Revelations from the SEC Cyber Disclosure Rules: The Evolving Role of the CISO
Since the Securities and Exchange Commission's cybersecurity disclosure rules went into effect on December 18, 2023, several critical trends are coming to light, according to CISOs and cybersecurity leaders in the HMG community.
Michael Coden, Associate Director of Cybersecurity at MIT Sloan, points to a recent article by multinational law firm Skadden, Arps, Slate, Meagher and Flom LLP, which notes that CISOs are now going to be held responsible for public statements made by their companies.
"However, the CISO is not typically part of the C-suite or the board. So, I think CISOs are going to have to start getting involved in reviewing any public statements about their organization's cybersecurity, which is probably something CISOs have not done historically," said Coden.
"Because the SEC regulations apply to Boards, CISOs also need to ensure that they have access to their company's board of directors and to raise issues which may affect the Board under the new SEC regulations," added Coden.
"That may require some gut-wrenching discussions with the C-suite," said Coden. "They may or may not want the CISO approving public statements and SEC filings. Now that the SEC has shown that it will hold a CISO personally liable for a breach, I recommend CISOs adopt a more defensive posture, protecting their interests by documenting in writing their cybersecurity recommendations that were implemented, and those that were not implemented," said Coden.
It's not just the C-suite that is going to have to change. "Boards need to think about giving their CISOs some attention; asking questions about CISO protections like Directors' and Officers' insurance, liability and indemnification, and getting both CISO and external advisor opinions about the security program and governance," added Todd Inskeep, Founder and Executive Cybersecurity Advisor at Incovate Solutions.
One of the silver linings of the SEC cybersecurity disclosure rules is that they help to bring CISO concerns to the board level, said Matthew Rosenquist, CISO at Elipz.io, Inc. "It helps the board to understand the vernacular of risk a little bit better," said Rosenquist. "It's also going to force CISOs to communicate in business terms more effectively."
All in all, the ramifications of the SEC's cybersecurity disclosure rules provide upside for CISOs, said Rosenquist. "I think this is good news for everybody," said Rosenquist. "We're getting the benefits we need (as CISOs) for more visibility but also for accountability. And that isn't a bad thing. We're being brought into the right discussions. And, more importantly, that companies are more properly managing those risks versus just sweeping them under the rug or hiding behind some marketing speak or being radio silent and hoping nobody notices," he added.
How organizations determine what is a "material" cybersecurity incident, and how this is communicated to the SEC, is creating friction between different stakeholders. "I'm starting to see the CISOs, the lawyers and the CFOs arguing over who gets to make the materiality decision," said Inskeep. While CISOs are used to making quick decisions about regulatory notifications, CFOs are used to making materiality decisions in financial reviews.
One of the biggest challenges that many CISOs face is elevating their role and gaining direct contact with the board, noted Patrick Benoit, Global CISO at Brink's Inc.
"Approximately 64% of CISOs report to CIOs," said Benoit. "That is going to be the downfall of CISOs as a whole if we don't get them out from under CIOs and be at least on the same level as them." The participants pointed to the emerging role of Chief Risk Officer, or CRO, as a better place for CISO reporting.
Interested in becoming part of the discussion? Join one of HMG Strategy's regional advisory boards to help shape the content and explore the top issues facing CISOs in their roles today and going forward.