8:45 a.m. - 9:15 a.m. U.S. Privacy Regulatory Landscape
9:15 a.m. - 9:30 a.m. Future Topics and Format
9:30 a.m. Meeting Concludes
The Cybersecurity Peer to Peer meeting provides an informal forum for NACD members who serve as corporate directors to exchange thoughts on cybersecurity trends, challenges, and best practices.
Over a breakfast meeting with thought leaders from NACD sponsor and peer exchange host PwC, attendees touched on current headlines, including the passage of the California Consumer Privacy Act of 2018. Additionally, the group focused on the SEC’s newly published requirements for cybersecurity disclosures.
During this session, participants discussed current headlines, including the passage of the California Consumer Privacy Act of 2018, and then turned to the broader U.S. privacy regulatory landscape. The group also held a robust discussion of the SEC's newly published guidance on cybersecurity disclosures. Below is an overview of the discussion; a takeaway document is attached.
SEC Cybersecurity Disclosures: In February 2018, the SEC issued Commission guidance on public company cybersecurity disclosures, covering disclosure of material cybersecurity risks and incidents as well as the application of insider trading prohibitions to material nonpublic information about cybersecurity incidents. Successful adherence to the guidance will depend in large part on the company's ability to identify material cyber information and share it promptly among the right internal stakeholders. Programs built to meet this requirement will be challenged to establish a common language and shared goals among stakeholders (security, legal, finance, and disclosure committees, among others) who do not often interact in the normal course of business.
The group agreed that successful programs will demonstrate the following characteristics: executive sponsorship (i.e., set the tone at the top); a common language for program elements; identified stakeholders that represent a diversity of functions; definition of success supported by measurement criteria common across all reporting functions; and methods, processes, and technologies for collecting, interpreting, monitoring, and distributing information on demand.
The recommendation was that boards set the expectation that management will implement an enterprise program for reporting on cybersecurity issues. Such a program should:
have the mandate of the CEO and be led by somebody with enterprise authority and visibility;
use a framework that employs strategic, nontechnical concerns as lenses for rolling up operational, technical, and performance metrics;
be a collaborative effort between security, enterprise risk, IT, and internal audit;
be aligned to the enterprise risk strategy;
allow visibility into all aspects of cyber risk (not just technology) by integrating information from IT/security, risk, audit, HR, supply chain/procurement, marketing/PR, and business operations; and
seek ways to automate reporting so that information is current, accurate, and available on demand.
U.S. Privacy Regulatory Landscape: The public lacks trust in public and private organizations to manage personal data securely and in compliance with the law, and that distrust is driving increased regulation restricting how data may be used. At the same time, the average Fortune 1000 company could increase its revenues by $2 billion a year if it increased data usability by 10%. Organizations must use data to remain competitive, but they must also manage the growing risk created by the gap between what the law requires and users expect on one side, and how technology and data are actually being used on the other. A purely compliance-driven approach does not appear to protect companies legally or reputationally, nor does it seem to let them use data competitively. If individuals do not trust organizations, and if the law struggles to keep pace with technology, the full value of data to individuals and organizations will not be realized. This leaves boards with the question of how companies can protect themselves in an uncertain regulatory environment while still leveraging data to remain competitive.
The group discussed company and regulatory trends and proposed the following questions for board members to ask management:
Do we have the capability to respond to consumer and employee requests under the CCPA?
Do we have the capability to locate all personal data and associate it with a particular individual?
Do we have a strategy to leverage data to increase revenues, decrease costs, and improve our products and services?
How is our privacy function enabling our data strategy in a secure, compliant, and ethical manner?
Are we using personal data in ways in which the laws have not contemplated? If so, how are we managing the risks associated with that use?