Deploying software and hoping it’s “safe enough” isn’t a measurable security strategy. It’s certainly not something that’s going to bode well when the time comes to disclose processes and practices for managing cybersecurity risks. The latest Securities and Exchange Commission (SEC) Cyber Rules will “require registrants to describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats.”
Here’s why I’m optimistic this disclosure requirement begets the transparency and accountability needed to secure our digital future and promote maturity. I also share a critical action that executives can take now to align with the new cyber risk governance rules.
A Brief Introduction to the 2023 SEC Rules on Cybersecurity Risk
The much-anticipated announcement of newly adopted cyber rules arrived from the SEC on July 26, 2023. These rules require public companies to disclose both “material cybersecurity incidents they experience,” as well as material information annually on “cybersecurity risk management, strategy, and governance.”
It’s worth mentioning that an important disclosure is missing from the requirements: disclosing cybersecurity expertise on boards. Regardless of being left out of the final ruling, an understanding of cybersecurity expertise on boards begets success in following the adopted cyber rules.
As SEC Chair Gary Gensler states, the impetus for the rulings is this: “The nature, scale, and impact of cybersecurity risks have grown significantly in recent decades. Investors, issuers, and market participants alike would benefit from knowing that these entities have in place protections fit for a digital age.”
Now that the final rules are adopted, there’s much to be done, and many conversations to be had, for us to define and ultimately disclose materiality.
Advice for Defining Materiality and How You Assess Risk
The new rules speak frequently on materiality, but what constitutes materiality? We need clarity amongst ourselves on what impacts our definition of materiality. It’s safe to say that this could provoke a conversation between the general counsel and CISO.
For each organization to define materiality, the following questions must be answered:
What are the risks?
What is the likelihood a given threat will occur?
What are the consequences if it does?
Management and the board need to speak the same language to interpret risk cohesively, and this is one of the main reasons I am optimistic about the impact of the new SEC cyber rules.
How Accountability Can Ultimately Lead to Maturity
For too long, innovation has been running ahead with security playing catch-up, but we can’t sustain that at the current pace of innovation. These rules reveal that understanding how cybersecurity affects the organization is increasingly becoming the role of all board members.
Cybersecurity is a problem for all of us; it’s not just for “the cyber person” on the board. Any board member ought to know what we are talking about when we are talking about cybersecurity (especially as it relates to business risk).
On the other hand, being an expert in a quickly evolving field is difficult. That’s why a sub-committee of the board that focuses on cybersecurity is still recommended as the conversation inevitably gets deeply technical.
We’re being asked to come together to define materiality and disclose risk management practices for the digital age. The reality is, for many companies, the first attempt at this conversation may result in, “Hey, look how bad our practices really are.” If that’s the starting place, at least we know now.
Transparency triggers the walk down the path of accountability, and this path ultimately leads to maturity. For boards getting ready to describe how they manage and oversee cybersecurity risk, the picture of today’s disclosures is not an end.
By defining and disclosing where we are now, we can take realistic steps toward a more mature and secure future. To approach this systematically, it’s helpful to have a unified software security platform with analytics, reporting, and even peer benchmarking to define what “good” looks like.
A Critical Action Executives Can Take to Align with Cyber Risk Governance Rules
Here’s a piece of advice for executives and boards of public companies endeavoring to report material breaches within four days and describe cybersecurity risk strategy, management, and governance.
A secure codebase is like holding a strong hand in a game of cards. Securing your codebase is a matter of developing a strategic, measurable application security program (which is an excellent way to quantify cyber risk management and governance).
Using an intelligent software security platform with robust analytics, you can have on-demand reports on the real-time status and health of your application security program. I recommend using these reports to establish a baseline, identify areas for improvement, set quantitative goals, and track progress against those goals.
Asking the right questions results in measuring the right things. You can start by asking questions such as: How many flaws do we have? How quickly are we fixing them? Who is shipping the safest/riskiest code? How do we compare against similar organizations in the industry?
For more information and steps to producing secure software, please read Veracode’s DevSecOps Playbook.