Ukraine War and Upcoming SEC Rules Push Boards to Sharpen Cyber Oversight

In many companies, the role of cybersecurity officers was elevated at the start of the Covid-19 pandemic when businesses quickly shifted to remote work and the volume of cyberattacks grew, said Lucia Milica, global resident chief information security officer at cybersecurity firm Proofpoint Inc. 

“It was sort of this ‘a-ha’ moment for a lot of boards,” she said.

In 2023, the U.S. Securities and Exchange Commission is expected to complete a proposal to require companies to disclose details about cybersecurity oversight and attacks, including which board members have security expertise. Those rules are “going to focus a lot on increasing board responsibilities,” said Patrick Gaul, executive director of the National Technology Security Coalition, an advocacy group for chief information security officers, or CISOs.

Businesses have received repeated warnings from U.S. government agencies about risks to companies after Russia’s invasion of Ukraine nearly one year ago. There haven’t been any destructive cyberattacks on American companies disclosed in connection to the war, but many CISOs remain wary, Mr. Gaul said. Members discussed the war during several roundtable discussions the coalition held in 2022, he said. 

Marc Hofmann, chief security officer at Finnish bank

Nordea Bank Abp,

said directors are asking more pointed questions about his work. 

They want to know how the bank might defend against a cyberattack from hackers working for a foreign government, he said. Mr. Hofmann and the board have also discussed hypothetical situations such as whether the bank, which mainly operates in northern Europe, needs satellite phones in case communications go down in a particular country, he said. In the past year, he has interacted with directors more frequently than in prior years, he said.

“There’s a mindshift change going on that nobody would be safe from a nation-state attack,” he said.

The war, along with the hybrid work models that have been put in place at many companies as a result of the pandemic, prompted corporate directors to carefully consider how their companies might be exposed to cyber risks, said Andrea Bonime-Blanc, chief executive of GEC Risk Advisory LLC, a New York-based firm that advises boards and executives about cybersecurity and risk management. 

Board awareness of cybersecurity “was already increasing glacially, but I think the Ukraine war has sharpened the minds,” Ms. Bonime-Blanc said. 

Some boards now rate cyber threats on a par with trade wars and supply-chain problems among risks that could have major impact on companies, said Michael Hilb, a professor of corporate governance at the University of Fribourg in Switzerland.

“This had implications about the whole approach. Planning and predictability has changed, how they budget, how they do strategy, is another indirect effect of the war,” he said.

Still, many large companies don’t have board members with significant cyber expertise. Only 1.9%, or 86 of 4,621, board directors representing S&P 500 companies have held relevant professional cybersecurity roles in the past 10 years, according to a WSJ Pro analysis published in November. 

About 34% of directors don’t believe their boards have enough expertise to properly govern cybersecurity, according to a survey of 312 directors by the National Association of Corporate Directors. 

A communication gap between boards and security chiefs means neither side is as effective as needed to govern cybersecurity, said Yael Nagler, chief executive of Yass Partners, a consulting firm focused on aligning security leadership. 

Directors sometimes fail to understand core threats, Ms. Nagler said. “They’re not shy people but when it comes to cyber, they feel like they’re asking dumb questions,” she said. 

CISOs, in turn, often don’t take time to understand the role of a board and the specific experience and knowledge of their directors, she said. Successful CISOs ask directors what they want to know before meetings and follow up afterwards on whether they got what they expected, she said. 

Security leaders “often wait for permission,” she said. “There just isn’t enough dialogue.” 

Write to Catherine Stupp at catherine.stupp@wsj.com and Kim S. Nash at kim.nash@wsj.com