Whether or not the nature and structure of your organization are such that it’s required to comply with regulations established by the U.S. Securities and Exchange Commission (SEC), anyone interested in good governance would be well served to pay attention to SEC communications associated with modern corporate governance.
Corporate secretaries and other governance professionals around the globe routinely add value by scheduling and following up on regular assessments of their respective organizations’ governance practices and performance. Evaluation processes, statements and questions will vary from one board to another. However, board evaluations will generally assess – among other criteria – performance against best practices, and regulatory and legislative compliance. Your board may benefit by also assessing its operations and practices in the context of standards established within other jurisdictions.
Consider, for example, the Sarbanes-Oxley Act (SOX) of 2002. While this U.S. legislation mandated significant reforms that were specific to U.S. business practices, people in other countries also took notice. “SOX” became part of the vernacular for governance professionals and directors around the globe. It didn’t matter whether you supported a corporate, public or other board; Sarbanes-Oxley served as a wakeup call for improved corporate responsibility – which meant improved governance practices.
What is the SEC OCIE Cybersecurity Sweep?
The SEC’s 2019 cybersecurity sweep may serve as another form of wakeup call for astute boards and governance professionals across borders. Ask yourself how confident you are that your directors, individually and collectively, know enough about cybersecurity.
Does your board have a committee that’s specifically tasked with oversight of the organization’s cybersecurity and data storage practices? Does that committee receive reports on breaches, attempted and successful? Is the board aware of the organization’s employee education and training practices? Is the board satisfied that resources (financial and otherwise) associated with cybersecurity are sufficient? Is the board itself providing effective oversight of your organization’s associated practices, policies and protocols? How routinely does cybersecurity appear on the board’s work plans and agendas, and how would you categorize the level of the board’s discussion of the topic? Does the board composition support the capacity to ask the right questions on this critical topic?
Consider some more questions. How does the board derive whatever confidence it has in the organization’s capacity to minimize and mitigate cyber breaches? Has the board ever conducted a cybersecurity incident simulation exercise? If so, was it a one-off? Do you and the board know whether management has ever conducted such a tabletop exercise? Have such simulations driven any changes in cybersecurity education or practices within your organization?
Has the board recommended that the organization retain external expertise to conduct penetration testing, and reviewed the resulting reports? Has the board required that the organization undertake cybersecurity maturity assessments, and asked questions about internal controls? Does the board know whether management has identified an external source for incident management should the worst occur?
You may want to consider discussing these questions with your board chair. If you support the board of a registered investment adviser or broker-dealer in the U.S., you can add another question to that conversation: How do you think your board and organization would withstand the cybersecurity scrutiny of the SEC’s Office of Compliance Inspections and Examinations (OCIE)?
OCIE Lessons For Board Directors
The OCIE identifies its work as standing on “four pillars: promoting compliance, preventing fraud, identifying and monitoring risk, and informing policy.” The OCIE conducts the SEC’s National Exam Program and announced the SEC’s 2019 Examination Priorities. It conducted more than 3,150 examinations in its 2018 fiscal year, a 10% increase over the prior year.
Given that the SEC’s Strategic Plan for the fiscal years 2018–2022 specifically references cybersecurity, boards and governance professionals should be unsurprised to learn of the OCIE’s plans for a cybersecurity (cyber) “sweep.” Within the second of the SEC Strategic Plan’s three goals, readers will find acknowledgement of technology-related risks and an observation that “…cybersecurity threats to the complex system that helps the markets function are constant and growing in scale and sophistication.”
When you establish goals, you also identify initiatives to support the accomplishment of each goal. The SEC did just that with its Strategic Plan initiative 2.3. It begins, “Examine strategies to address cyber and other system and infrastructure risks faced by our capital markets and our market participants.”
Those involved with boards impacted by SEC regulations will want to familiarize themselves with the initiative in its entirety. It reads, “Data collection, storage, analysis, availability, and protection are fundamental to our capital markets, the individuals and entities that participate in those markets, and the SEC. The scope and severity of risks that cyber threats present have increased dramatically, and vigilance is required to protect against intrusions and disruptions. Consistent with our legal authority, the SEC will focus on ensuring that the market participants we regulate are actively and effectively engaged in managing cybersecurity risks and that these participants and the public companies we oversee are appropriately informing investors and other market participants of these risks and incidents.”
It’s worth noting that digital assets and cybersecurity represent a full one-third of the six themes identified as the OCIE’s 2019 Examination Priorities. The SEC is also paying attention to its own cybersecurity program, as articulated in relation to another goal, under initiative 3.4.
What This New Initiative Means For Boards
What, then, should governance professionals and their boards make of the SEC’s OCIE cybersecurity sweep? If your board’s recruitment, onboarding and development programs are effective, your directors will already be aware that cyber breaches can have ramifications extending far beyond the organization. There are additional takeaways for all governance professionals, whether or not your board and organization are subject to such risk-based examinations.
The OCIE has committed to the ongoing prioritization of cybersecurity in all five of its examination programs. While an effective board will have its “nose in and fingers out” and recognize distinctions between its role and that of management, an understanding of the OCIE’s priorities may be helpful in considering the types of oversight reports your designated committee and/or the board should receive and discuss. It can also inform the types of cybersecurity discussions in which the board should engage.
For example, information security governance is among the identified Examination Priorities. What policies and procedures does the organization have in place, and have they found their way onto board or committee meeting agendas? In the case of the OCIE cyber sweep, the examination of security governance will extend to policies and procedures as they relate to retail trading information security.
Investment advisers with multiple branch offices will want to be aware of the emphasis on cyber practices associated with not only governance, but also access rights and controls, risk assessment, data loss prevention, training, vendor management and incident response. The OCIE is also interested in network storage devices, and in encouraging organizations to ensure that such devices are properly configured. Again, whether or not your board is subject to SEC regulations, these are topics that could form the basis of a board discussion with your Chief Information Security Officer (CISO).
I’ve tossed more than a few questions your way today. If you’re ready for one more that you and your board should consider, ask yourselves what your shareholders and stakeholders might reasonably expect of the organization from a cybersecurity perspective, and what the board might do to enhance its execution of this critical oversight responsibility.