MailGuard, 20 May 2022 11:43:32 AEST

Should Corporate Boards Be Required to Disclose the Cybersecurity Expertise of Directors?

For years the cybersecurity sector has been calling on businesses to take the threat of cyberattacks more seriously. Yet high-profile breaches keep coming, and the financial and reputational costs of attacks keep rising. In 2021, data breaches cost companies a record average of U.S. $4.24 million, so why are businesses still so hesitant to make cybersecurity a boardroom issue?

In 2021, Heidrick & Struggles' annual Board Monitor report revealed that only 8% of boards in the U.S. had cybersecurity expertise of any kind. In March 2022, the U.S. Securities and Exchange Commission (SEC) proposed new rules that would change this. If adopted, the rules would require public companies to disclose the cybersecurity expertise, if any, of their board members. The aim is to encourage boards that have a thorough understanding of cyber risk and of how it should be integrated into business strategy and financial oversight.

It's a progressive step which will increase transparency between companies and investors, and a move which Daniel Dobrygowski, Head of Governance and Trust at the World Economic Forum, states is "likely to finally catapult cybersecurity from a back-office function to a core capability of business leaders going forward".

This isn't the first time that disclosure rules have shaped boardrooms. 2022 marks the 20th anniversary of the Sarbanes-Oxley Act (SOX), which requires public companies to disclose whether their audit committee includes a financial expert. Introduced in response to a number of major financial scandals, SOX is widely credited with strengthening investor protection, and it led to institutions across the globe adopting similar legislation. The expectation is that cybersecurity disclosure requirements for boards will do the same.

MailGuard CEO Craig McDonald supports the move, believing it couldn't come soon enough. It left him wondering whether others felt the same, so he turned to his LinkedIn network, which is made up primarily of cybersecurity professionals and business owners, to ask their opinion.

Here are the results:  

  • 70% voted 'Yes',
  • Almost a quarter (24%) voted 'No',
  • And the remaining 5% voted 'It's complex'.

The poll results show that a clear majority are in favour of the SEC's proposal, and they reflect the timeliness of the announcement, as the incidence of cybercrime, and its devastating consequences for businesses, governments and individuals around the world, continues to escalate.

If the SEC adopts the rule, it's likely other countries will quickly follow suit. So, what can businesses do to ready themselves?

The National Cyber Security Centre in the U.K. has developed the Cyber Security Toolkit for Boards to "encourage essential discussions about cyber security to take place between the board and their technical experts". The Toolkit acknowledges that while board members don't need to be technical experts themselves, they do need to be able to hold fluent conversations with those who are.

Additionally, the World Economic Forum released its insight report Principles for Board Governance of Cyber Risk last year. The report outlines six key principles to assist board directors in governing cyber risk and building a cyber-resilient organisation, which are shown below.

[Image: the World Economic Forum's six principles for board governance of cyber risk]


Fortify your defences

No single vendor can stop every threat, so don't leave your business exposed. If you are using Microsoft 365 or G Suite, you should also have third-party solutions in place to mitigate your risk, for example a specialist cloud email security solution like MailGuard layered on top of your Microsoft 365 security stack.

For more information about how MailGuard can help defend your inboxes, reach out to our team at expert@mailguard.com.au.
