This year is the twentieth anniversary of the U.S. legislation known as The Sarbanes-Oxley Act (SOX). The SEC moved quickly on SOX given the existential threat facing U.S. capital markets from a potential collapse in financial reporting confidence. Among other things, SOX brought significant transformation to the corporate boardroom.
One of the most impactful things it transformed was board composition, when it required disclosure of boardroom financial expertise. This had the effect of introducing finance and accounting aptitude onto many, if not most, corporate boards for the first time. Remarkable in hindsight is that it was only twenty years ago that it was a novel concept for a U.S. public company board to have a director in the boardroom who understood a financial statement and accounting issues.
The next corporate director competency that the SEC is now transforming is boardroom cyber expertise.
The SEC recently proposed new rules that would require U.S. public company boardroom disclosure of corporate directors with cybersecurity expertise. This is currently a relatively rare skillset within the ranks of most corporate boards, not just in the U.S. but worldwide.
While rare, some well-known U.S. companies already understand the value of having deep cybersecurity competencies on their board. Companies such as FedEx, Hasbro, PNC and UPS have transformed their approach to governing cyber risk, starting with boardroom cyber expertise.
Why did these boards get it, while so many others have not? Why are we now at a point where the SEC has to force corporate boards to add this skillset to their director ranks?
I recently interviewed former IBM executive and current U.S. public company corporate director Rodney Adkins on his first-hand experience with the leading edge of transforming digital and cyber risk oversight in the boardroom. I initially asked him about the need for deep and broad digital and cyber directors on boards and he commented, “Boardroom skills need to reflect the patterns of the marketplace.”
With the World Economic Forum estimating that 60% of economic growth is being driven by digital technologies, governing the creation of this value and how it needs to be protected should already be boardroom table stakes. But it isn’t yet. Rod explained the lag in corporate governance over cyber risk this way:
“The trigger for the boards that I’m on came from an unexpected place. It wasn’t the board that was the catalyst for governance reform. It was the management teams coming to the conclusion that they had to get a grip on cyber risk as a risk that was never going to go away. And then it all came together when boards realized their part in the cybersecurity system and the need to more effectively exercise their responsibilities. We sort of woke up together as a result of some of the rising awareness and education on cyber risk we were experiencing. While the natural boardroom instinct to worry about some of these issues was there, it now helps enormously to have directors in the boardroom who have been operators in cybersecurity.”
Corporate governance is a system in and of itself that requires the right director skills, boardroom structure, and scope of risk oversight. With the rapidly changing cyber risk environment that faces every company, cyber risk presents clear and present equity, financial and litigation threats. Risk is heightened in companies that do not have corporate directors who understand these issues. And these issues are squarely in the interests of investors, customers and every corporate stakeholder, which makes it an SEC issue.
These issues are significant enough that the SEC is now proposing to require disclosure of boardroom cyber expertise, as they did 20 years ago with financial expertise. I asked Adkins about the challenge of staying on top of both the changing cyber risk landscape and leading cybersecurity practices:
“While I’m on the boards of some large well known public companies, I recently joined the board of a private cybersecurity company NVISIONx exactly for this reason. NVISIONx focuses on systemic cyber risk at the data level. Data is the lifeblood of every digital system, and data that is stolen, held hostage, or even corrupted can introduce downstream risk into operational processes. This helps me stay on the leading edge of these issues and by having someone like me with an operational IT and cyber background, as these topics come up in the boardroom, I can force more of the dialogue on what is really critical, what are the real issues, the exposures, our game plan and do we have the right level of investment and talent. It allows the conversation to be much richer.”
The proposed SEC rules for boardroom cyber expertise follow the approach taken by the SEC 20 years ago with financial expertise. Instead of focusing on job titles, expertise is about the depth of experience, competencies and formal education on these issues. The proposed SEC rules suggest that expertise be determined by:
The SEC wants deep operational competencies in cybersecurity in the boardroom, as they did with financial expertise. Adding this director competency to U.S. public company boards will strengthen the boardroom as a critical control point in every company’s cybersecurity system. As happened with SOX, regulators around the world will also likely mirror this requirement, creating a global acceleration of cyber board transformation.
“The complexity of this area is partly to blame for why board reform is moving so slowly,” according to Rod Adkins. “This is a very demanding area and most companies now recognize that cyber-threats can cause serious harm. But changing the trajectory is a lot about resources, as this ramps up. You need people who understand this space and have a much deeper working practitioners’ knowledge of these issues.”
Based on Rod's experience, committee transformation also usually accompanies the addition of these skills into the boardroom. Boardroom transformation over cyber risk doesn't stop with having cyber skills in the boardroom. Governance itself is a system that relies upon the right organizing structure for the directors' activities and the right focus on risk. Over 200 boards in the U.S. R3000 now have some form of technology or cybersecurity committee on their board. This organizing principle brings greater task efficiency, focus, and accountability to the committee's mandates. Many boards, however, still follow the lagging practice of tasking their audit committee with cyber-risk oversight, a practice that the SEC's acting chief accountant has questioned.
While there can often be an unfounded bias that cyber executives are technical specialists, understanding cyber risk requires a strong understanding of where business value is coming from along with how to protect it. Given the significant role that every company’s digital business system has on revenue and profitability, bringing cyber expertise into the boardroom is now corporate governance table stakes. This will not only strengthen the boardroom as a key cyber control over downside risk but also help companies create and drive value from digital transformation.
Cyber governance is an issue of national competitiveness and security and the SEC is now proposing common sense, and easily implementable changes that will force boards to do what they could have done themselves all along—effectively govern one of the most significant risks facing the organization.
Cyber expertise in America’s boardrooms is long overdue.