions include acquiring a company, expanding into a new geographic market, or announcing the end of life of a popular product or service offering. Each such decision either raises or lowers the organization’s risk exposure.
When a decision expands the organization’s attack surface and risk profile, and increases its obligation to report under its disclosure controls, the CISO takes a strong interest in boardroom decisions. If the organization places applications or data within a hostile country, or competes in a new market highly susceptible to cyber attacks, insider threats, and physical security risks, the CISO needs to develop a protection strategy.
The board of directors’ discussion of the increase in cybersecurity attacks coincides with the rise in legal implications. Ideally, the board of directors would give the CISO early access to expansion plans. This early access allows the CISO to voice support or concerns, including how the security and risk posture would change because of the new business decision. The CISO could also provide the board with initial cost estimates for protecting the organization. That cost would combine human capital resources, the potential increase in cyber insurance premiums, and the expected rise in remediation costs if the organization suffers more cyber breaches.
Another concern the CISO will consider is whether the new business decision moves the organization into a region that adds further compliance mandates. These mandates could include DORA or GDPR if the organization is opening new business operations in the EU, or CCPA if it is expanding into California.
The decision to move into either of these locations would also result in additional legal and compliance notification expenditures. By opening access to the organization’s strategy early, CISOs can apply their experience to help the board of directors better understand the cost, legal, compliance, and risk implications of future business decisions.
With periodic risk assessments, risk retention strategies, and the proper business resources in place, the CISO can draw on these tools and resources to present recommendations to the Board Cybersecurity Committee.
Should Cyber Insurance Become a Management Board of Directors Oversight Responsibility?
It is projected that in 2024 there will be a shift towards a core control or framework-based approach to cyber insurance. This transition will allow providers to establish standardized coverage for all cyber threats, ultimately decreasing the risk and liability connected to cyber policies.
Cyber insurers suffered heavy losses in the past few years because of ransomware attacks and business email compromise claims. As a result, they raised premiums significantly in 2021, 2022, and 2023, sometimes by 50% to 100%.
Insurers are now challenging their own policies.
The organization’s board of directors should include premium increases in their oversight duties. Cyber insurance has grown in the past three years. Insurers have adapted to additional risks like AI and global conflict. They have added new categories, such as “Acts of War,” to their policies.
Merck, a pharmaceutical company, won a $1.4 billion dispute with Ace American Insurance Company. The insurance company refused to cover damages from a malware attack on 40,000 computers, claiming it fell under a war exclusion clause because of the Russian Government’s involvement.
However, a New Jersey judge disagreed and ruled in favor of Merck. The judge stated that the insurer had failed to inform Merck that cyber attacks were excluded.
Cyber attacks cost organizations millions of dollars, even with cyber insurance. Governments and private organizations acknowledge the significant impact of cyber threats on national security and the economy. The potential social and political consequences of widespread data breaches influence the development of new cybersecurity regulations. For example, in the United Kingdom, organizations must adhere to the Product Security and Telecommunications Act by April 2024. This act establishes essential security standards for networked products, prohibiting default passwords on products as shipped.
The management board of directors needs to be involved in deciding which insurance carrier to use. If the organization plans to acquire a new company or release a product, this will raise the insurance premium cost.
How Will Future Acquisitions, Sales of Assets, and Cybersecurity Attacks Against Their Supply Chain Change the Management Board Committee’s Charter?
Cyberattacks affect different parts of any organization. When selling an asset, whether inventory, a building, or an entire factory, the coupling and decoupling of these assets creates several vulnerabilities open to hackers to exploit. Disconnecting a factory from the operational technology (OT) network and redirecting it to the public-facing Internet of Things (IoT) exposes legacy network devices and controls to a host of new attack threats. The organization’s supply chain, including the smaller firms providing critical components and materials, often becomes the weakest link and the target of attacks. Depending on a global supply chain without a unified security framework, processes, monitoring, and incident response opens the entire chain to cyber risks.
Poor cybersecurity practices and the substantial, growing risks from cybersecurity threats are drawing more negative attention. Board members are trying to increase the alignment of cybersecurity with business strategy decisions. Boards want more oversight of the security posture and the identified risks. On the whole, they want better and more active engagement with the Chief Information Security Officer (CISO), even when they lack the knowledge or expertise. Boards must discuss the risks caused by cybersecurity and make plans to manage them. By having the right conversations, boards can ensure proper cybersecurity oversight.
Should you need help or advice at the board level, please contact Cubic Consulting at https://cubic.consulting. Help includes personal training, risk meeting preparation, cybersecurity strategy review, and more.