URL: https://www.wsj.com/articles/boards-security-chiefs-face-challenges-over-new-cyber-rules-11650015001
Submission: On April 18 via api from US — Scanned from DE


This copy is for your personal, non-commercial use only. To order
presentation-ready copies for distribution to your colleagues, clients or
customers visit https://www.djreprints.com.

Pro Cyber Commentary & Analysis


Boards, Security Chiefs Face Challenges Over New Cyber Rules


Cybersecurity executives to seek ways to make information easy for board
directors to assimilate

Under proposals from the U.S. Securities and Exchange Commission, the agency
expects to know more about how listed companies manage cyber risk.

Photo: Bloomberg
By James Rundle
April 15, 2022 5:30 am ET | WSJ Pro


Corporate security chiefs expect a closer relationship with their boards to
emerge from recent Securities and Exchange Commission proposals seeking to pry
more details from companies about cyberattacks and defense measures. At least
one business group worries that the SEC is going too far.

Under proposals from the U.S. Securities and Exchange Commission, the agency
expects to know more about how listed companies manage cyber risk. Businesses
would be required to disclose which board directors have cybersecurity
expertise, how often the topic of cybersecurity is discussed and what, if any,
oversight the board has over cyber matters. The SEC wants to go further for
investment funds and advisers, requiring boards to approve cybersecurity
policies.

The proposals, now open for public comment, indicate the SEC is getting tougher
as pervasive cyberattacks cost victims billions of dollars a year, according to
estimates from the Federal Bureau of Investigation.

Not everyone is happy with the proposals.



The Securities Industry and Financial Markets Association, a lobbying group for
asset managers, expressed concern over the breadth of the proposed rules. In a
letter sent to the SEC dated April 11, Sifma said that while companies should
have processes in place to escalate cyber issues to boards, directors shouldn’t
be expected to manage them directly.

“We believe the requirement that boards approve policies and procedures and
exercise formal oversight is too prescriptive and crosses into the realm of
management,” Sifma said.

The SEC didn’t immediately respond to a request for comment.

But others say the proposals provide much-needed clarity on what regulators
expect, as cybersecurity has become a core business risk for companies of all
sizes.

Cyrus Vance Jr. is a partner and global chair of law firm Baker McKenzie LLP's
cybersecurity practice. Until the end of 2021, Mr. Vance served three
consecutive terms as Manhattan district attorney.

Photo: John Minchillo/Associated Press

“I think it’s a reset, and I think the advantage of this reset is they’re being
very clear. They’re telling you what they expect,” said Cyrus Vance Jr., partner
and global chair of law firm Baker McKenzie LLP’s cybersecurity practice.

In practice, security chiefs say, this means that CISOs and others with cyber
responsibilities must learn how to translate cybersecurity data into clear risk
information that nontechnical board directors can quickly understand.

This may force some companies to rethink the role itself, said Shaun Marion,
CISO at fast-food chain McDonald’s Corp. He said that when he landed his first
cybersecurity executive position in 2011, he lacked experience interacting with
a corporate board and didn’t receive much help. “My first board meeting was sink
or swim,” he said. “I wouldn’t say I swam.”

The SEC’s call for senior leaders and directors to understand and disclose more
about their company’s cybersecurity posture will require a strong relationship
between the CISO and the board, he said.

“It will change how we develop the next generation of CISOs,” he said, relying
less on technical knowledge and more on business-risk experience.

Additionally, companies may have to examine the composition of their boards more
closely in light of the rules and the heightened threat environment. Steven
Babb, CISO at Mitsubishi UFJ Financial Group’s investor services business, said
many boards often suffer from a lack of technical knowledge, which can translate
to improper management of risks.

“I think across boards, globally, there is a lack of understanding as to not
just technology, but security in terms of how important it is to an
organization, but equally the impact on an organization if there is an IT or a
broader security incident,” he said.


Installing directors with cybersecurity expertise can help the rest of the board
grasp these issues, said Baker McKenzie’s Mr. Vance. Until the end of 2021, Mr.
Vance served three consecutive terms as Manhattan district attorney.

“There is thought that’s going to need to go into who your directors are, and
how we are intelligently manning boards that have supervision over cyber risk,”
he said.

Companies have been adding such expertise to their senior ranks in recent years,
although many still lack it, according to research from financial rating agency
Moody’s Investors Service. A survey of 1,300 companies published March 31 found
that around 56% of financial companies had some cyber expertise on their boards,
compared with 49% of nonfinancial businesses, 37% of infrastructure issuers and
36% of public-sector entities.

But simply having cyber experts on boards isn’t sufficient to meet the SEC’s new
demands, said Chris Hetner, an adviser to the National Association of Corporate
Directors who previously served as a cybersecurity adviser to former agency
chairs Mary Jo White and Jay Clayton.

He has often seen security staff engage with that one expert director alone,
using the director as an interpreter for the other board members, who then
assume that their more technical peer has the situation in hand.

“Invariably, what happens is the balance of the board totally checks out,” he
said. Instead, Mr. Hetner said, CISOs and other staff will have to find ways to
convey the issues they’re facing in language board members are conversant
in—business risks, the cost of mitigating them and the resources needed to
manage future risks.

Mitsubishi UFJ’s Mr. Babb said that generally speaking, enhancements to
governance processes within companies are welcome.

“Anything that really raises the profile and the risks relating to security up
at a board level can only, I believe, promote and enhance security practices,”
he said.

—Kim S. Nash contributed to this article

Write to James Rundle at james.rundle@wsj.com

Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved.

Appeared in the April 16, 2022, print edition as 'Cyber Rules Test Security
Chiefs, Boards.'