CISOs Seize the Opportunity to Shape the Conversation on Cybersecurity with SEC’s Proposed Rule

New Requirements Address Cybersecurity Risks to U.S. Securities Markets and Provide CISOs an Opportunity to Advocate for Improved Cybersecurity Governance with the Board of Directors

CISO, The Board, and Cybersecurity

For over a decade, we’ve known that clear communication with the board of directors is essential. But let’s face it: chief information security officers (CISOs) have struggled to measure the ROI of security spending, and that has made it hard to show value to the board. As the founder of BoardDirector, I understand the problem.

Board members are rarely cybersecurity experts, so we must speak their language. It’s time to ditch the technical jargon and use business-focused terms they can easily understand. That means spelling out the cybersecurity consequences of everyday business decisions, such as adopting a particular piece of software in a hybrid work environment or expanding through partnerships, and framing them in terms of the data breaches and cyber-attacks that could damage the company’s reputation, finances, or legal standing.

So let’s get down to business and make the case for cybersecurity in a language that resonates with the board. We must convince them to invest in security measures that protect the company’s interests. And there is a new lever: the SEC has proposed a rule that would require Market Entities in the U.S. securities markets to maintain cybersecurity policies and procedures, notify the Commission of significant incidents, and publicly disclose their cybersecurity risks. Boards facing those obligations will be looking for cybersecurity expertise, and that is a fantastic opportunity for CISOs. So let’s get out there and show them what we’ve got!

Use a Business-Focused Language that the Board Can Understand
To communicate effectively with the board, CISOs should use language the board already understands and avoid technical jargon.

Explain the Potential Consequences of Everyday Business Decisions Regarding Cybersecurity
CISOs should explain how everyday business decisions, such as adopting new software or expanding through partnerships, change the company’s attack surface and therefore its cybersecurity posture.

Highlight the Risks of Data Breaches or Cyber-attacks
CISOs should communicate the potential risks of data breaches or cyber-attacks, which can harm the company’s reputation, finances, or legal standing.

Avoid Using Technical Jargon and Explain Complex Terms in Simple Language
When a technical term cannot be avoided, CISOs should define it in plain language the first time it appears, so that cybersecurity concepts stay accessible to the board.

Use Analogies to Make Complex Ideas More Accessible to the Board
Analogies can help CISOs make complex cybersecurity concepts more accessible to the board and illustrate potential risks.

Provide Context for Cybersecurity Risks in the Larger Business Landscape
CISOs should provide context for cybersecurity risks in the larger business landscape to help the board understand the significance of investing in cybersecurity measures.

Communicate the Importance of Cybersecurity as a Means of Protecting the Company’s Interests
CISOs should communicate the importance of cybersecurity as a means of protecting the company’s interests, emphasizing that it is an essential business function.

Emphasize the Importance of Investing in Cybersecurity Measures and the Potential ROI
CISOs should communicate the importance of investing in cybersecurity measures and the potential return for the company, such as avoided breach costs, regulatory exposure, and downtime.

Use Clear, Concise, and Engaging Visuals to Illustrate Cybersecurity Concepts
Clear, concise, and engaging visuals can help illustrate cybersecurity concepts and make them more accessible to the board.

Demonstrate the Value of a Secure Board Portal Platform like BoardDirector for Efficient and Secure Communication
CISOs should demonstrate the value of using a secure board portal platform like BoardDirector for efficient and secure communication, and illustrate how it can improve the company’s cybersecurity posture.

SEC Proposes New Requirements to Address Cybersecurity Risks to the U.S. Securities Markets

“I am pleased to support this proposal because, if adopted, it would set standards for Market Entities’ cybersecurity practices,” said SEC Chair Gary Gensler. “The nature, scale, and impact of cybersecurity risks have grown significantly in recent decades. Investors, issuers, and market participants alike would benefit from knowing that these entities have in place protections fit for a digital age. This proposal would help promote every part of our mission, particularly regarding investor protection and orderly markets.”

“Market Entities increasingly rely on information systems to perform their functions and provide their services and thus are targets for threat actors who may seek to disrupt their functions or gain access to the data stored on the information systems for financial gain. Cybersecurity risk also can be caused by the errors of employees, service providers, or business partners. The interconnectedness of Market Entities increases the risk that a significant cybersecurity incident can simultaneously impact multiple Market Entities causing systemic harm to the U.S. securities markets.

The proposal would require all Market Entities to implement policies and procedures that are reasonably designed to address their cybersecurity risks and, at least annually, review and assess the design and effectiveness of their cybersecurity policies and procedures, including whether they reflect changes in cybersecurity risk over the time period covered by the review. The proposal — through new notification requirements applicable to all Market Entities and additional reporting requirements applicable to Market Entities other than certain types of small broker-dealers (collectively, “Covered Entities”) — would improve the Commission’s ability to obtain information about significant cybersecurity incidents affecting these entities. Further, new public disclosure requirements for Covered Entities would improve transparency about the cybersecurity risks that can cause adverse impacts to the U.S. securities markets.

The proposing release will be published in the Federal Register. The public comment period will remain open until 60 days after the date of publication of the proposing release in the Federal Register.”

https://www.sec.gov/news/press-release/2023-52

Board Portal for Security

Let’s discuss the risks of using email for board communication. Email was not built for confidential collaboration: messages are copied into every recipient’s inbox, forwarded without control, and are a prime target for phishing and account takeover, which leaves sensitive company information exposed to data breaches. With Board Director, you get a board portal that provides a safe and secure environment for sharing confidential information. Multi-factor authentication and encryption protect board materials, and the software keeps an audit trail that shows who accessed which information and when, adding an extra layer of accountability.

But wait, there’s more! Using a board portal like Board Director shows the board that you take cybersecurity seriously. It also helps them work more efficiently by keeping all relevant information in one place, improving decision-making and collaboration. And with the SEC’s proposed rule on the table, now is the perfect time to position cybersecurity as a business enabler.

So what are you waiting for? Contact us today to learn how Board Director can help your company improve its cybersecurity governance capabilities. Trust me; it’s a decision you won’t regret. Thanks for reading, and I’ll catch you on the next one.