New Best Friends: CISOs and Legal Team Up to Address Impending Changes in Cybersecurity Disclosure

Posted by RSAC Editorial Team

This blog is part of a 10-part series that dives into the RSAC 2023 Submissions Trends pulled from our record number of Call for Speakers submissions in 2023. In this blog, we focus on what CISOs have on their mind.

The role of the CISO continues to expand and gain prominence in the boardroom. Landmark cases, such as the conviction of former Uber CISO Joe Sullivan on obstruction charges for failing to disclose a breach, are changing the way data breaches are handled, what gets reported to the board, and how oversight is conducted.

This theme resonated across several sessions at RSAC this year as panelists discussed how cases like Uber are going to change cyber disclosures required by the board and the role of the CISO in reporting on potential risk and liability in the company. As such, a strong partnership between cybersecurity, legal and risk departments has never been more critical.

Further keeping the CISO up at night is the continued increase in cybersecurity requirements they must manage and report on. For example, the Securities and Exchange Commission (SEC) is seeking to impose new rules that would increase the cyber disclosures required of boards, which could add significant costs and enforcement risk if adopted.

In the session, Preparing for the New Era of Cybersecurity Disclosure, panelists addressed the role of the CISO in contributing to the evolution of cybersecurity incident reporting. Jamil Farshchi, CISO at Equifax, shared how the company took a proactive approach to cybersecurity reporting in the wake of its highly publicized breach in 2017. “We have for the last three years in a row released a Security Annual Report which includes a whole bevy of metrics and data points around the internals of our programs.”

Cybersecurity reporting and disclosure has also caught the attention of investors. Lesley Ritter, Vice President at Moody’s, acknowledged that data breaches and ransomware attacks have direct financial impacts on the cost of capital. “When we think of lending money or investing, we talk to companies about what they are doing on cyber, and we see a big evolution in the amount of disclosures we are getting.”

In the session, Do Better: Board-Level Accountability in Cybersecurity, talk turned to the importance of the CISO’s role as cybersecurity disclosure and oversight evolves. Maggie Wilderotter, CEO of DocuSign, stated, “It’s not whether you get breached or not that matters. It’s the process of how you provide oversight to try to mitigate the risk of cybersecurity attacks.”

Greg Silberman, Associate General Counsel, Zoom Communications added, “Even if you’re not breached, you may be accused of a vulnerability or some other problem with a product, a service, or the platform that’s then going to drag you into regulatory scrutiny or litigation.”

The ease with which CISOs will be able to adapt to the changing disclosure requirements imposed by the board and investors will largely depend on their ability to form positive relationships with internal stakeholders. In the session, CISOs and Legal Uniting in a Post Uber and Twitter World, the panelists discussed the importance of the partnership between the CISO, the General Counsel and their respective staffs, and how corporate culture has a central role to play in making these relationships succeed.

“What I find interesting about the Uber case in particular isn’t whether this person or that person is to blame, but what was the environment that led someone to do that,” noted Jon Olson, Senior Vice President and General Counsel at Blackbaud. “Was there a lack of transparency in the organization, a fear of retribution, or just poor communication? What caused a human being to make those very bad decisions?”

RSAC Editorial Team

Editorial, RSA Conference
