In an era when digital transformation has fundamentally altered the business landscape, the need for robust cybersecurity measures and close coordination with government partners has never been more critical for industry. To that end, new cybersecurity rules by the U.S. Securities and Exchange Commission call for company boards to take a significantly more active role in managing cybersecurity risks.
Similar provisions are included in the European Union’s Digital Operational Resiliency Act, or DORA, and the U.S. National Institute of Standards and Technology’s Cybersecurity Framework 2.0. Despite the global momentum behind this new level of cyber governance, many companies still don’t yet know how to prepare their Boards and C-suites for these new rules and expectations.
Headlines around the SEC’s rules have focused on new reporting timelines around “material” cybersecurity breaches. But far less attention has been paid to the requirement that will impact companies even in the absence of a major cyber incident. Starting in December, public companies’ annual reports must disclose their cybersecurity risk strategy and governance, including their board of directors’ role in managing material cyber risks.
Similarly, DORA makes the boards of directors of almost all financial services firms regulated in the EU ultimately responsible for risk management and operational resilience strategy for information communications technology. In practice, this will require boards to take on more ownership overseeing cybersecurity risks, including ensuring compliance with DORA’s technical and policy requirements.
Further adding to the focus on cybersecurity governance, NIST launched its Cybersecurity Framework 2.0 in August 2023, updating the widely adopted voluntary framework first developed in 2014. This update introduced a new, sixth pillar called “govern” that facilitates executive oversight, emphasizing that “cybersecurity is a major source of enterprise risk and a consideration for senior leadership.”
Those who operate in the global security and resilience domain often hear about implementation of these frameworks being treated as the sole responsibility of the company’s chief information security officer (CISO). But rather than thinking about cybersecurity management as the responsibility of a single person or team, we must approach it as a whole-of-business process that is governed across an organization, including at the Board level.
DORA, NIST 2.0 frameworks and the new SEC rules can help speed up this process. However, companies can also develop best practices to better implement board oversight of cybersecurity risk.
First, covered entities must start planning now for the structural and cultural changes these rules and regulations will require—they will take time to implement. When done right, a risk management program will educate and empower company leaders to understand and confidently accept, mitigate or transfer risk.
Second, to promote this strong governance at the C-Suite and board level, companies must educate their leadership on how to take a front seat around cyber strategy and governance. Rather than an insulated organizational function, cyber risk management should be informed by a company’s business strategies, compliance landscape, and risk culture.
Finally, it will be critical for organizations to understand specific roles and responsibilities and to maintain regular lines of communications. In addition to the Board and other company leaders, security, communications, and legal teams should be involved in ongoing conversations around achieving a whole-of-business cyber governance strategy.
Senior leaders in federal agencies should learn from, and embrace, the new cybersecurity risk frameworks and rules, and treat cybersecurity risk management as a whole-of-agency process managed by an agency’s most senior agency officials. Like the private sector, managing cybersecurity risk should not solely be the purview of the CIO or CISO.
Cybersecurity decisions should be driven by mission requirements and senior agency officials should be set up to understand the agency’s cyber risk and empowered to make decisions about risk acceptance, mitigation or transfer of cyber risk.
Cyber risk management at federal agencies driven from the top is becoming more pressing as the U.S. enters an era of near-peer competition with China. In September 2023, in a hacking incident that also impacted Commerce Secretary Gina Raimondo, Chinese hackers breached Microsoft’s email platform earlier and managed to steal tens of thousands of emails from U.S. State Department employees who were mostly working on Indo-Pacific diplomacy issues.
As cyber breaches are affecting sensitive missions at the State Department, it is high time for Secretary of State Antony Blinken to be empowered to understand and manage cybersecurity risks. As noted in the September 2023 Government Accountability Office report, Cybersecurity: State Needs to Expeditiously Implement Risk Management and Other Key Practices, “State hasn’t fully implemented its cybersecurity risk program.” Instead of leaving this implementation to the CIO, State should take a page from the private sector playbook and implement a whole-of-department cybersecurity risk management strategy overseen by Secretary Blinken.
As we navigate an increasingly sophisticated cyber threat environment in an increasingly digital ecosystem, frameworks like DORA, and NIST 2.0 as well as the SEC rules, offer a solid foundation and catalyst for synergizing collaborative action. We should support such harmonization, as it paves the way for a safer, more secure digital future, where organizations can thrive while protecting their critical assets and data.
Kris Lovejoy is cybersecurity expert who works as Global Practice Leader in Security and Resiliency at Kyndryl, a U.S.-based information technology infrastructure services provider.