
SEC cyber disclosure rules: What’s the role of the CIO?

The Securities and Exchange Commission's new requirements for disclosing material cybersecurity incidents took effect Sept. 5, placing pressure on organizations to adopt robust reporting mechanisms.

The C-suite impact is clear: company leadership must be able to quickly determine whether an incident is material to business operations. The four-business-day clock starts at that materiality determination, not at discovery of the incident, and within that window publicly traded companies are required to disclose the event to the SEC on Form 8-K.

The change will call CIOs into action, bringing cybersecurity expertise to the fore, since the systems and platforms involved in an incident often fall under their purview. Executives will need to act as organizational facilitators, quickly connecting disparate stakeholders and functions.

CISOs, whose security role is also emphasized in the SEC rules, frequently report into the office of the CIO, making them a critical part of the compliance process.

The timeframe for reporting will challenge IT and the CIO to gather and communicate information as incident details emerge, said Jeff Pollard, VP and principal analyst at Forrester.

“It’s going to force the technology organization, primarily the cybersecurity organization, to provide answers while they are trying to find answers,” said Pollard. “That is an incredibly uncomfortable place to be because investigations take time.”

To address more rigorous cybersecurity requirements, CIOs can turn to their existing tool set and tech strategy. Having the necessary third-party support is also critical, according to Keyur Ajmera, CIO at iCIMS.

“There’s no one-size-fits-all [strategy], because any particular security breach or incident will have its own nuance,” Ajmera said. “The key is you should have a number of different tools and capabilities available to you.”

The CIO skill set

The update to the SEC rules comes after a years-long push by organizations to recruit CIOs with stronger cybersecurity chops.

The trend is on the rise amid the expectation that CIOs will need to quickly present cybersecurity information to the board, according to Martha Heller, CEO of executive recruitment firm Heller Search Associates.

“Boards care about security more than they have in the past,” Heller said. “For that reason, CEOs are turning to their CIOs and saying: ‘how good are you on security?’ If the answer is ‘not great,’ that could be a time to exit that person and bring in someone new.”

As the rules go into effect, the CIO's role as a communicator and collaborator will take on added weight, according to Erik Avakian, technical counselor at Info-Tech Research Group.

CIOs should ensure cybersecurity risks are well understood, but they must also be able to bridge the gap between security and the rest of the business, including the HR, legal and communications departments.

“This new requirement is going to require CIOs to be well versed in all of those areas,” said Avakian, who previously served as the CISO for the Commonwealth of Pennsylvania.

In addition to the need for diverse skills, the SEC rules highlight the importance of up-to-date, readily available insight into the IT estate, including the third-party services it depends on, according to Troy Leach, chief strategy officer at Cloud Security Alliance.

“One of the most important strategies is to have a clear understanding of the [service level agreement] for each and every third-party cloud service provider,” as well as the levels of support the vendor could provide if data gets compromised, Leach said in an email. 

Amid an ever-evolving cyber risk landscape, organizations should maintain up-to-date contingency plans that assign roles to CIOs and security personnel as well as other executives.

“Organizations should take tabletop exercises and documentation of their contingency planning more seriously as a result,” Leach said. “The exercises should include a broad group of representatives from legal, public relations and other departments that may not be as well versed in technical matters.”