Cybersecurity is no longer just an IT issue — it is now a critical part of the environmental, social and governance (ESG) landscape. Much like a natural disaster, a cybersecurity breach can have devastating and far-reaching consequences too significant to ignore. Even the slightest attack can cause reputational damage and financial losses, leading to an erosion in trust among stakeholders and shareholders.
As a result, in today's digital reality, boards of directors cannot afford to gloss over cybersecurity as a complex and abstract issue. In an era where boards are increasingly being held accountable for cybersecurity risks, members must understand the details and technicalities behind the cybersecurity measures in place.
Earlier this year, the Securities and Exchange Commission (SEC) proposed new disclosures that public companies would need to make about their corporate boards regarding cybersecurity. And although the regulations wouldn't affect every organization, they present a prime opportunity for all boards and executives to decide how they want their companies to address cybersecurity breaches — and to figure out what role board members serve in the process.
What Are the Proposed SEC Rules?
To encourage boards to be more informed and aware of cyber risks and responses, the SEC has published proposed disclosure requirements that would increase scrutiny of how boards oversee cybersecurity-related activities and decisions. The goal is to help investors evaluate public companies' cybersecurity practices and incident reporting, and to generally increase accountability.
The proposed board-related disclosures companies would need to include in Form 10-K annual reports are the following:
- The name of any board member who has cybersecurity expertise and the nature of the expertise
- The board's level of oversight of cybersecurity risk
- How often the board considers and discusses cybersecurity with relevant experts
- In what ways the board considers cyber risks in relation to the company's business strategy
The proposed changes came after calls were made for stricter cybersecurity efforts in the wake of the SolarWinds software breach. In one of the most significant breaches in recent years, hackers targeted and accessed sensitive data from 18,000 SolarWinds clients, including Fortune 500 companies and the U.S. government. The attack resulted in SolarWinds investors suing the software company's board of directors, claiming they didn't provide proper oversight of SolarWinds' cybersecurity.
What Are the Consequences?
The risk of cyberattacks grows every day. And yet, many boards of directors lack the experience or knowledge to assess their company's cybersecurity posture adequately. This is a serious problem, as boards oversee management and make decisions that affect the entire company. Without a good understanding of cybersecurity, boards may make decisions that put the company at greater risk, such as not correctly funding cybersecurity measures or failing to implement specific policies that protect sensitive data.
A company that openly discloses that its board lacks cybersecurity expertise, or that cybersecurity isn't integrated into its business strategy, will likely face an uphill battle courting investors or building a trusted reputation; furthermore, the company could be deemed negligent. Should a major cybersecurity breach occur, the company's board of directors could be held liable in court. Given the high stakes, companies need to prioritize cybersecurity at the highest levels of their organizations.
How Can You Strengthen Your Board?
One way for boards to become more educated about cybersecurity is to consult with experts regularly to stay up to date on the latest threats and vulnerabilities, as well as the best practices for safeguarding against attacks. In addition, boards can also benefit from attending conferences and workshops on cybersecurity, which can provide them with valuable insight into this complex topic.
Another way for boards to become more knowledgeable about cybersecurity is to create a committee dedicated to the issue. This committee can keep abreast of new threats and vulnerabilities, and it can develop and implement policies to mitigate risks. Alternatively, industries may see a new brand of board members take a seat at the table: members with backgrounds and experience in cybersecurity might be onboarded as subject matter experts to specifically address relevant questions and concerns.
How Far Is Too Far?
The proposed rules may be a wake-up call for corporate boards and are widely seen as a step in the right direction, as they would prompt boards to take cybersecurity strategies more seriously and hold board members accountable for negligent cybersecurity practices.
However, the rules also raise further questions about the accountability of boards when it comes to cyber breaches. What constitutes negligence? Cybersecurity attacks don't occur in isolation, so where do you draw the line in determining whether the root cause is board negligence? These critical questions must be thoughtfully considered to ensure that the proposed rules effectively protect companies and consumers from cyber threats.
Should We Hold Boards Accountable in Other Areas?
The new SEC disclosure proposals have generated a lot of discussion about the accountability of boards of directors and the future directions the conversation could take. This increased focus could see shareholders and stakeholders looking to boards for more strategic guidance and insight regarding other issues, such as ESG and corporate social responsibility (CSR).
Should boards take a more active role in overseeing sustainability initiatives and ensuring that companies meet their ESG targets? Are they responsible for ensuring that their companies are taking measures to meet CSR goals? Boards may want to ask these questions while evaluating their roles to best prepare themselves for increased responsibility and accountability.
Copyright © 2022, CBIZ, Inc. All rights reserved. Contents of this publication may not be reproduced without the express written consent of CBIZ. This publication is distributed with the understanding that CBIZ is not rendering legal, accounting or other professional advice. The reader is advised to contact a tax professional prior to taking any action based upon this information. CBIZ assumes no liability whatsoever in connection with the use of this information and assumes no obligation to inform the reader of any changes in tax laws or other factors that could affect the information contained herein.
CBIZ MHM is the brand name for CBIZ MHM, LLC, a national professional services company providing tax, financial advisory and consulting services to individuals, tax-exempt organizations and a wide range of publicly-traded and privately-held companies. CBIZ MHM, LLC is a fully owned subsidiary of CBIZ, Inc. (NYSE: CBZ).