Executives in meeting showing cybersecurity rules

How Playing IT “Telephone” Creates a False Sense of Security for Audit Committees

Most top leadership and boards today understand that cybersecurity is a function that must be addressed. Even if some underestimate the degree of risk of a devastating cyber breach, they have other pressures forcing them to act. Many industries and regions must comply with cybersecurity regulatory frameworks such HIPAA, PCI DSS, FedRAMP, GDPR, and others. Investors and customers are also applying pressure, looking for assurances that the organization has a dedication to security before committing significant dollars, corporate trust, and data. In other words, the executive layer must attend to cybersecurity, whether they comprehend the full scale of the risk it is designed to address.

Yet, despite an overall greater awareness of the cybersecurity imperative, it’s clear that these leaders are still avoiding “getting into the cybersecurity weeds” on exactly how their organizations are managing cybersecurity, and indeed, whether their programs are achieving their aims. For example, a recent study indicated that only 40% of CFOs received regular briefings from the IT team, and 37% had never received any briefings. Audit committees designed to review such risks still often get filtered, high-level overviews from CISOs, rather than deep-dive analyses and external assessment findings into their true risk postures.

Our sister company has assessed the security stature of hundreds of companies, and upon presenting lists of active vulnerabilities to the C-level, most are genuinely shocked. They had been told by internal teams that security was well handled. However, most had never been personally immersed in the details, but instead only received high-level, reassuring briefings from CISOs, who themselves have gotten information filtered up the chain of command. This game of “IT telephone” has led to security blind spots and increased corporate risk. With the passing of the new SEC rules on cybersecurity on July 26, 2023, top leadership will need to actively engage if they wish to avoid legal accountability, and—importantly—a potentially catastrophic breach.

How does the information flow get stymied?

Often, security updates filter up from on-the-ground IT staff to security directors, then to the CISO or security leader, and then to the CEO and audit committee. With each passing of the message, details are obscured, concerns muted, and true gaps lost in the communications so that the teams appear efficient and effective. While I am not asserting any malice in this process, it’s fundamentally true that CEOs have a great many concerns; often, they wish to know that cybersecurity—a messy, technical, and difficult to understand discipline—is well in hand, without allotting too much time to the topic. Or, equally common, CISOs simply don’t have a seat at the table. They don’t have regular (or any) access to executive/board meetings or adequate time to present enough detail on the current-state problem. Frequently, hands-on security staff have been urgently communicating concerns about being overworked, staffing gaps, present vulnerabilities, and other concerns behind the scenes, but have little access to those who can affect change or allocate budget. In the end, this game of “IT telephone” only serves to assuage concerns of top leadership while simultaneously increasing risk to the enterprise.

Change in the wind: the SEC and new executive accountability

While many regulatory frameworks have carried with them hefty fines or other penalties for non-compliance, few have held leaders accountable for failure to actually secure the organization at large. Most mandatory frameworks focus on specific security aspects or infrastructure: PCI DSS focuses only on the security of the payments infrastructure; FedRAMP only focuses on the security of cloud infrastructure in government entities; GDPR hones in on individuals’ data privacy and associated data sharing practices; and so on. None truly ensures that the holistic organization is impervious to attack. Leaders have worked to comply with mandatory frameworks to avoid penalties, but a focus on these frameworks exclusively, rather than ensuring controls and configurations are layered in a way to prevent an attack, has left the organization exposed.

While dire predictions have been made for years that CEOs will begin seeing personal legal action for breaches, most direct action against individual executives has been limited to terminations. Two events have occurred this year that signal a sea change in how leaders may be held accountable for overall security:

  • The SEC issued Wells Notices to the CISO and CFO of SolarWinds in June. Wells Notices indicate that these executives may see personal legal action for violations of federal law in connection with the 2020 SolarWinds cyberattack.
  • The SEC issued a final rule a month later that requires public companies to make improved and uniform disclosures about cybersecurity risks, strategies, governance, and incidents (within four business days) by registrants. The rule requires cyber program disclosures annually in 10K forms and states that companies must specify how and the process by which the board oversees risk from cyberthreats, the subcommittees involved in oversight, and whether and how management updates the board and subcommittees.

So, clearly the SEC isn’t messing around. While once CEOs, boards, and audit committees could be satisfied with either high-level, sugar-coated, or even non-existent cybersecurity updates, they no longer have that luxury—they must now include specifics on the details of their cyber strategies and how they personally are involved in oversight in their annual legal filings, indicating their knowledge and consent. While there has been speculation in the media and cybersecurity community that CISOs will be increasingly targeted for legal action because of the SolarWinds example, I would caution CEOs against resting on their laurels. Because the legal filings specifically require companies to spell out how boards and audit committees are informed of programs, it’s hard to imagine how top leadership can claim ignorance. In other words, the industry’s favorite fall guy, the CISO, has far more air cover.

The benefits of the SEC rule: The end of IT telephone

While it may seem daunting to leaders that they have more accountability for cybersecurity, the previous process led to incorrect or even absent information flows to the board and audit committees. Cyber risk is quite real, and we see businesses fail and incur catastrophic damage as the result of breaches daily. Ignorance is not bliss in cyber risk. CISOs and IT teams cannot meet the challenge without adequate staffing, budget, and real-time information on risk often in the form of external assistance. With the new rules in place, top leadership will be accountable for fully understanding the real cyber risk landscape under their helm, addressing these issues with adequate financial support, and providing focus, time, and attention to technical staff to voice concerns, bringing in expertise when needed. This should go a long way to reducing the risk of cyberattacks.

After all, the buck stops at the top—even when it comes to cyber risk.