A phalanx of new cybersecurity regulations is marching over the horizon, with important implications for board members and senior management. In addition to new incident reporting requirements, executive oversight and engagement are key areas of regulatory focus, particularly for the Securities and Exchange Commission (SEC).
New Rules, New Responsibilities
The impending Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) and new rules from the SEC will stipulate new, standardized protocols for the reporting of cybersecurity incidents, including tight disclosure timelines. The SEC rules also place greater responsibility on public company boards to manage cyber risk. Senior management will be responsible for identifying and mitigating threats, along with implementing cybersecurity policies and procedures. Companies will also need to disclose the level of cybersecurity expertise among their board members.
To meet these new standards, organizations will need to bridge the gap between business and security, educating board members about cybersecurity operations and aligning security and business objectives.
Getting Senior Management On Board
There’s still time before regulations are finalized to prepare your organization and its leadership. Here are some steps you can take now:
- Shore up your documentation: Cybersecurity policies and procedures are likely to undergo extra scrutiny under the new regulations. Ensure that you have these documents in place and that they are up to date and actionable. Pay particular attention to incident response and business contingency plans, which will be critical to complying with new incident reporting rules and demonstrating resiliency against cyberattacks.
- Educate your board: To fulfill oversight requirements, board members will need to become fluent in cyber risk. While technical expertise is welcome, it’s more essential that board members understand cyber incidents as potential financial and reputational risks to the business, enabling alignment with overarching business objectives. Board members must clearly understand their roles in evaluating risk and implementing security policies. The new disclosure rules will make it readily apparent which companies lack cybersecurity expertise in the boardroom.
- Improve communication: Ensure that your security team is tracking and reporting outcome-driven metrics that your board can understand and act on. Also, seek opportunities to build stronger relationships outside the boardroom by, for instance, including board members in cyber readiness exercises or discussing cybersecurity headlines. These relationships can come in handy when difficult decisions need to be made in the midst of a cyber incident.
Not sure if your board is ready? At MBL Technologies, we live on the cutting edge of cyber governance, risk and compliance. We offer a comprehensive suite of cybersecurity services to ensure you’re prepared, compliant and protected.