
Preparing the Board of Directors for the SEC’s Upcoming Cybersecurity Compliance Regulations

In March 2022, the U.S. Securities and Exchange Commission (SEC) issued a proposed rule, the Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, that, if adopted, would require companies to disclose their cybersecurity governance capabilities and the role of the board concerning oversight of cyber risk.

In this two-part series, we will cover what the proposed regulation will require from an organization regarding reporting on and preparing for cybersecurity incidents and a detailed plan on how CISOs can prepare their board members for the change.

What is the SEC’s Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure?

The SEC intends for this rule to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and cybersecurity incident reporting by public companies subject to the reporting requirements of the Securities Exchange Act of 1934. The SEC opened a second 60-day comment period on the proposal in March 2023. So far, the SEC has not issued a final ruling.

If adopted as is, the SEC’s rule would put in place a bevy of new instructions requiring periodic disclosures about a registrant’s policies and procedures to identify and manage cybersecurity risks, management’s role in implementing cybersecurity policies and procedures, and the board of directors’ cybersecurity expertise, if any, and its oversight of cybersecurity risk.

Additionally, the proposed rules would require registrants to provide updates about previously reported cybersecurity incidents in their periodic reports. Further, the proposed rules would require organizations to present cybersecurity disclosures in Inline eXtensible Business Reporting Language, a common language in which reporting terms can be authoritatively defined.

These changes will require CISOs to prepare their board of directors, so their organization is in compliance when the changes go into effect.

In many cases, a CISO will have their work cut out for them as, until recently, few boards of directors knew much about cybersecurity risks, let alone took an active interest in the topic. That mindset has changed dramatically in recent years. Overall, board members are confident they understand the threat landscape, prioritize cybersecurity appropriately, and have invested enough to keep their organizations safe. Still, in light of rising rates of cyberattacks and differing and sometimes conflicting opinions among CISOs, this optimism may be misplaced.

Bridging the disconnect is vital. CISOs and the wider board need open lines of communication. But often, boards relentlessly focus on the bottom line, and CISOs are mired in technical language. Over time, effective business-first communication gives way to muddled perceptions and misaligned priorities.

At a time when we are more connected and digitally reliant than ever, this board-CISO relationship has never been more important. It has also never been more challenging.

To protect people, instill data security, and ensure continued organizational success, CISOs must communicate effectively with their boards. That means putting threats in perspective, fostering collaboration, and driving accountability. At the same time, board members need to work to understand how cybersecurity risks can affect their organizations’ business goals.

The Board’s Current State of Understanding Cybersecurity

According to the report “Cybersecurity: The 2022 Board Perspective”, 10% of businesses with more than 5,000 employees do not have a dedicated CISO overseeing cyber strategy.

In the same report, the interaction between CISOs and their board appears to be an area for attention and improvement. Just half of board members regularly interact with their CISO; around a third say they see the CISO only when the latter is presenting to the board. While 73% say these presentations occur regularly, this may not be enough.

Bringing the CISO into the boardroom on a regular basis, and not just for presentations, shows that cybersecurity is a priority of the board. Board priorities have a trickle-down effect on the entire organization.

What the SEC Proposal Would Require

The SEC will soon require companies to disclose their cybersecurity governance capabilities, including the board’s oversight of cyber risk, a description of management’s role in assessing and managing cyber risks, the relevant expertise of such management, and management’s role in implementing the registrant’s cybersecurity policies, procedures, and strategies.

The SEC’s reasoning behind this proposal is quite logical. The Commission believes public company investors and other participants in the capital markets depend on companies’ use of secure and reliable information systems to conduct their businesses.

A significant and increasing amount of the world’s economic activities occur through digital technology and electronic communications, which require them to take place in a secure environment. This change means those working with or investing in public companies must know that the leadership is up to speed on cybersecurity and quickly and properly relays any and all sensitive information regarding a cyberattack.

Where pertinent, the SEC will require registrants to disclose the following about board oversight:

  • Whether the entire board, a specific board member, or a board committee is responsible for the oversight of cyber risks
  • The processes by which the security teams inform the board about cyber risks and the frequency of its discussions on this topic
  • Whether and how the board or specified board committee considers cyber risks as part of its business strategy, risk management, and financial oversight

The next step is preparing the board for the SEC’s proposal. Please see Part Two for a full list of steps CISOs should undertake.
