GUEST ESSAY: New SEC rules aim to help C-levels, board members quantify cyber risks

By Nick Sanna

The U.S. Securities and Exchange Commission (SEC) is taking steps to crack down on insufficient cyber risk reporting.

Related: Making third-party risk audits actionable

Seeking to minimize cybersecurity threat effects, the SEC has proposed several amendments requiring organizations to report on cyber risk in a “fast, comparable, and decision-useful manner.”

Worryingly, threats are beginning to outpace organizations’ ability to effectively prevent and respond to them. Leaders are no longer as confident in their organization’s cyber resilience, and employees often lack awareness.

The SEC, in essence, is compelling businesses, public companies and large investment firms to better prepare for inevitable cyber attacks. The new rules urge companies to build more robust cyber risk management programs.

This should provide better visibility into the impact of cyber risk and demonstrate the adequacy of risk mitigation investments.

Many organizations base their risk mitigation programs on standard risk quantification models such as FAIR (Factor Analysis of Information Risk). Cyber risk officers can use FAIR to quantify cyber risk in financial terms, a language familiar to business executives and boards of directors.

Here’s a breakdown of three rule amendments the SEC has proposed:

• Reporting cyber incidents in a timely manner. Organizations will have four days to determine whether an incident poses a significant risk and report it to the SEC. However, this functions on the assumption that the organization had previously compiled its loss data and run an analysis to determine financial impact.

• Reporting on the ongoing effects of cyber incidents. Organizations will be required to update the impact previously disclosed. This presumes that organizations have the capability to aggregate cyber risk scenarios in financial terms and run a current quantitative cyber risk program, such as one based on FAIR.

• Disclosing policies and procedures for risk management. This amendment raises the curtain on policies and procedures for identifying and managing cybersecurity risks. This puts the onus on organizations to demonstrate cyber risk management practices.

Fostering understanding

The proposed amendments add onto existing rules, including requiring companies to disclose how they have been affected by cyber incidents financially. With the increased threat landscape and a surge of public and private sector attacks, stakeholders more urgently need to understand the risk.

Increasingly, cyber risk is seen as business risk, emphasizing the importance of quantifying it in a way that C-level executives and boards of directors can understand and analyze. Reporting cyber risk in financial terms is the most efficient, accurate, and compliant way forward. Based on the new amendments, security teams must rapidly and efficiently report any cyber incidents to boards and the SEC. With this in mind, how can they best do so? 

Vital to required reporting is being transparent about cyber risk: what is a company’s potential loss to the most significant cyber events? For business executives and boards of directors to assess the materiality of events that need to be disclosed, cyber loss exposure needs to be measured in financial terms, dollars and cents.

Implementing the FAIR standard not only provides a transparent approach to estimating cyber risk financially, but also complements major cybersecurity frameworks – including NIST CSF – that only provide a qualitative view of the state of security implementations. Tools now based on FAIR allow organizations to assess and report on cyber risk at scale.

Industry Benchmarking


To assess cyber risk posture in context, many boards like to benchmark cyber loss exposure against industry peers. This helps assess whether their company is more effective in dealing with cyber threats than peers and determine if more cybersecurity investments are needed.

Organizations can use cyber risk benchmark solutions based on empirical data that show average loss exposure experienced by companies in similar sectors and similar size, and compare it against their own risk assessments.

Quantitative cyber risk management programs based on standards such as FAIR also allow organizations to demonstrate cybersecurity investment adequacy, another SEC guidance element. This can be accomplished by analyzing and reporting on cybersecurity initiative effectiveness in driving cyber risk to acceptable levels.
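The passages above describe FAIR-style quantification in the abstract: loss exposure expressed in dollars (loss event frequency times loss magnitude), a 90th-percentile figure a board can compare against its tolerance or a peer benchmark, and a before/after comparison that shows whether a control investment actually drives expected loss down. The following Python script is an added example written for this page; it is not code from the essay, the FAIR Institute or RiskLens. It implements a deliberately simplified Monte Carlo version of the FAIR decomposition (threat event frequency × vulnerability → loss event frequency; primary loss plus an optional secondary loss per event) using three-point (min / most likely / max) estimates. Every number in the `CURRENT` and `IMPROVED` scenarios is constructed for illustration, as is the `annual_control_cost` figure; a real assessment would replace them with calibrated estimates and the organization's own loss data.

```python
import math
import random
import statistics


def tri(rng, low, mode, high):
    """Three-point estimate drawn as a triangular distribution.
    Note: random.triangular takes (low, high, mode), so reorder the arguments."""
    return rng.triangular(low, high, mode)


def poisson(rng, rate):
    """Poisson-distributed count of loss events in one year (Knuth's method)."""
    if rate <= 0:
        return 0
    limit, k, p = math.exp(-rate), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(scenario, years=20000, seed=7):
    """Simulate `years` independent years of loss for one FAIR-style scenario.
    Each tuple in `scenario` is (min, most likely, max); vulnerability is the
    probability that a threat event becomes a loss event."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        tef = tri(rng, *scenario["tef"])          # threat events per year
        vuln = tri(rng, *scenario["vuln"])        # P(threat event -> loss event)
        n_events = poisson(rng, tef * vuln)       # loss event frequency (LEF)
        total = 0.0
        for _ in range(n_events):
            total += tri(rng, *scenario["primary_loss"])
            # Secondary loss (fines, legal, customer churn) only materialises
            # for a fraction of events.
            if rng.random() < scenario["secondary_prob"]:
                total += tri(rng, *scenario["secondary_loss"])
        losses.append(total)
    return losses


def summarize(losses):
    """Board-level figures: annualized loss expectancy (mean) and tail percentiles."""
    s = sorted(losses)

    def pct(p):
        return s[min(len(s) - 1, int(p * len(s)))]

    return {"ale": statistics.fmean(s), "p50": pct(0.50),
            "p90": pct(0.90), "p95": pct(0.95), "max": s[-1]}


def investment_case(before, after, annual_control_cost):
    """Compare exposure before and after a control. A positive net_benefit means
    the expected-loss reduction exceeds the control's annual cost."""
    reduction = before["ale"] - after["ale"]
    return {"ale_reduction": reduction,
            "net_benefit": reduction - annual_control_cost,
            "p90_reduction": before["p90"] - after["p90"]}


# Constructed scenario: e.g. a phishing-led credential compromise. All values are
# illustrative assumptions, not data from the essay.
CURRENT = {
    "tef": (10, 20, 40),                       # threat events / year
    "vuln": (0.05, 0.10, 0.20),                # fraction that succeed today
    "primary_loss": (20_000, 50_000, 150_000), # USD per loss event
    "secondary_loss": (50_000, 200_000, 800_000),
    "secondary_prob": 0.30,
}
# Same scenario after a hypothetical control (e.g. phishing-resistant MFA) that
# cuts vulnerability; only the "vuln" estimate changes.
IMPROVED = dict(CURRENT, vuln=(0.02, 0.05, 0.10))


def run_example(annual_control_cost=150_000):
    before = summarize(simulate_annual_losses(CURRENT))
    after = summarize(simulate_annual_losses(IMPROVED))
    return before, after, investment_case(before, after, annual_control_cost)


if __name__ == "__main__":
    before, after, case = run_example()
    for label, r in (("current", before), ("improved", after)):
        print(f"{label:8s} ALE ${r['ale']:,.0f}  p90 ${r['p90']:,.0f}  p95 ${r['p95']:,.0f}")
    print(f"net benefit of control: ${case['net_benefit']:,.0f}/year")
```

Because the inputs are independent, the expected ALE can be checked by hand: mean TEF (23.3) × mean vulnerability (0.117) ≈ 2.7 loss events per year, times a mean per-event loss of about $178k (primary $73k plus 30% × $350k secondary), or roughly $485k; the simulation should land within a few percent of that, and the tail percentiles are what a board would set against its loss tolerance or a peer benchmark. Swapping the three-point estimates for calibrated ranges, and adding further scenarios and aggregating them, is the step from this toy to a defensible quantitative program.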

Ultimately, all organizations must maintain vigilance when it comes to cybersecurity. Cyber risk constantly evolves, and being targeted is no longer a matter of if but when. It is vital for organizations to follow SEC recommendations when it comes to reporting material risks and maintaining robust quantitative cyber risk management programs. A plan should be in place for organizations to effectively mitigate cyber loss exposure to the most likely cyber events.

About the essayist: Nick Sanna is president of the FAIR Institute, a non-profit expert organization dedicated to advancing the discipline of measuring and managing information and operational risk. Sanna also is president and CEO of RiskLens, which supplies cyber risk quantification services.
