WASHINGTON, DC – The modern workplace is in a state of flux. With so many changes occurring, it can be challenging to keep up, especially when navigating the complex world of regulatory reporting requirements. In March 2022, the SEC proposed new cybersecurity disclosure rules on incident reporting, risk management, strategy, and governance. Simone Grimes, independent board member and Chief Financial Officer at Acadia Insurance, states that, if passed, these rules will require enhanced governance disclosures on how the board and management take responsibility for cybersecurity risks.
“As cybersecurity risks evolve, so does the need for enhanced cybersecurity disclosures,” Simone Grimes says. “It is becoming imperative that corporate directors and officers of publicly traded companies ensure their companies have an effective cybersecurity risk management program. Directors must be aware of critical cybersecurity issues, including how they can prepare for enhanced public disclosures.”
Simone Grimes explains that the board of directors is responsible for the oversight of the company’s cybersecurity program, which includes understanding the cyber risk program, monitoring cyber resilience, allocating sufficient time in each board meeting to review management reporting, and regularly evaluating the adequacy of the cyber risk program.
Simone Grimes says, “The SEC’s proposed rule would require additional governance disclosures, including the board’s oversight of cybersecurity risk, whether oversight of cybersecurity risks is the duty of the entire board, a committee, or specific board members, and a description of the organization’s processes for informing the board about cybersecurity risks.”
Furthermore, Simone Grimes states, “The proposed rule would require a public disclosure about a material cyber event within four business days from the determination that the event was material. In this regard, the board needs to be prepared to make a materiality determination as soon as is reasonably practicable after an incident is discovered.”
According to Simone Grimes, to prepare for the possibility that the proposed rule is implemented, the board will need to reassess how it evaluates cyber risks as part of its overall strategy, the extent to which cybersecurity is embedded in the corporate culture, the allocation of time dedicated to cybersecurity in each board session, and its ability to react quickly to identified cyber events.
The proposed rule increases the potential financial and reputational consequences of a data breach. As such, Simone Grimes suggests that the board of directors ensure that the company has a comprehensive cybersecurity strategy that addresses risk management, incident response planning, and employee training.
Among the biggest cyber threats facing organizations right now is the expansion in attack surface following the increase in remote workers. “An organization’s attack surface is the sum of the different access points that an unauthorized user can exploit to enter their system or extract data,” Simone Grimes states. “Organizations should be prepared to adapt their cyber risk management program as quickly as changes in the business environment and workforce occur.”
The concept of data protection is not new. However, with the widespread use of personal devices, cloud-based applications, and social media, protecting data is increasingly vital to organizations.
“The easiest way to safeguard company data is to require the use of layered security credentials,” Simone Grimes believes. “The use of multifactor authentication creates roadblocks to make it harder for fraudsters to hack the organization’s systems, impersonate employees, and access or leak sensitive data.” According to Simone Grimes, it is the board’s responsibility to ensure that cybersecurity is embedded in the organization’s corporate culture.
Cyber threats are constantly changing, and cybersecurity is a moving target. “Cybersecurity is a chess game with an ever-changing board,” remarks Simone Grimes. “It is a high-wire act with a thousand potential missteps and catastrophes. A board of directors and management must both be prepared to protect the company’s assets and quickly disclose any material breach.”
On June 28th, 2022, Simone Grimes will lead a panel discussion with fellow CFOs and CISOs on Implementing Cyber Security Frameworks to Protect Finance. For more information on the CFO Summit, please visit its website.
Simone Grimes is an independent board member, Chief Financial Officer (CFO), and entrepreneur who has a BSc in Accounting, an MS in Finance, and an MBA from Cornell University. She has held financial leadership roles across various industries, including financial services, big-four public accounting, tech, and consumer products. Simone Grimes has worked with Fortune 100 public company boards of directors to implement robust cybersecurity governance programs. Simone Grimes sits on three non-profit boards and is the independent chairman for a corporate board. She is committed to ensuring that the role of corporate board members is value accretive, including their critical role in cybersecurity corporate governance.