May 5, 2022

Cybersecurity Oversight: Batten Down the Hatches

On the heels of its March proposal on enhanced cybersecurity disclosure, the SEC announced earlier this week that it is allocating 20 additional positions to its newly renamed “Crypto Assets & Cyber Unit” (formerly known as the “Cyber Unit”).

This group sits in the Division of Enforcement and will grow to 50 dedicated positions with the new allocation – nearly double its current size! In addition to its expanded role of protecting investors in crypto markets, the announcement suggests that the unit will continue to investigate companies for:

Failing to maintain adequate cybersecurity controls and for failing to appropriately disclose cyber-related risks and incidents. The Crypto Assets and Cyber Unit will continue to tackle the omnipresent cyber-related threats to the nation’s markets.

To the extent that your company hasn’t already gotten serious about cybersecurity oversight and disclosure, the SEC is sending strong signals that now is the time to do so. This 17-page memo from Tapestry Networks recaps recent discussions among sophisticated audit committee chairs and cyber experts about the steps companies are taking. Here are some takeaways:

– The role of the Chief Information Security Officer is continuing to evolve, and their reporting structure sends a signal. It’s critical for CISOs to feel like they can be candid with the board.

– Directors employ a range of tools to understand companies’ cyber capabilities – maintaining open lines of communication is extremely important in the current heightened risk environment. Dashboards, KPIs, executive sessions with the CISO, and third-party assessments are methods that some boards use to stay informed.

– Boards are assessing how best to provide and structure cyber oversight – many are searching for a unicorn “cyber expert” who also has well-rounded business expertise, and more companies are creating stand-alone technology committees (but it’s still a minority practice). In 2021, 68% of Fortune 100 companies continued to assign primary responsibility for cybersecurity oversight to the audit committee.

See the full write-up for more color on all these points, along with sample cyber-related questions for audit chairs to consider. We’ve posted a number of memos about the board’s role in cybersecurity oversight in our “Cybersecurity” Practice Area.

Liz Dunshee