Why the SEC Wants Corporate Boards to Own Cybersecurity

Corporate cybersecurity is one of the most compelling and urgent business issues of our time. The escalating costs of ransomware attacks, the growing cybersecurity threat to already fragile global supply chains, and the possibility of organized attacks by hostile governments have caused more American CEOs to make cybersecurity a critical business agenda. This is also true of investors, who increasingly look at cybersecurity as a risk. As JP Morgan wrote recently, “While cybersecurity has mainly been viewed as a technology issue, it is now also regarded as a key environmental, social and governance (ESG) concern, falling under the ‘Social’ pillar. ESG frameworks are a tangible means of evaluating corporate behavior; by incorporating cybersecurity, a new dimension is added, giving insight into cyber behaviors and risks which form a critical part of the bigger ESG picture.” 

And cybersecurity is an increasingly high priority for the Securities and Exchange Commission (SEC), too. Under a new SEC proposal, businesses would be required to report: 

  • Which board directors have cybersecurity expertise. 
  • How often the topic of cybersecurity is discussed. 
  • What oversight the board has over cyber matters. 

The proposal elaborates on what the SEC means by a board member having cybersecurity expertise: 

  • “Whether the director has prior work experience in cybersecurity, including, for example, prior experience as an information security officer, security policy analyst, security auditor, security architect or engineer, security operations or incident response manager, or business continuity planner. 
  • Whether the director has obtained a certification or degree in cybersecurity; and 
  • Whether the director has knowledge, skills, or other background in cybersecurity, including, for example, in the areas of security policy and governance, risk management, security assessment, control evaluation, security architecture and engineering, security operations, incident handling, or business continuity planning.” 

The SEC proposals underscore how important it is for publicly traded firms to take ownership of cybersecurity as an investment risk. But we also see this as an opportunity for companies to build trust with their audiences by being transparent about how they manage cybersecurity.  

Implications of SEC proposals 

As reported in the Wall Street Journal, the SEC proposals, if implemented, will: 

  • Compel chief information security officers (CISOs) to learn how to clearly communicate cybersecurity issues and policies in nontechnical terms that board directors can understand.
  • Have an impact on the role of the CISO itself. As Shaun Marion, CISO at McDonald’s Corp., said, “It will change how we develop the next generation of CISOs,” relying less on technical knowledge and more on business-risk experience.
  • Force businesses to examine more closely how well their boards understand cybersecurity. According to Steven Babb, CISO at Mitsubishi UFJ Financial Group’s investor services business, “I think across boards, globally, there is a lack of understanding as to not just technology, but security in terms of how important it is to an organization, but equally the impact on an organization if there is an IT or a broader security incident.”

We believe businesses should also take a step back and look at the big picture: the SEC proposals are part of a larger movement toward holding businesses accountable for reporting their cybersecurity practices. And yet, if you visit a typical corporate website, how often do you see a business discussing how it is improving its own cybersecurity practices, as Amazon did in this announcement about developments in its cybersecurity program?

We see a parallel between cybersecurity and sustainability: in both areas, the corporate communications mentality is often focused on reporting only what must be shared to manage risk and demonstrate compliance. And yet, in both cases, businesses can build stronger trust by openly discussing their practices and innovations.

To help businesses navigate cybersecurity, Investis Digital recently published Cybersecurity and the C-Suite. This new guide helps senior leaders learn how to take ownership of corporate cybersecurity threats such as ransomware. The report includes actionable advice on how C-level leaders can prepare their companies to fight ransomware attacks, ranging from training employees to choosing the right information technology resources. Read the full report: Cybersecurity and the C-Suite.

Contact Investis Digital    

Investis Digital can help your business craft a compelling cybersecurity narrative through our own investor relations communications expertise. And we can make your site more secure, too. The Investis Digital on-demand hosting platform is built from the ground up with security and data protection by design. Our cyber threat prevention system offers complete DDoS protection along with malicious traffic analysis and prevention, and it underpins every website we build. Combined with the atomized modular architecture of the Connect.ID CMS platform, we can deploy beautifully designed and highly performant websites in as little as two weeks from ideation to build. Contact us to learn how we can protect you.