Monthly Archives: August 2022

A New Chapter in Cyber

Mary Galligan is a Managing Director and Carey Oven is national managing partner at the Center for Board Effectiveness and chief talent officer at Deloitte LLP. This post is based on their Deloitte memorandum.

Escalating risk, regulatory focus can drive board oversight of governance

An SEC proposal issued in March 2022 to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting has sparked increased discussions about cyber risk in many corporate boardrooms. At many companies, boards are asking what measures they should consider taking to enhance governance and improve risk management, which may also help prepare the company to meet likely new requirements.

Even before the proposal was issued, oversight of cybersecurity risk had become an increasing area of focus for boards. A survey by Deloitte and the Center for Audit Quality of 246 audit committee members published in January 2022 found that two-thirds of participants with oversight responsibility for cybersecurity expected to spend more time on the topic in the coming year. [1] In addition, 62% identified cybersecurity as one of the company’s top risks to focus on in 2022. [2]

If adopted as proposed, the SEC’s new rules would require prompt reporting of material cybersecurity incidents and disclosures in periodic filings focused on:

  • Policies and procedures to identify and manage cybersecurity risks
  • Management’s role in implementing cybersecurity policies and procedures
  • Corporate directors’ cybersecurity expertise, if any, and the board’s oversight of cybersecurity risk
  • Updates about previously reported material cybersecurity incidents

The SEC received nearly 150 comment letters on the proposal and is expected to issue final requirements later in 2022.

In the years leading up to the proposal, cyber incidents have increased in both frequency and magnitude. Cyberthreats have become more complex as threat actors use more sophisticated techniques. At the onset of the pandemic, the cyberattack surface expanded significantly, and risk persists for many companies that are maintaining hybrid work arrangements. Companies face threats related to the theft of information, disruption of functions, ransomware demands, destruction of hardware and software, and corruption of data.

