What Your Board Is Accountable for After the SEC Cybersecurity Disclosure Rules
The Securities and Exchange Commission changed board-level accountability in July 2023. The SEC cybersecurity disclosure board accountability rules created legal obligations that did not exist two years ago. Boards that cannot describe how they oversee cyber risk are now in violation of federal securities law.
This is not an IT problem. It is a board-level legal accountability problem.
What The SEC Cybersecurity Disclosure Board Accountability Rules Require
The SEC’s final rules, effective for fiscal years ending on or after December 15, 2023, created three specific obligations for public companies.
First: Incident Disclosure
When a company determines that a cybersecurity incident is material, it must file a Form 8-K describing the incident within four business days. Critically, however, the clock starts when leadership determines the incident is material, not when it discovers the breach, and the rule requires that determination to be made without unreasonable delay after discovery. That distinction matters. Organizations must build a materiality determination process, not just an incident response process.
Second: Annual Governance Disclosure
Every annual report must describe how the board of directors oversees cybersecurity risk. If a board committee holds that responsibility, the company must name it and explain how that committee receives information about cyber risk. Vague disclosures do not satisfy the requirement. The SEC expects specificity.
Third: Management Role Disclosure
Companies must describe management’s role and expertise in assessing and managing material cybersecurity risks. This creates a direct accountability chain from the leadership team to shareholders.
What The SEC Cybersecurity Disclosure Rules Exposed
The SEC’s cybersecurity disclosure rules did not create the governance problem. They made it visible.
Research from Columbia Law School found that fewer than 15 percent of U.S. public companies disclose having a board member with cybersecurity experience. That number reflects the state of most boards before the rules, and it continues to reflect the state of most boards today.
The same research found that boards without cybersecurity expertise tend to engage in what researchers describe as symbolic oversight. In practice, boards ask whether the organization has a plan, not whether the plan would hold in the scenario they fear. As a result, they rely on the CISO to explain cybersecurity oversight, which creates a conflict where the person being overseen defines the oversight criteria.
The Specific Challenge for Board Members
Board members face a structural problem: they are now legally accountable for oversight of a domain where fewer than half of directors rate their own understanding as strong enough for effective governance.
The information gap compounds that challenge. Research commissioned by Trend Micro found that 79 percent of CISOs have felt boardroom pressure to downplay the severity of cyber risks. When the board presses for a reassuring briefing, it creates conditions for incomplete disclosure. When the board then signs off on an annual report describing its oversight processes, it has approved a description of a process shaped by filtered information.
Eighty percent of boards only act decisively on cyber risk after a breach occurs. By that point, the four-day disclosure clock under the SEC’s cybersecurity disclosure rules is already running.
What Credible Board Governance Looks Like Following SEC Cybersecurity Disclosure Rules
In practice, three practices distinguish boards that govern cyber risk from boards that describe governing it.
Separate the Briefing Channel from the Oversight Function
When the CISO provides the board’s only view of cyber risk, the board cannot evaluate what it is hearing. For that reason, an independent advisory layer, separate from internal security leadership, removes that structural conflict. The board receives an assessment informed by different questions and different incentives.
Reframe the Conversation from Technical to Business Terms
Boards that manage this well do not debate vulnerability scores or patch cycles. Instead, these boards want to know about business continuity risk. Similarly, they ask about legal exposure under the SEC’s current cybersecurity disclosure obligations and whether existing practices would survive the scrutiny of a regulatory examination.
Commission Independent Assessments Before Incidents
A vendor-aligned or internally generated review cannot produce the same quality of insight as an independent assessment. Specifically, the questions are different because the incentives are different. An independent advisor has no product to recommend and no internal relationship to protect.
About Citanex
Citanex provides executive-grade cybersecurity advisory, digital forensics, and protective intelligence to leadership teams, family offices, and enterprises that cannot afford to be wrong. That advisory scope is designed for the governance environment created by SEC cybersecurity disclosure board accountability rules, where leadership teams are now directly accountable for what they oversee and how they describe it.
Matthew D. Ferrante, founder of Citanex, served as a US Secret Service Electronic Crimes Agent before building an advisory practice spanning $1 trillion in global assets across 109 countries, including work with the Department of Justice and US critical infrastructure sectors. That background changes the questions a board receives. In particular, a federal investigator does not ask whether a compliance checklist was completed. A federal investigator asks what an adversary would do with the access the current posture provides.
Citanex Seraphim extends that protection to the executive level: AI-driven executive and family cyber protection designed for the individuals whose personal exposure creates organizational risk.
Citanex operates with complete independence from technology vendors. Independence is not a differentiator. It is a prerequisite for credible advisory.