What to Expect With SEC Cybersecurity Board Disclosure Rules Likely Effective Spring 2023
What Qualified Technical Expert Board Talent Can Expect in Positioning Themselves & Prioritizing Conversations + Opportunities
By: Sherri Douville
With acknowledgement to both Bob Zukis, CEO at Digital Directors Network and Eric Svetcov, CTO/CSO at Medigram for providing their insights as well as historical context for this article.
SEC rules for cybersecurity board disclosures are expected to be finalized this Spring.
SEC disclosure rules get voted on by SEC commissioners, not Congress, so we can expect SEC rules to be less impacted by the political process or “what might happen in November.” I’m referring (tongue in cheek) to apparent anarcho-libertarian stakeholder drives to block or thwart rules in general.
The current SEC Chair, Gary Gensler, will be there at least until June 5, 2026, the end of his 5-year term. A pattern that Bob Zukis has identified is Sarbanes-Oxley and what it did for the prominence of the “qualified financial expert” on boards. Bob’s organization, DDN, trains CISOs and CTOs with a “qualified technology executive” certificate.
Some percentage of legacy board directors may complain that tech experts being brought onto boards don’t seem to totally fit into their perception of yesterday’s board milieu.
Bob Zukis developed a masterclass through the organization he leads, Digital Directors Network (DDN), which aims to teach tech execs the nuances of corporate governance and how to message more effectively. In his view, that is a big part of the solution to that misperception. As Bob mentions, “most tech and cyber executives are well ahead of where audit and finance types were in their broader understanding of business strategy and other issues at the time of Sarbanes-Oxley being enacted. Though we (technically competent cybersecurity executives) do have a bias to overcome, which is the reality.”
As an aside, as a CEO I personally think that other common talent challenges, like comprehension gaps for the complexity of today’s facts, slow learning, and being over-influenced by idealism, would all be much worse for board team misalignment than a board candidate’s communication being “too technical.”
But I digress.
You can see a QTE as a technical corollary to the QFE. Coincidentally, SEC Chair Gensler was a one-time adviser to Sarbanes of the famed Sarbanes-Oxley rules. Bob predicts, based on his knowledgeable assessment, that the proposed rule is likely to go live in April. Only 1/5 of today’s SEC commissioners’ terms expire in 2023.
Unknowns and their impact worth filing away:
- Unanticipated legal challenges to SEC rule-making
- Unexpected challenges to agency authority and impacts on any new SEC rule
What’s Enforcement Got to Do With It?
The 5th U.S. Circuit Court of Appeals ruled on May 18, 2022, that the Securities and Exchange Commission (SEC) does not have the constitutional authority to adjudicate the enforcement of its own rules. The court’s 2–1 ruling in the case will likely go to the Supreme Court. If the Supreme Court upholds that ruling, there could be a likely challenge to the constitutional authority the SEC currently has to adjudicate the enforcement of its own rules, which would have the effect of, for example, deregulating the entire financial industry.[1] It’s unclear what the loss of SEC enforcement authority would do to the practical impact of rules regarding cybersecurity board disclosures. Is it common sense to assume that without showstopping enforcement authority, rules can be reduced to just compliance theatre at best?
What Can You Expect the Rules to Specify?
In my latest cybersecurity lecture for the largest network of Black board executive talent in the country, Black Corporate Board Readiness (BCBR) at SCU, where I had the honor to co-facilitate with corporate board director Anita Lynch (and whose predecessor session was originally co-designed together with Lucia Savage, Eric Svetcov, and Anthony Lee), we shared what Bob predicts to be the focus of the new rule in this slide pictured here:
Who will care about complying urgently with these new rules?
- Those organizations whose downstream customers require cybersecurity risk management as part of contracting.
- Those organizations with a sincere interest in national security over alliance or cooperation with hostile foreign adversaries.
- Those organizations with shareholder pressures to comply.
It’s very important to understand the knowledge and commitment level of the executive team and board. A renowned technologist explains here how to reverse interview for this assessment.
Order of predicted sense of urgency in general (many exceptions will ensue; for example, a private company meeting customer contracting requirements will flip from least urgency to first-place urgency):
- Fortune 50 (with some exceptions: e-commerce, consumer tech, adtech, etc.)
- Fortune 500
- Tier 1 hospital chains, publicly traded hospital chain companies pressured by contract scope and related flow down terms related to security controls from insurers
- Insurance companies
- Russell 3000 index
- Non-profit hospitals
- Non-profit sector in general (tie for last with private companies). Naiveté and idealism will be a huge challenge here.
- Private companies can be predicted to wake up on the issue close to last UNLESS they have cybersecurity customer contract terms to address, though the rest of the stakeholder, talent, and investor ecosystem could be rife with knowledge gaps and misalignments.
Wrinkles in a new complexion for widespread board level cybersecurity competence:
Authoritarians, to whom Americans are psychologically susceptible at a rate of 1/3, can be predicted to bully people with denial of the related complexity; subsequently they would be expected to “hand wave” away what it means to meaningfully address cybersecurity, much like what we see with ineffective attempts to bring tech into the medical market.
Libertarians in all corners will decry any rules, safety or cybersecurity be darned!
The sense of urgency within the healthcare sector specifically will be determined by a combination of stakeholder/shareholder accountability and organizational competencies. On Wednesday, Eric Svetcov posted to LinkedIn this article about cybersecurity impacts on a recent Tenet Healthcare earnings report, something expected to materially impact organizational urgency.
In terms of the healthcare market, we believe that publicly traded healthcare organizations will be first, more mature, and ready to comply with the anticipated forthcoming rules. We predict that they will be faster to adapt to past incidents than hospitals in other types of markets (government, non-profit, etc.).
In this example of the publicly traded hospital chain Tenet, “Its Q2 earnings report showed that the incident took a financial toll on the organization.
Along with an unfavorable impact of approximately $100 million to adjusted EBITDA (earnings before interest, taxes, depreciation, and amortization), the company’s net operating revenues experienced a decline of 11 percent compared to Q2 2021. The decline was partially attributed to the cyberattack, but also to the sale of Tenet’s Miami-area hospitals in Q2 2021.
“Same-hospital net patient service revenue per adjusted admission decreased 0.2 percent year-over-year for Q2’22 primarily due to the unfavorable impact of the cybersecurity incident, partially offset by improved pricing yield,” the report continued.
Despite these losses, the costs of recovery for Tenet Healthcare were comparable to those of other cyberattacks suffered by large healthcare organizations. For example, Scripps Health incurred approximately $112.7 million in losses after a May 2021 cyberattack disrupted its operations.” [2]
As a consequence, we’d be shocked if the Tenet board is not already preparing, or perhaps already fully prepared, to comply when this rule likely goes into effect in the Spring.
The confusion resulting from the current proposed federal privacy law is completely separate from and unrelated to this SEC proposed rule on cybersecurity board disclosures. From an Advanced Health Technology CEO, CTO or CISO perspective, we don’t even know if the proposed federal privacy law will meaningfully decrease or increase privacy risks to consumers across devices, networking, and data.
We hope this article helps you to project where your organization or industry might be going with this issue of the SEC board cybersecurity disclosure rules, and whether they or the ecosystem in which they operate can be predicted to be an early adopter, laggard, or something in between. Most reputable healthcare companies, even non-public ones, are likely to fall somewhere between first- and last-place actors, with a need to increase literacy, competency, and urgency while being under pressure as a highly visible federal critical infrastructure sector member.
While it looks like meaningful change is almost here, it’s a marathon, and in my view it pays to be strategically precise as one paces their operating and board careers for long-term impact and satisfaction. To do so, you need to be able to predict who is “tire kicking” the issue of cybersecurity and who has both the aptitude and appetite for it. Otherwise, as a gifted technologist, you may find yourself in a time-wasting or some other professionally or intellectually undesirable situation.
Lastly, as John Reed Stark (former Chief, SEC Office of Internet Enforcement) illustrates, there is a libertarian propaganda assault on the SEC playing out today, so that’s one wildcard to watch. You must see and accept facts to be prepared for facts.
By Sherri Douville, CEO at Medigram, the Mobile Medicine company. Recognized in 8 categories of top CEOs by Board Room Media (across SMS, mHealth, iOS, IT, Database, Big Data, Android, Healthcare). Top-ranked medical market executive worldwide and #1-ranked in mobile technology categories (mHealth, iOS, Android), #1–2 (on any given day) for the cybersecurity market in the U.S. on Crunchbase. Best-selling editor/author of Mobile Medicine: Overcoming People, Culture, and Governance and Advanced Health Technology: Managing Risk While Tackling Barriers to Rapid Acceleration, Taylor & Francis; Series Editor for Trustworthy Technology & Innovation and Trustworthy Technology & Innovation in Healthcare.
[1] Fifth Circuit, George R. Jarkesy, Jr. and Patriot28, LLC v. Securities and Exchange Commission.
[2] https://healthitsecurity.com/news/tenet-healthcare-cyberattack-leads-to-100m-in-lost-q2-revenue