Recently the U.S. Securities and Exchange Commission (SEC) created new cybersecurity disclosure rules for public companies. Among other things, the rules require public companies to disclose in their Forms 10-K “management’s role in assessing and managing material risks from cybersecurity threats” and “the board of directors’ oversight of cybersecurity risks.” Thus, the rules emphasize the need for management and boards to understand the cyber environment.

Although the disclosure requirements of the new SEC rules do not apply to private companies, they highlight how essential it is for the management and boards of companies — be it public or private — to understand, assess, and think proactively about cybersecurity.

These days, virtually all companies are vulnerable to cyberthreats because they operate in the digital world, be it through their online and mobile payment systems, cloud storage of information and data, remote work and videoconferencing, or adoption of artificial intelligence. Therefore, cybersecurity is no longer a niche discipline that can be relegated to the IT department. It now requires a company-wide effort, and nontechnical executives and board members must take an active part is cybersecurity management. Consider:

• A recent KPMG survey of 1,325 CEOs found that 77% see information security as a strategic function as well as a potential competitive advantage.
• Risk management and insurance professionals from 23 industry sectors identified cyber incidents as the top global business risk in the 2023 Allianz Risk Barometer.
• According to Gartner, there is a growing concern that CEOs will be held personally liable for cyberattacks on cyber-physical systems (CPS) in incidents that result in loss of life, loss of property, or environmental harm. CPS involves the digital control of physical processes, including in autonomous driving, smart buildings and smart cities, infrastructure, and clinical health applications.

In addition to the importance of protecting the company from cyberattacks to prevent data breaches, operational disruptions, or physical harm, management now needs to consider the company’s relationships with clients, customers, and vendors. In our interconnected world, cybersecurity has become a significant risk factor for the entire supply chain of both goods and services. Thus, many private and public entities now require their vendors to comply with cybersecurity best practices. For example, U.S. Department of Defense contractors that process, store or transmit Controlled Unclassified Information must meet the Defense Federal Acquisition Regulation Supplement (DFAR), that specifies a set of security controls. And it is now a violation of the Federal False Claims Act for government contractors to misrepresent their cybersecurity programs and qualifications. Even if your company does not deal directly with the government, there is a noticeable trickle-down dissemination of these requirements from contractors to subcontractors, and further down the supply chain.

The Cyber Environment Is Ever-Evolving

As more of our business processes are moving online, they provide a growing opportunity for cybercrime. This year, the global damage from cyberattacks is estimated to reach $8.5 trillion, rising to $10.5 trillion in 2025. Consider that the global cost of cybercrime was only $3 trillion in 2015, and the steep upward trend becomes obvious.

Arguably the most disconcerting aspect of the increase in cybercrime is how fast it is evolving — new hacking groups, new malware, and new forms of cybercrime are appearing all the time. In this environment, a company’s cybersecurity posture must evolve, too. The security measures from two years ago may no longer be sufficient today.

Yet cybersecurity is also a significant budget item for most companies. It is, therefore, essential that management and directors have sufficient current knowledge to make informed decisions about the company’s cybersecurity program — one that balances the company’s security needs with its strategic goals and financial capabilities.

An Annual Training for Managers and Directors Is an Easy Approach to Learn About the Current State of Cyber

While the importance of cybersecurity continues to grow, it is but one responsibility in the portfolios of managers and directors. An annual training enables busy executives and directors to keep current on today’s cyber environment and be sufficiently informed to set the company’s cybersecurity strategic priorities and risk management.

A good training program should include:

• an overview of the biggest breaches/crimes in the past year
• trends in cybercrime
• the current state of cyber
• a review of developments in cybersecurity tech
• a discussion of best practices with respect to cybersecurity, such as staying on top of patching and critical updates, using a virtual private network (VPN) to access company information in the cloud, and training employees to spot and avoid scams and social engineering
• a review of potential cyberthreats from supply-chain partners
• a discussion of clients’ expectations with respect to their vendors’ cybersecurity programs
• a refresher on incident reporting responsibilities
• an exercise to simulate a threat and a successful cyberattack

Participating in such a training program creates an opportunity for managers and directors to focus on their company’s cybersecurity program in the context of the bigger cyber picture. This approach encourages innovative and strategic thinking about cybersecurity, and often results in identifying new opportunities for increasing security and possible competitive advantages that a strong cybersecurity program may produce.