The 5 Ways The SEC Failed Investors On Cybersecurity

By News Room, BuckheadFunds, August 7, 2023

The SEC recently released its final cybersecurity disclosure rules. While it is a step forward from its admittedly ineffective cybersecurity guidance from 2011 and 2018, what the SEC chose to eliminate from the final rules fails investors in several critical ways.

Here are the top 5 things that they left out of the final rules and how these omissions failed investors:

#5 — By allowing insider trading from discovery of the incident until it is determined to be material.

While insider trading during the period from incident discovery to materiality determination was explicitly prohibited in their proposed rules, it did not make the final cut. This now takes on new meaning given management’s discretion in determining incident materiality—which is when it now needs to be disclosed—leaving the period from discovery to management’s determination of materiality open for insider trading. Let the insider trading begin.

#4 — By not requiring boards to explain how they integrate cybersecurity into business strategy, risk management and financial oversight.

The SEC originally proposed that investors would find information about how the board understands cybersecurity in the context of strategy, risk and financial oversight useful. However, in their final rules they had a change of heart. A troubling change of view when almost 3,000 risk management executives in the 2023 Allianz Risk Barometer ranked cyber incidents as the #1 business risk in 2023. This omission also fails to recognize the boardroom as a control in the organization’s system of cybersecurity and fails to require the boardroom to establish and articulate the cyber-tone-at-the-top of the enterprise, something investors would most definitely find useful.

#3 — By admitting that their prior guidance in 2011 and 2018 was largely ineffective, yet still watering down their 2023 final disclosure rules all while risks and costs rise.

In regard to the final rules, the SEC declared, “First, an ever increasing share of economic activity is dependent upon electronic systems, such that disruptions to those systems can have significant effects on registrants and, in the case of large-scale attacks, systemic effects on the economy as a whole. Second, there has been a substantial rise in the prevalence of cybersecurity incidents…Third, the costs and adverse consequences of cybersecurity incidents to companies are increasing…”

And with regard to the impact of their 2011 and 2018 interpretive guidance in addressing the need for the new and shiny proposed rules, they said that “current reporting may contain insufficient details, and the staff has observed that such reporting is inconsistent, may not be timely, and can be difficult to locate.”

So why water down, or shut the spigot off entirely on, some of the very lightweight but high-impact proposals that they originally made? Rhetorical question, and moral of the story—don’t look to the SEC for leadership on cybersecurity governance or management. Its policymaking significantly lags the reality of market conditions.

#2 — By failing to go beyond disclosure with more explicit rules that reflect the criticality of cybersecurity governance and management and the reality of cybersecurity risk as the top business risk facing companies globally.

Disclosure is a start and brings transparency that can drive analysis and action. But it is a weaker response than needed after a decade of failure on an issue that moves much faster than disclosure, and that brings far-reaching and compound implications strategically, financially, operationally and legally.

While the SEC acknowledges systemic risk and the rise in cybercrime and its costs, their final actions don’t match their words and the reality of cybersecurity risk as the top risk facing businesses. Our almost 3,000 risk management experts from the Allianz survey would likely agree that more was needed from the SEC. The insurers who are struggling to understand and underwrite cyber risk would also likely agree, as would many investors and consumers who have been the real victims of cybersecurity incidents.

The SEC’s final rules are even more disappointing against the realization that their actions fail to live up to the precedent and standard they established on financial reporting risk in 2002 when they mandated financial experts and audit committees into existence on corporate boards. Improving boardroom leadership over these issues had an immediately positive impact on real levels of financial reporting risk.

In 2002, the SEC proved that they can regulate after the fact when the threat is as serious as the financial reporting crisis was in 2002. But anyone can see the horses after they have left the barn, and the SEC was far too soft on the boardroom’s role as a critical control in the organization’s overall system of cybersecurity. This guarantees that America’s private sector cybersecurity risk profile will remain higher than it could be.

The SEC has proven over the last decade that they cannot regulate cybersecurity effectively. Their final rules are another example of them falling short and failing to think forward on cybersecurity. The reality of cybersecurity risk will unfortunately again prove that their latest attempt is too little, too late as it falls short for investors.

Fortunately, many leading-practice boards and management teams don’t wait for the SEC to tell them what to do on cybersecurity risk. They are already adopting policies and procedures that far exceed the SEC’s final and lagging rules. Investors should push for the implementation of policies beyond the SEC rules.

#1 — By not requiring boards to identify if they have someone in the boardroom who understands cybersecurity risk.

The highest impact, least effort proposal they took off the table in their final rules is their top investor failure. They had proposed a cyber expertise disclosure provision for directors—it did not make the cut. Apparently, informing investors if someone on the board understands any of this cybersecurity stuff was deemed by the SEC not to be an important disclosure item for investors.

Again, in 2002 with regard to financial reporting risk, the SEC thought that having a financial expert in the boardroom was a good thing. The SEC rationalized the cybersecurity expertise omission with the statement, “We are persuaded that effective cybersecurity processes are designed and administered largely at the management level, and that directors with broad-based skills in risk management and strategy often effectively oversee management’s efforts without specific subject matter expertise, as they do with other sophisticated technical matters.”

Of course this statement doesn’t apply to the reality of how the SEC approached the much narrower implications of financial reporting risk. And apparently the SEC believes directors can effectively govern what they don’t understand, while also believing that the board doesn’t play an important role as part of the overall system of cybersecurity risk management.

The SEC also seems to believe that directors possess some kind of universal and magical risk aptitude that empowers them to understand and govern risk of any nature or type. The insurance industry would love to get their hands on this magical capability and apply it to cybersecurity risk and all the other types of differentiated risk that they work hard to understand and underwrite.

Change, innovation and new technologies very frequently introduce new types of risks that require new domain expertise to understand. The current discussions around AI are a good example as is the growing prevalence of systemic risk within the complex digital business system.

There’s a reason why no one goes to their plumber for dental work. Different risks require different competencies to understand and mitigate.

The SEC gave boardrooms a cybersecurity competency accountability pass with this omission. Until the SEC starts viewing the responsibilities of the board in cybersecurity risk oversight as critically as they do for financial risk oversight, leadership in cybersecurity risk governance will continue to underperform the realities of the market—causing the entire system of cybersecurity risk management to underperform and keeping levels of cybersecurity risk higher than they need to be.

Cybersecurity success starts in the boardroom (except in the eyes of the SEC) and unfortunately cyber failure often does too.
