Global regulatory pressures are closing the cybersecurity governance gap

ARTICLE | May 03, 2024

Authored by RSM US LLP


Recent pressure on cybersecurity governance from governments, regulators and independent organizations has increased in intensity, resulting in highly prescriptive requirements mandating not only objective protective measures—the primary purview of management—but also highly subjective, intangible governance standards targeting the fiduciary responsibilities of the board of directors. Meeting the objective requirements is tedious, time-consuming and costly, but the process is straightforward. However, meeting the growing international pressure to comply with subjective, intangible standards related to governance is not.

Bringing the challenge into perspective

These new demands are testing and challenging the ability of boards of directors to govern and of management to deal with cybersecurity. The stakes are high. Failure to meet these requirements may lead to adverse financial outcomes such as loss of market value, inability to access certain markets, and financial penalties, plus potential legal and enforcement actions against management and board members. Below are three examples of where this trend is playing out.

Example 1: Securities and Exchange Commission (SEC) cybersecurity incident disclosure rules

In the U.S., the SEC has taken enforcement action against registrants, alleging that incident disclosures do not match internal processes. In addition, recent SEC rules require registrants to disclose both qualitative and quantitative consequences of material incidents, including impacts on their financial condition and operations.

The materiality test goes beyond financial and operational results to include reputational harm. According to Forbes, early disclosures under this new rule are drawing criticism that registrants are failing to meet these requirements because they are not sufficiently disclosing the qualitative and quantitative impacts on their business.

The SEC, key stakeholders and investors may question how a company can determine materiality without estimating its impact both qualitatively and quantitatively.

Example 2: New York State Department of Financial Services (NYDFS) cyber requirements

The NYDFS recently issued highly prescriptive regulations and minimum requirements for financial services companies licensed to operate in New York. These include annual certification of material compliance by both the CEO and the chief information security officer.

The NYDFS requires the management team to certify that the board of directors is exercising cybersecurity oversight, has a “sufficient understanding” to exercise such oversight, and is allocating “sufficient resources to implement and maintain an effective cybersecurity program.”

Notwithstanding the fact that management is not responsible for governance, and therefore is not in a position to make that certification, boards need to ask themselves how to comply with this requirement. Questions include:

  • How will the board develop “sufficient understanding” of cybersecurity and exercise oversight?
  • How does the board ration capital for cybersecurity?

The NYDFS may impose financial penalties for noncompliance. Like the SEC, the NYDFS is applying pressure to close the cybersecurity governance gap.

Example 3: Australia’s ‘Governing Through a Cyber Crisis’ guidelines

Another example of regulatory pressure on board governance comes from Australia, which recently issued 62 pages of prescriptive guidance on cybersecurity oversight aimed at boards of directors.

This guidance does not yet have the force of law. However, it suggests that changes are forthcoming to the Australian Privacy Act, which, like the EU General Data Protection Regulation (GDPR), will impose prescriptive requirements and financial penalties for noncompliance.

The latest regulatory requirement affecting cyber governance: NIS2

Perhaps the most powerful regulatory mandate creating pressure to close the cybersecurity governance gap comes from the EU, which recently updated its Network and Information Security Directive (NIS2). Its goal is to achieve a “high common level of cybersecurity” across the EU.

NIS2 is effective in October 2024 and targets critical infrastructure entities that provide essential and important services. It applies to both EU entities and those doing business in the EU. Article 20 of this regulation requires management bodies (i.e., C-suites and boards of directors) of essential and important organizations to:

"… approve the cybersecurity risk-management measures taken by those entities in order to comply with Article 21, oversee its implementation and can be held liable for infringements ..."

In addition, C-suites and boards of directors are:

"… required to follow training and … to offer similar training to their employees on a regular basis, in order that they gain sufficient knowledge and skills to enable them to identify risks and assess cybersecurity risk-management practices and their impact on the services provided by the entity."

How will boards of directors and C-suite executives become trained? NIS2 prescribes significant penalties associated with noncompliance.

Similar prescriptive governance provisions can be found in the EU Digital Operational Resilience Act (DORA), which deals with information and communications technology resiliency for financial services entities.

The implication of prescriptive directives from NIS2, DORA, the SEC and others is clear: Boards must amp up their oversight. Governments and regulators are forcing boards of directors and C-suite executives to be trained and educated on cybersecurity along with their employees so that they develop the knowledge and skills to meet their governance duties. The regulatory message is that the failure to do so can lead to insufficient oversight and result in noncompliance penalties and legal risk to officers and directors.

Bringing it together

These evolving and pressing global cybersecurity prescriptive requirements are changing the standards that boards of directors must meet to satisfy their “duty of care” legal obligation. Pressure from governments and regulators is on the rise, particularly as cybersecurity incidents persist and evolving AI implementations introduce new digital risks.

Boards would be well served to start on the road to improve cybersecurity and digital risk governance by taking the following steps:

  1. Organization: Review and evaluate the efficacy of your organization related to digital risk oversight. Reorganize and revamp management reporting, policies and procedures as necessary.
  2. Education: Embark on a continuous educational program throughout your organization, starting with the board, to develop the institutional judgment required to evaluate threats to complex digital systems. The ability to govern systems requires knowing how they work.
  3. Culture: Stress the shared responsibility of digital risk governance throughout the organization.

Digital risk governance is the responsibility of the board of directors and cannot be delegated to the management team. These evolving standards will require substantially more board involvement and an appreciation that there are no “check-the-box” solutions for digital risk oversight.

This article was written by Rod Hackman and originally appeared on 2024-05-03.
2022 RSM US LLP. All rights reserved.
https://rsmus.com/insights/services/risk-fraud-cybersecurity/global-regulatory-pressures-closing-cybersecurity-governance-gap.html