Episode 4: Keeping Up with the SEC | On Your Radar Podcast

Don: Good morning. Good afternoon. Welcome to On Your Radar. I’m your host for On Your Radar, Don India, and I have the unique pleasure of speaking with industry experts focused on areas of data privacy, compliance, and cybersecurity. Our guest today is a distinguished guest who is an author, partner at PricewaterhouseCoopers, professor, and currently the CEO of the Digital Directors Network and a good friend of mine, Bob Zukis.

Bob, welcome.

Bob: Nice time. Great to be here.

Don: Bob, before we get started on our topic of conversation, which is something you and I know a lot about, we’re also in the infant stages of this topic we’ll discuss. Can you talk to my audience about how you arrived at where you are today? Give us a little bit of history of who you are

Bob: Yeah, Don. My professional background goes back to 1983. So I’m a child of the eighties and, disco. I’m a child of disco, actually, believe it or not. I retired from a 30-year career at PwC, lived and worked all over the world in 2012, and got very active in the governance community, and came to the realization that the boardroom didn’t really understand digital cybersecurity risk, data, privacy issues. And that leadership gap seemed like a really big problem to me. So we found a digital directors network seven years ago to really build the practice of digital and cybersecurity oversight with 1500 members, who’s who of CIOs, CISOs, corporate directors, we’re doing just that.

Don: That’s amazing. Tell us a little bit more about the Digital Director’s Network ‘cause that’s something that I know that is near and dear to your heart.

Bob: Yeah, the insight we had behind DDN was we couldn’t expect the legacy governance community to solve, fundamentally, a problem they didn’t understand. We had to bring the I.T., leadership, the digital leadership, the cyber leadership forward, and the industry forward, and they had to take control of, frankly, the many problems that their innovations have created.

So we’re bringing that community together, and it’s more than just a community. We’re actually building frameworks, methodologies, approaches to really understand these issues and manage them better as well as govern them better as well.

Don: No, that’s fantastic. 1,500 members and growing strong. It sounds like an amazing opportunity for you to continue that education. And really let’s start our conversation because your audience and your Digital Directors Network is living the SEC cybersecurity disclosure rules in its infant state today.

So let me frame our discussion because you and I can talk about this particular topic for hours on end. Let’s frame it about an article that you published about three weeks back in Forbes online. I’d like you to tell our audience what made you go down and write this article and what made you investigate some early findings that you can share with the audience in terms of, our 8-K filings, what is being presented out there and what are the gaps and omissions that we’re seeing? And then we can talk about the why behind that next.

Bob: Yeah, the article has gotten quite a bit of response in the marketplace. Some people agree with it, some people don’t agree with it, but it’s, it’s title is basically around the issue of companies are already not complying with the SEC disclosure rules. Now, whether that compliance is deliberate, or whether that compliance is through a lack of understanding with the complexity of the new rules, and they’re not simplistic rules.

Many of the SEC’s disclosure rules have some considerable vagaries attached to them. And those vagaries are having to be applied to cybersecurity now for the first time. But essentially what one of the core cornerstones of the rules is incidents now have to be disclosed when the issuer, when the company determines them to be material in the eyes of a reasonable investor reported within four days of making that materiality determination.

And it’s actually a triple materiality determination. They’ve got to determine the issue of the incident is material, and then they have to disclose the material aspects of the incident, and the material impacts of the incident. So what happened? Inventory was impaired. Customer demand was impaired. And that’s where the disclosures are falling down.

They’re not disclosing the impacts of the incident. So what’s happening is the companies and it’s from Microsoft to Hewlett Packard, to loanDepot, to VF Corp, the apparel maker VF Corp. So the companies are ringing the alarm bell. But they’re not telling their investors why the bell is ringing.

And so the SEC has already stepped in at least once with the VF Corp and said, look, your impact statements aren’t reflective of what we’re trying to do with the new rules, which is really create a standard way for investors to understand these issues more consistently, more usefully, in terms of how the information system creates value for the business and what it means for their investments.

Don: No, fantastic. It’s an interesting foray when we look at the 8-K early filings and the, I’ll call it glaring omissions, but it’s not so much blaring omissions because they do not want to in terms of the submit the materiality aspects of it. I feel that organizations are having trouble determining what the material aspects of it are.

Can you talk a little bit about that? Because no one wants to omit something from the SEC because they know the downstream negative effects. Walk me through what you think about that.

Bob: Yeah, I don’t think it’s a deliberate omission. I think it’s a lack of understanding of how to apply the SEC’s materiality regime, which has been out there for a long time. It’s not new. It’s just new to the context of cybersecurity, how to apply that materiality concept to the issues of the complex digital business system and how it creates value for the business and then how to tell that story. So what the SEC did is fairly transformational in terms of what the new disclosure rules are all about and what they want companies to tell their investors. And so the SEC put these out there, the new rules and said, okay, have at it. Right.

There’s no operational plan. There’s no implementation plan to it. It’s just go for it. Right. And so we’re seeing, you know, an early attempt to go for it that’s well short of what the SEC wanted it to be. So how will the SEC respond to that? Still to be seen. I don’t think they’re gonna start just throwing the book at companies and their disclosure filings.

And we’ve already seen, you know, that VF Corp comment letter where they said, hey, look, you didn’t tell us about the qualitative impacts of the incident. And the VF Corp followed up the next day with an amended 8-K and disclosed much more detail, much more specificity around the impacts of the incident.

And that’s where they want to take this issue.

Don: So walk me through the difficulties of uncovering materiality and you and I’ve talked about this a little bit. I’ve talked to other peers. I’ve talked to other ecosystems and other businesses that actually have solutions that help derive what materiality means. Why are they struggling to find materiality with respect to a cybersecurity event?

Bob: Yeah, when you say materiality, people’s mindset immediately goes to what’s the quantitative impact of an incident. And the quantitative implications, such as fines, penalties, such as business impairment, such as what we’re gonna have to pay for ransomware, such as did we have a business interruption events, such as what we’re going to have to pay to recover to investigate the incident.

They tend to lag the incident and so, but the SEC wants qualitative implications also understood and described to their investors. So, on one hand, I think people in the marketplace were saying, hey, the SEC didn’t tell us that there’s a 2 percent revenue threshold for materiality.

The SEC won’t do that. That’s not how they want you to figure out materiality because the issuers don’t want to be prescribed a threshold like that because 2 percent might be material for one company might not necessarily be material for another company. But what the SEC wants the issuers to do is to critically think about the impacts of cybersecurity risk and how it impacts all the different value drivers of a company.

So, look at look at United Health. So, let’s say a company has a cybersecurity incident and it impairs their ability to provide health care services in some way, shape or form and someone dies.

So the financial impact of that might be very minute for the organization, but it had a loss of life implication. So that’s what the SEC wants companies to think through. And so what a company say that, hey, our information system went down and caused a health issue, caused a loss of life issue.

Would a reasonable investor think that that implication, that impact is material? Most likely, yeah, because a reasonable investor would want to say, hey, I want to know that your information systems have that kind of an implication. Right? So companies have to think through that with a lot more dimensionality than they ever have before.

It’s not just an easy 2 percent 5 percent of revenue. Like, you know, we accountants tend to apply materiality standards. It’s not at all that.

Don: So, let’s elevate the conversation a little bit and look at organizationally. You have an organization that speaks to 1,500 CISOs who are literally putting out fires, and this is one of the fires they’re putting out simply because the cyber event is their remit of how to manage, detect, resolve, etc. What are you telling your CISOs in your community?

And then second question to follow on that. What other areas of the organization’s construct need to be engaged in not just the definition of materiality from a quantitative perspective, but truly the qualitative as well, because it’s not simply the CISO’s sole responsibility.

Bob: Yeah, and our members are CISOs, CIOs and corporate directors. It’s the early adopters that see this as a problem and want to solve it. But what we’re particularly telling CISOs right now with the new SEC disclosure rules is this is your leadership moment. This is the organization’s going to look to you, who else can they possibly look to to tell the story of how the information system drives business value and how that business value is impaired if you have an incident, and incidents, by the way, under the SEC rules are unauthorized occurrences, malicious attacks, and accidental occurrences.

So we’re sitting here today, today is four days after the McDonald’s outage from Friday. They had a third party outage. It wasn’t a malicious hack, but restaurants from Bangkok to Chicago couldn’t take orders. It was a global impact. It was only out for about 12 hours, but the company couldn’t, certain restaurants couldn’t function.

You know, Shamrock Shake Season, right? People are freaking out because they can’t get their Shamrock Shakes. So they haven’t disclosed that yet. They haven’t put that on an 8-K and said that that was material. It’s certainly not going to be material financially to them because they remediated it very quickly. But are the impacts and the fact that, you know, restaurants couldn’t take orders, a material issue in the eyes of a reasonable investor that they will be, should be disclosing? They haven’t as of yet.

I want my Shamrock Shake to me. It’s material, right?

Don: Well, I’m sitting across from the dyed green river in Chicago, so I know that lack of Shamrock Shakes here was a big deal and it made the news on a consistent basis. So, so yeah.

Bob: So, yeah, sorry to digress. Back to the question. So, this is a leadership moment. They’ve got to step up and they haven’t had to step up before in the context of telling their story against this new SEC, against this SEC regime of materiality.

They’ve got to figure that out and they’ve got to lead that discussion and it’s got to be a cross functional group of executives, disclosure processes in public companies are established already and now we got to get the cybersecurity story bolted onto that. But the, the CISO’s role is being elevated across the C-suite and it’s being elevated in the eyes of the boardroom. So it’s an opportunity, but it’s an opportunity they’ve got to consciously step up to.

Don: One last unpack question on the boardroom. You see a lot of dialogue on elevating the talent pool in the boardroom with respect to cyber conversant individuals on the board. Tell us your opinion on that, and equally how do you educate an existing board in this world of cybersecurity, so there has a layer of intelligence. If you’re not able to appoint new board members that have that level of expertise.

Bob: Yeah, you need both. You have to educate the existing board and you have to get cyber expertise, applied expertise in the room. And you need digital expertise. It’s not just cybersecurity. You need the breadth of the complex digital business system represented. Having that person within the board is in and of itself an educational experience for directors without this background.

And, you know, they bring a technical background, but they bring a well balanced background across the organization there. Their front office executives because they have to understand how the organization creates business value digitally. And then they’ve got to put controls in place to protect that value.

They’re naturally working cross functionally. So they’re much more well rounded than they’re often given credit for, but they’re the ones that have to step up and have to lead this conversation.

And so when we look at this issue at the board level, it’s helpful to also put it in the context, put the board in the context of what truly the board’s function is. The board is a control. It is literally a control in the organization. It’s the first and last point of control for the company. And what we’re talking about strengthening the board is a control with these skills and capabilities. And if you don’t have a high performing board on these issues, you’ve got a control weakness and the system is weak by definition because the leadership control is non existent.

And if there’s one control in the entire system that can impact the entire system materially, it’s the leadership control. So we got a massive leadership gap on this issue, and we’re focused on closing that leadership gap. It’s a leadership crisis on these issues, and that starts at the boardroom.

Don: Tell me more about the education that you’re supplying to your organization because here’s the thought process. If it truly is a leadership crisis, we need to ramp up that education at a rapid pace in order for that crisis to be remedied extraordinarily fast.

Bob: Yeah, so I was teaching at USCI, was teaching corporate governance, strategic management, a few other things. And I tried to get the university to stand up a corporate governance program focused on these issues. And I tried to get some other universities as well. Long story short, I got tired of hitting my head up against that wall.

But when I looked across the global academic community, there were only two universities around the world that were actually teaching governance concepts in digital oversight. It was, it was in Sead. I think it was I. M. D. So they’re both out of Europe. So, we weren’t doing it here in the U.S. And I couldn’t get them to do it. I didn’t want to go through the pain and suffering of that issue. I wanted to solve the problem. So we did it ourselves at DDN. And, that was, that’s kind of step one of a solution in a new domain like this. People don’t have a context or an understanding of the problems.

You have to actually teach them. You have to teach them about why it’s a problem, how it’s a problem. And then you have to define what the solution looks like to move them forward to that solution. So we have over 500 leaders, executives, that have gone through a certification program, and they’re learning about complex systems science. We’re teaching them how to be systems thinkers.

They’re learning about the director framework for understanding systemic risk and complex digital business systems. They’re understanding the Barfo framework, which is a blast radius fallout framework for going from incident to materiality determination. And they’re going back to their companies. And they’re applying this and some very well-known leading companies in North America are using these methodologies and advancing how they deal with these issues. So it’s working, it’s having an effect.

Don: No, it’s great. You actually shared with me your blast radius fallout flowchart. Wonderful opportunity to continue to elevate the conversation on how do we determine what actually needs to be disclosed? What doesn’t need to be disclosed? Not just at the CISO level, but at a board level too. So it’s a wonderful opportunity to continue that education.

Two questions more. One. We’d be remiss to not unpack at a little bit at a small level, artificial intelligence, because as we progress down the path, it is pervasive. It is in the news. It is everywhere. Regulations are being passed. Regulations are being considered. Where do you see an AI play or AI concerns with respect to what we’re talking about?

Not just from the, but overall regulations as it evolves rapidly over the next couple of years.

Bob: It’s, it’s a massive, massive leap forward for the information system. And I wrote an article, I think about 10 years ago about the information supply chain. So information systems are systemic by definition and they’re information supply change. You ingest data, that data gets converted to knowledge and then some action, some automated action downstream.

That’s just now happening on a much grander scale, a much more impactful scale, and a much faster scale. So everything from data privacy throughout that whole process of how those actions have been automated to the cybersecurity issues of, you know, a corruption early in that life cycle that could be magnified throughout the life cycle and create some catastrophic or horrific downstream act is a new world.

That’s a new world for us all, but it’s not a totally new world. It’s a familiar world. It’s just that the impacts and the scale of it is unprecedented. And so I think the good news a little bit is, if we pay attention to it in the right way with the right skills, with the right capabilities, we can understand it.

We can govern it. We can manage it effectively. But we can’t leave that to chance. We can’t play amateur hour with this type of technology at the board level. We’ve got to get the right skills and the right capabilities against it.

Don: Agreed. I think, as we started out this conversation, we’re at the infant stages of these disclosure rules. We’re going to have more AI disclosure rules or some variant there of a regulation. Education, as we talked about, has to be rapid. And fast at the board level, and at the executive level, in order for us to understand what is being thrown at us.

Bob: Yep, and disclosure is an education process. That’s what the SEC wants. The SEC wants to close the information asymmetry between investors and the companies on this issue. So a disclosure regime says, educate your investors about how these technologies are driving value and what it means for their investment. That’s what the SEC is trying to do. So here we are back full circle, right?

Don: That’s wonderful. Last question for you, Bob. What’s on your radar for the future? What’s keeping you up at night?

Bob: Yeah, I think it’s really that that point we talked about before about the board being a functioning control in this system. Everything else will underperform until we fix the leadership gap and the leadership crisis. And it’s from digital to information architecture, to risk communications, to cybersecurity. It’s having a high-performing board as a control in the system.

Some companies are doing that. Some really well known companies from FedEx, GM to Hasbro, and others have figured it out and they’ve transformed how the role of their board within their organizations. Most haven’t. Most are not taking the steps that they need to take to move this issue forward.

And if I was a CEO right now, and I looked across that boardroom and I didn’t see anybody that was a cyber expert, boy, oh, boy, what would I be worried? And I’d say, get somebody in that room. Why are we playing games with this? Cover my backside on this issue. And it’s not just cyber, it’s the broader spectrum of the complex digital business system.

And if I was an investor, I’d be saying the same thing, right? Because this stuff can degrade value from an investor’s perspective very, very rapidly. Very, very quickly.

Don: No, tremendously. We know a lot more conversation at the board level is going to happen. We know a lot more upskilling is going to have to occur and we’re starting to see it already. Bob, appreciate you joining on your radar today and we look forward to having you back and I look forward to speaking to you again in the near future.

Bob: Thanks for having me, Don.

Don: You bet. And for our listeners, Thank you for listening to On Your Radar podcast made possible by the Privacy and Compliance Innovators at Radar First.

Radar First offers SaaS solutions to simplify decision making as mandated by new and changing regulations. You can learn more at RadarFirst.com. If you’d like what you heard today, be sure to follow On Your Radar podcast for upcoming episodes. The next episode will be available next month. Thank you and have a great day.