Subject: S7-10-22: WebForm Comments from Anonymous
From: Anonymous
Affiliation:

Apr. 30, 2022

I have 15 years of experience in information technology and security, specializing in policy management. I support the required disclosure of registrants' cybersecurity governance structure, including oversight, management, policies, and strategies.

Regarding question #17:

Wording should more strongly state management's and the CISO's role in defining, establishing, and communicating cybersecurity policies and strategies, rather than just implementing them. In my experience, too often organizations assign cybersecurity policy development as a task to be completed by an analyst, left in a silo to develop documentation that checks the box for audit or legal compliance. The policies are then developed without input or collaboration from the larger security function or the broader organization. With the implementation of this rule, I would foresee an avalanche of new services and templates offering to check the box with templates that define generic policies and procedures that do not consider the unique characteristics of the organizational environment or industry. When policy management is done well in an organization, it involves management actively defining and communicating the approach and expectations through collaboration across the organization, including key partners in IT, human resources, operations, risk, etc.

I would also suggest reconsideration of including a reference to procedures (i.e., "Describe management's role in assessing and managing cybersecurity-related risks, as well as its role in implementing the registrant's cybersecurity policies, procedures, and strategies."). Procedures can exist at many levels: they can be high-level descriptions of the steps taken and tools used, or they can be granular step-by-step documents that can be followed to the letter to implement a policy. Given the openness of that meaning, I believe use of the term "procedure" would be ripe for misinterpretation and could lead to burdensome, low-value documentation exercises. Organizations will inevitably require procedures, processes, and tooling for fulfillment of their defined policies and strategies. Excluding procedures from the rule would give organizations flexibility in defining procedures in a way that works for the organization.

In addition, while 106(b) calls for the review of policies post-incident, there is no statement given clarifying that policies and strategies should be reviewed regularly as a result of risk management activities, including the consideration of changes in threats and vulnerabilities, business strategy, and operational drivers. Again, to avoid the risk of this requirement being enacted with a once-and-done approach using templates that are not scoped to the environment or industry, the rule should clarify that the policy and strategy management process is ongoing as a result of risk assessment, business activities, etc.

Disclosures of policies and strategies should also include identification of the countries where cybersecurity functions are being performed and what those functions are. Investors have a right to know if a company they are considering investing in is performing its critical cybersecurity functions in countries that are identified by CISA as nation-state cyber threats.