Company boards are bracing for new SEC cybersecurity regulations

Growing cooperation between corporate boards and chief information security officers has strengthened cyber defense as looming regulations could demand greater accountability, experts tell Axios.

Driving the news: Publicly traded companies have spent the last year bracing for a proposed Securities and Exchange Commission rule that would require private companies to publicly report cyber incidents within four business days and detail companies' policies for responding.

• The rule, proposed last year, would also require an annual report on corporate boards' cybersecurity expertise. The SEC declined to comment on when the final rule is expected to be published.

The big picture: Boards have been grappling with a wave of ransomware attacks, data breaches, and additional cyber and privacy regulations in recent years.

• Those incidents have both forced board members to learn more about their companies' cyber risks and motivated top security officers to figure out how to better communicate with boards.
• Historically, boards have struggled to understand the threat landscape — prompting them to view security as an expendable cost and to use security officials as scapegoats after a major incident.

But that's starting to change: More than three-fourths of board directors say their board has at least one cyber expert, according to a Wall Street Journal survey released last month.

• Many of the largest publicly traded companies now have a former CISO, chief technology officer or government official on their board to help fill in the gaps, Phil Venables, CISO at Google Cloud, tells Axios.

What they're saying: "Cybersecurity is no longer just a back-office issue that is rarely talked about," Friso van der Oord, senior vice president of content at the National Association of Corporate Directors, tells Axios.

• "It can cause catastrophic damage to many organizations, and we've seen the volume of successful cyberattacks rise significantly," he says.

Between the lines: CISOs have gotten better at communicating their teams' priorities and the threat landscape to boards, Bob Maley, chief security officer at Black Kite, tells Axios.

• "Today, the best CISOs may not be the best hackers or the best technical people, but they're the best ones that can translate that technical language into the language of the board," Maley says.
• Whether boards and C-suites will be prepared for increased SEC requirements will depend on the relationship between them and their CISOs, Christopher Gray, vice president at cyber firm Deepwatch, tells Axios.

The intrigue: Unpredictable economic conditions have forced boards to become better acquainted with their cyber risks as they comb through their companies' budgets.

• "People are going to have to figure out what actually works for them, why and what they're going to have to cut," said Peiter "Mudge" Zatko, executive-in-residence at Rapid7 and recent Twitter security whistleblower, during the Verify conference last week.

Yes, but: While relationships have gotten better between boards and CISOs, there are still gaps they'll need to close to meet the SEC's expected demands.

• Smaller public companies that haven't focused on cybersecurity will most likely need to re-evaluate who's on their board to guarantee they have the cyber expertise the SEC will be looking for, Venables says.
• More than two in five IT and security professionals said in a survey released this week by BitDefender that they've been told to keep an ongoing breach quiet, even if it should actually have been disclosed.

Sign up for Axios’ cybersecurity newsletter Codebook here