March 30, 2023

Writing in the February edition of Foreign Affairs CISA Director Jen Easterly called for “a new model” for cybersecurity.  A month later President Biden released a new national strategy for cybersecurity which he said would “realign incentives in favor of long-term investment. When releasing the new strategy acting WH Director for Cybersecurity Kemba Waldon said, “the focus on incentives is the fundamental shift.” in the new strategy. This fundamental shift toward realigning the incentives is a direction many in the private sector, including ISA, have been suggesting for years. The new strategy, if implemented, would open the door for the essential collaborative public private partnership and a more effective collective defense for cybersecurity.

Unfortunately, all expectations are that the Securities and Exchange Commission (SEC) will not be joining the party, and instead will be doubling down the antiquated blame the victim approach to cybersecurity when it releases its new cybersecurity rules next month. The SEC’s laudable goal is to protect investors by engaging the corporate governance structure -the boards of directors – more directly in cybersecurity.  However, their proposed mechanism – still another list of reporting requirements backed by vague and ominous threats. This is the old model that, as we have detailed repeatedly in this space (IS REGULATION THE ANSWER TO OUR CYBERSECURITY PROBLEM (PART I), THREE QUICK STEPS TO IMPLEMENT THE NATIONAL CYBER STRATEGY (NOT WHAT YOU THINK), WHY CYBER REGULATIONS IN NATIONAL STRATEGY MAY NOT WORK, FIRST DO NO HARM: THE MANTRA FOR NEW CYBER REGULATION) simply doesn’t work.

What we have learned over the past two decades is that the complexity of the cyber threat simply doesn’t lend itself to the 18th century regulatory structures. What investors actually need is corporate boards to follow a process that will enable them to do a sophisticated cyber risk assessment and calibrate mitigation strategies in accord with that assessment in relation to the business plan consumers are looking to invest in.

Fortunately, there is just such a program articulated in the Cyber Risk Oversight Handbook for corporate directors released last week by the National Association of Corporate Directors and the Internet Security Alliance.  No less an authority than CISA Director Jen Easterly, writing in the forward of the handbook states “not only is this handbook chock full of clear and practical suggestions that will enable an organization to create a modern and comprehensive cyber risk program but also, and more important, it works.”                                                                         

Director Easterly’s assessment is not just her expert opinion. Multiple sources have already assessed the NACD-ISA program and found it truly does work. PwC independently assessed the use of this approach and found that organizations that use the methods outlined in these publications end up with larger cybersecurity budgets, better cyber risk management, closer alignment between cybersecurity and overall mission goals, and a better-developed culture of security throughout the organization.      

A study by MIT Sloan (CAMS) conducted in 2022 used a different methodology and found that “organizations following the consensus principles are predicted to have 85% fewer incidents,” and “can significantly improve their cyber resilience without raising costs.”

In contrast, the SEC itself in the NPRM that outlined their proposed new rules, acknowledged that they did not have evidence to support their assumptions that their new (and largely redundant) reporting regime would actually enable investors to better assess cyber risks.           

At least at the strategic level government and industry seem to be finally moving in a more productive direction n cybersecurity.  However, for this vision to translate into actual security improvements the independent agencies, led by the SEC need to get on board and support the new, and proven effective strategy and practice.