For years the cybersecurity sector has been calling for businesses to take the threat of cyberattacks more seriously. Yet, we continue to see more and more high-profile breaches, and watch on as the financial and reputational costs of attacks rise. In 2021, data breaches cost companies a record-breaking average of U.S. $4.24 million, so why is it that businesses are so hesitant to make cybersecurity a boardroom issue?
In 2021, Heidrick & Struggles’ annual Board Monitor report revealed that only 8% of boards in the U.S. had cybersecurity expertise of any kind. Last month, the U.S. Securities and Exchange Commission (SEC) proposed new rules that would change this. If introduced, the rules will require public company boards to disclose the cybersecurity expertise of their corporate directors. More specifically, they’re looking to build boards that have a thorough understanding of cyber risk, and how this should be integrated into business strategy and financial oversight.
It’s a progressive step which will help to increase transparency between companies and investors, and a move which Daniel Dobrygowski, Head of Governance and Trust at the World Economic Forum, states is “likely to finally catapult cybersecurity from a back-office function to a core capability of business leaders going forward”.
This isn’t the first time that we’ve seen the SEC have a hand in shaping boardrooms. 2022 marks the 20th anniversary of the Sarbanes-Oxley Act (SOX), which requires corporate boardrooms to disclose financial expertise. Introduced in response to a number of major financial scandals, SOX is widely credited with strengthening investor protection, and led to institutions across the globe adopting similar legislation. The expectation is that the introduction of cybersecurity regulations and disclosures for boards will do the same.
I think it’s a prudent move that can’t happen quickly enough, but it left me questioning whether others feel the same. Given my network on LinkedIn is primarily made up of professionals in the cybersecurity industry, as well as business owners, I decided to ask their opinion.
Here are the results:
- 70% of people voted for ‘Yes’
- Almost a quarter (24%) of responses were for ‘No’
- The remaining 5% voted for ‘It’s complex’
The results show that a clear majority are in favour of the SEC’s proposal, and reflect the timeliness of the announcement, as the incidence of cybercrime and its devastating consequences for businesses, governments, and individuals around the world continue to escalate.
If the SEC introduces the rule, it’s likely other countries will quickly follow suit. So, what can businesses do to ready themselves?
The National Cyber Security Centre in the U.K. has developed The Cyber Security Toolkit for Boards, to “encourage essential discussions about cyber security to take place between the board and their technical experts”. The Toolkit acknowledges that while board members don’t need to be technical experts themselves, they need to be able to have fluent conversations with those who are.
Additionally, the World Economic Forum released its insight report on Principles for Board Governance of Cyber Risk last year. The report outlines six key principles to assist board directors in governing cyber risk and developing a cyber-resilient organisation, which are shown below.
I’m interested to know the thoughts of MailGuard partners. Do you believe boards should be required to disclose the cybersecurity expertise of directors? And if yes, do you have any other suggestions for how boards can prepare?
Talk to us
MailGuard's partner blog is a forum to share information and we want it to be a dialogue. Reach out to us and tell us what your customers need so we can serve you better. You can connect with us on social media or call us and speak to one of our consultants.