"What was considered adequate cybersecurity governance a few years ago likely wouldn’t pass muster today with courts, regulators, clients, other stakeholders, or plaintiffs’ firms. In this week’s blog, my colleague Lenin Lopez offers practical considerations for late-stage private company and public company boards and management teams tasked with cybersecurity-related risk oversight and management. – Priya "
It’s obvious that strong cybersecurity governance should help to reduce a company’s risk of succumbing to a cybersecurity incident or being significantly impacted should one materialize. One major challenge: determining what strong cybersecurity governance looks like.
The good news is that cybersecurity governance has been having a moment. Whether as the subject of new regulatory requirements, disclosure trends, regulatory actions, or litigation brought against companies and/or individual directors and officers, there is enough in the ether to model out what strong cybersecurity governance looks like for public companies, as well as those companies racing toward an IPO.
This article will:
- Highlight notable cybersecurity governance-related developments
- Share characteristics of strong cybersecurity governance
- Provide practical considerations for boards and management teams
Cybersecurity Governance: Notable Developments
As cybersecurity risks have grown more sophisticated, so has cybersecurity governance for those companies looking to keep pace in what has been become a cybersecurity arms race.
So, what does strong cybersecurity governance look like today?
Things have changed since the cyber breach of SolarWinds’ software in 2020. Several notable developments have provided insight into how public companies are structuring their cybersecurity governance, what regulators are focused on, and continuing lessons learned from the fallout from the SolarWinds incident. What follows is a curated selection of some of these developments.
SEC Cybersecurity Disclosure Rules: Trends and Impressions
We previously discussed the Securities and Exchange Commission’s cyber disclosure rules, so I won’t wax poetic about them here, except to provide a reminder that the rules were animated by SEC Chairman Gary Gensler’s desire to see cyber disclosure made in a more “consistent, comparable, and decision-useful way.”
After a review of more disclosures than you could shake a stick at, I can confidently say that Chairman Gensler got his wish. That is, public company cybersecurity-related disclosures covering risk management, strategy, and governance are more consistent and comparable.
The catch—and something that is quite apparent after you read through a few of these new disclosures —is they all generally read the same. So much so that accuracy wouldn’t take a significant hit if you swapped out, for example, Intel’s cybersecurity risk management and governance disclosure for Dave & Buster’s disclosure.
It’s true the SEC emphasized that the new cybersecurity disclosure rules do not require companies to take any particular action in terms of how companies should structure their cybersecurity governance. Nevertheless, there is something to be said for herd behavior and safety in numbers. Put another way, you arguably want to be like the Intels and Dave & Busters of the world when it comes to structuring your cybersecurity governance. Opting for something lesser may draw the attention and ire of regulators, shareholders, customers, and plaintiffs’ attorneys, especially in the case of a major cybersecurity breach.
With the above in mind, below are a few of the notable common elements underlying cybersecurity governance program disclosure.
Board:
- The board has ultimate oversight responsibility over cybersecurity risk.
- The board delegates a committee (e.g., Audit) to assist in those oversight responsibilities.
- That committee periodically reports (e.g., annually) findings and recommendations to the board; more frequently should circumstances require.
- The committee receives information about cybersecurity risks and incidents from management and escalates to the board as appropriate.
Management:
- The cybersecurity program is managed and/or led by a CISO, or individual(s) performing a similar function.
- The CISO, or individual(s) performing a similar function, provides regular updates to the board and/or responsible committee.
- Individuals responsible for information security have extensive experience in the area and/or leverage third-party subject matter experts.
Risk Management/Strategy:
- Cybersecurity risk management is integrated into the broader enterprise risk management program.
- Utilize third parties to provide external threat intelligence and evaluation of incident notifications.
- Maintain procedures for reviewing suspected cybersecurity incidents, monitoring and mitigating cybersecurity risks, as well as escalating issues.
- Maintain cybersecurity-related policies that are regularly reviewed and are the subject of broad-based employee training.
SolarWinds: The Breach that Keeps on Giving
The 2020 breach of SolarWinds’ software has been the subject of regulatory investigations, securities class actions, as well as lawsuits against certain officers and members of the company’s board. As a result, there is a wealth of information available regarding what SolarWinds’ cybersecurity governance looked like at the time of the 2020 breach.
Based on the derivative lawsuit brought against SolarWinds’ directors, the securities class action brought against SolarWinds, and the most recent chapter in the SEC’s claims against SolarWinds and its CISO, we can form a general picture of SolarWinds’ cybersecurity governance leading up to the 2020 breach.
At a high level, there is an indication that the SolarWinds’ board delegated cybersecurity oversight to subcommittees of the board. One of those committees received a general cybersecurity briefing from management in early 2019. Separately, in the close to two years leading up to being notified by management about the 2020 breach, SolarWinds’ board didn’t conduct any meetings or hold discussions regarding cybersecurity. There was also no indication that the board requested to be updated on cybersecurity. Not ideal, but as we previously discussed, the derivative claim brought against the board for a failure to carry out their oversight duties was dismissed.
Fast forward to today and SolarWinds’ cybersecurity governance as described in its most recent annual report is very much in line with the graphic from the prior section. For example, from SolarWinds’ disclosure:
“The Technology and Cybersecurity Committee oversees management’s design, implementation and enforcement of our information technology systems and cybersecurity risk management program. Our Technology and Cybersecurity Committee meets and reports to the full Board at least quarterly.”
“Our Chief Information Security Officer, or CISO, regularly reports to the Technology and Cybersecurity Committee on an at least quarterly basis and leads the Company’s overall cybersecurity function.”
“The Technology and Cybersecurity Committee receives regular reports from our CISO on our cybersecurity risks, including briefings on our cyber risk management program and cybersecurity incidents.”
“Technology and Cybersecurity Committee members also receive regular presentations on cybersecurity topics from our CISO, supported by our internal security staff, as part of the Board’s continuing education on topics that impact public companies.”
While SolarWinds’ board was successful in getting that derivate lawsuit dismissed, it’s clear from the current state of the company’s cybersecurity governance that they were nevertheless inspired to implement a few enhancements. I get it. Times have changed, and I don’t like to press my luck either.
Cybersecurity Incidents: The SEC is Watching
As noted above, the SEC’s new cybersecurity disclosure rules also require that companies disclose material cybersecurity incidents in an SEC filing within four business days of determining that the incident is material. While there has been much discussion and angst around what qualifies as “material” in this context, as well as how and when to make disclosures, it is important to remember that the SEC is focused on how companies are disclosing this information. For the latest on this, see this article from Morrison & Foerster.
The SEC is just as focused on what isn’t being disclosed when it comes to cybersecurity incidents and, in some cases, asking why disclosures haven’t been made. As an example, Tyler Technologies was the subject of a cybersecurity breach earlier this year. It issued a statement and notified impacted clients. However, the company didn’t disclose the cybersecurity incident in an SEC filing. Shortly after Tyler issued its statement, the SEC sent the company an information request effectively asking the company why it hadn’t disclosed the incident through an SEC filing.
The company’s reply reinforces the notion that strong cybersecurity governance is key in being able to timely assess the impact of a cybersecurity incident as well as determining reporting obligations. For a peek into how this company approached assessing the impact/materiality of the cybersecurity incident, here is an excerpt from the reply:
We investigated the Cybersecurity Incident with the help of an external forensic team and other third-party advisors. Consistent with our established processes for such incidents, we also engaged high-level Company executives, including our Chief Legal Officer (“CLO”), Chief Financial Officer (“CFO”), and Chief Information Security Officer (“CISO”). The CLO, CFO, CISO and other leaders immediately began meeting, and met on a daily basis thereafter, to assess the Cybersecurity Incident’s impact on the Company and evaluate the Company’s related legal obligations, including our reporting obligations under the SEC’s Rule on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure. The chair of the Audit Committee of the Board of Directors and our Chief Executive Officer were, and have remained, routinely briefed on the Cybersecurity Incident and potential risks and legal obligations arising therefrom.
SEC Enforcement Director: 5 Principles to Keep in Mind
Last year, SEC Director of Enforcement Gurbir Grewal outlined five principles that he noted as guiding the work his team was doing to ensure that public companies take their cybersecurity and disclosure obligation seriously. Here they are:
- Companies need to ensure that investors receive timely and accurate required disclosures related to cyber attacks.
- Companies need to have real policies that work in the real world, and then they need to implement them.
- Companies need to regularly review and update all relevant cybersecurity policies. Additionally, companies would be well-served by reviewing the SEC’s enforcement actions and public orders on these topics.
- The right information must be reported up the chain to those making disclosure decisions. If those [up the chain] don’t get the right information, it doesn’t matter how robust your disclosure policies are.
- Zero tolerance for gamesmanship around the disclosure decision. [Can’t be] more concerned about reputational damage than about coming clean with shareholders and the customers whose data is at risk.
Simply, if a company has systems and processes in place such that it can answer in the positive to each of these principles, it’s likely leaning in the right direction in terms of cybersecurity governance.
Blueprint for Strong Cybersecurity Governance (For Now)
If you are a public company board or management team interested in confirming whether your cybersecurity governance passes the smell test—or a late-stage private company looking to understand what may be expected from you in the way of cybersecurity governance as you plot your path to IPO—below are notable characteristics underlying what should qualify as a strong cybersecurity governance.
Regular Assessment and Evaluation
In discussing cybersecurity-related policies, SEC Director of Enforcement Grewal said, “What worked 12 months ago probably isn’t going to work today, or at a minimum may be less effective.” In that spirit, to maintain strong cybersecurity governance, it’s important to regularly assess and evaluate the framework. These evaluations can help to ensure that policies and practices are up to date and that they keep pace with cybersecurity threats. In addition to these reviews, companies would be wise to remain in tune with cybersecurity-related regulatory enforcement and litigation trends.
Clearly Outlined Roles and Responsibilities
Strong cybersecurity governance generally features well-defined processes and procedures, including at the employee, executive, management, and board level. This clarity can help to limit misunderstandings or oversights that could lead to security breaches, as well as ensuring that all aspects of cybersecurity—ranging from incident response, policy enforcement, or making required disclosures and notifications—are managed efficiently.
The example involving Tyler Technologies described above is a good reminder of why having well-defined processes and procedures are important. The alternative is having to contend with the confusion of determining who is responsible in the heat of the moment, delayed decision-making that may potentially lead to more severe impacts, and unproductive finger-pointing. Think living out the equivalent of that Spider-Man pointing meme.
Viewing Cybersecurity Risk Through an Enterprise-Wide Lens
Strong cybersecurity governance will ensure that cybersecurity risk is integrated into the broader business strategy. Put another way, the management and assessment of cybersecurity shouldn’t just be siloed within one organizational function, like information technology. Rather, multiple functions should play a role, including finance, legal, human resources, research and development, and any other functions that can help a company avoid cybersecurity risk blind spots.
By considering cybersecurity risks from different perspectives and in the context of the entire company, companies should be better positioned to appropriately prioritize cybersecurity-related efforts so that they are effective across the entire organization.
A Strong Cybersecurity Culture
Building and maintaining a strong cybersecurity culture is critical in protecting a company from cybersecurity threats and for the successful implementation of a company’s cybersecurity-related policies. A strong cybersecurity culture may best be compared to a culture of compliance, which the SEC has described as “from the top of the organization down, an overall environment that fosters ethical behavior and decision-making.” In this case, it would be from the board level to the employee level, an overall environment where a company shares attitudes and behaviors that help the company protect its data, people, customers, and other stakeholders from cybersecurity threats.
Insurance Coverage Is a Key Discussion Point
Discussing insurance coverage, both cyber and directors and officers (D&O) insurance, is important to consider in the context of a company’s cybersecurity governance. Cyber insurance, for example, can help a company manage costs associated with data breaches, ransomware, or other cybersecurity incidents. As for D&O insurance, major cybersecurity breaches are leading to regulatory inquiries, as well as litigation, that is pulling in directors, officers, and employees. Just ask SolarWinds.
However, the challenge is being able to navigate between the different types of coverage and ensuring that your company isn’t under- or over-insured for its particular risks. A knowledgeable insurance broker can help on this front and may also help to identify opportunities to improve your risk profile in the eyes of underwriters, which ideally improves insurability and pricing.
Bonus points if insurance discussions are also making it up to the board and/or committee levels since doing so should go a long way in terms of establishing that they are actively engaged in their cybersecurity oversight roles.
Cybersecurity Risk Management Is Appropriately Resourced
A common question that companies may have around cybersecurity governance is: How much money and/or other resources should be dedicated to cybersecurity risk management? This may translate into more headcount, budget for third-party consultants, insurance, time allocated to cybersecurity discussions at the management or board levels, as well as investing in new threat detection technologies and training for employees. While the answer will depend largely on each individual company, just having intentional discussions about this at the management and board levels is critical to ensuring that cybersecurity governance remains top of mind and strong and effective.
Parting Thoughts
Cybersecurity governance is ever-changing, perhaps more so than most other aspects of corporate governance, which is why it’s important for companies to regularly pressure-test their own programs. If they don’t, I’m sure regulators, stockholders, customers, and the plaintiffs’ bar won’t be shy in pointing out cybersecurity governance shortfalls after the fact. Working upfront can help avoid some of those headaches and should even translate into more favorable pricing in terms of insurance coverage, both from a D&O and cyber perspective.
