www.wsj.com
2600:9000:2156:6a00:3:4b0:de80:93a1
Public Scan
URL:
https://www.wsj.com/articles/boards-security-chiefs-face-challenges-over-new-cyber-rules-11650015001
Submission: On April 18 via api from US — Scanned from DE
Form analysis
1 forms found in the DOM
<form autocomplete="off">
<div id="scrim-from-wrap" class="input-wrap">
<label for="scrim-from">From</label>
<textarea id="scrim-from" readonly="readonly" disabled="disabled" type="text" autocomplete="off" autocorrect="off" autocapitalize="none"></textarea>
</div>
<div id="scrim-to-wrap" class="input-wrap">
<label for="scrim-to">To</label>
<input id="scrim-to" type="text" autocomplete="off" autocorrect="off" autocapitalize="none">
</div>
<div class="input-wrap">
<label for="scrim-message">Message</label>
<textarea id="scrim-message" class="msg" maxlength="500" type="text" autocomplete="off" autocorrect="off" autocapitalize="none"></textarea>
</div>
</form>
Text Content
Pro Cyber Commentary & Analysis

Boards, Security Chiefs Face Challenges Over New Cyber Rules

Cybersecurity executives to seek ways to make information easy for board directors to assimilate

[Photo: Bloomberg] Under proposals from the U.S. Securities and Exchange Commission, the agency expects to know more about how listed companies manage cyber risk.

By James Rundle
April 15, 2022 5:30 am ET | WSJ Pro

Corporate security chiefs expect a closer relationship with their boards to emerge from recent Securities and Exchange Commission proposals seeking to pry more details from companies about cyberattacks and defense measures. At least one business group worries that the SEC is going too far.

Businesses would be required to disclose which board directors have cybersecurity expertise, how often the topic of cybersecurity is discussed and what, if any, oversight the board has over cyber matters. The SEC wants to go further for investment funds and advisers, requiring boards to approve cybersecurity policies.

The proposals, now open for public comment, indicate the SEC is getting tougher as pervasive cyberattacks cost victims billions of dollars a year, according to estimates from the Federal Bureau of Investigation.

Not everyone is happy with the proposals.
The Securities Industry and Financial Markets Association, a lobbying group for asset managers, expressed concern over the breadth of the proposed rules. In a letter sent to the SEC dated April 11, Sifma said that while companies should have processes in place to escalate cyber issues to boards, directors shouldn’t be expected to manage them directly.

“We believe the requirement that boards approve policies and procedures and exercise formal oversight is too prescriptive and crosses into the realm of management,” Sifma said.

The SEC didn’t immediately respond to a request for comment.

But others say they provide much-needed clarity on expectations from watchdogs, as cybersecurity has become a core business risk for companies of all sizes.

[Photo: John Minchillo/Associated Press] Cyrus Vance Jr. is a partner and global chair of law firm Baker McKenzie LLP’s cybersecurity practice. Until the end of 2021, Mr. Vance served three consecutive terms as Manhattan district attorney.

“I think it’s a reset, and I think the advantage of this reset is they’re being very clear. They’re telling you what they expect,” said Cyrus Vance Jr., partner and global chair of law firm Baker McKenzie LLP’s cybersecurity practice.

In practice, security chiefs say, this means that CISOs and others with cyber responsibilities must learn how to translate cybersecurity data into clear risk information that nontechnical board directors can quickly understand.

This may force some companies to rethink the role itself, said Shaun Marion, CISO at fast-food chain McDonald’s Corp. He said that when he landed his first cybersecurity executive position in 2011, he lacked experience interacting with a corporate board and didn’t receive much help.

“My first board meeting was sink or swim,” he said.
“I wouldn’t say I swam.”

The SEC’s call for senior leaders and directors to understand and disclose more about their company’s cybersecurity posture will require a strong relationship between the CISO and the board, he said.

“It will change how we develop the next generation of CISOs,” he said, relying less on technical knowledge and more on business-risk experience.

Additionally, companies may have to examine the composition of their boards more closely in light of the rules and the heightened threat environment.

Steven Babb, CISO at Mitsubishi UFJ Financial Group’s investor services business, said many boards often suffer from a lack of technical knowledge, which can translate to improper management of risks.

“I think across boards, globally, there is a lack of understanding as to not just technology, but security in terms of how important it is to an organization, but equally the impact on an organization if there is an IT or a broader security incident,” he said.

Installing directors with cybersecurity expertise can help the rest of the board grasp these issues, said Baker McKenzie’s Mr. Vance. Until the end of 2021, Mr. Vance served three consecutive terms as Manhattan district attorney.

“There is thought that’s going to need to go into who your directors are, and how we are intelligently manning boards that have supervision over cyber risk,” he said.

Companies have been adding such expertise to their senior ranks in recent years, although many still lack it, according to research from financial rating agency Moody’s Investors Service.
A survey of 1,300 companies published March 31 found that around 56% of financial companies had some cyber expertise on their boards, compared with 49% of nonfinancial businesses, 37% of infrastructure issuers and 36% of public-sector entities.

But simply having cyber experts on boards isn’t sufficient to meet the SEC’s new demands, said Chris Hetner, an adviser to the National Association of Corporate Directors who previously served as a cybersecurity adviser to former agency chairs Mary Jo White and Jay Clayton.

He has often seen security staff engage with that member alone, using the director as an interpreter for other board members, who then assume that their more technical peer has the situation in hand.

“Invariably, what happens is the balance of the board totally checks out,” he said.

Instead, Mr. Hetner said, CISOs and other staff will have to find ways to convey the issues they’re facing in language board members are conversant in—business risks, the cost of mitigating them and the resources needed to manage future risks.

Mitsubishi UFJ’s Mr. Babb said that generally speaking, enhancements to governance processes within companies are welcome.

“Anything that really raises the profile and the risks relating to security up at a board level can only, I believe, promote and enhance security practices,” he said.

—Kim S. Nash contributed to this article

Write to James Rundle at james.rundle@wsj.com

Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved.

Appeared in the April 16, 2022, print edition as 'Cyber Rules Test Security Chiefs, Boards.'