How CRQ can Help with the SEC Proposed Cybersecurity Disclosures Rules
CYBER SECURITY AND THE NEW SEC REQUIREMENT
The Securities and Exchange Commission (SEC) recently proposed new regulations that would require U.S. public company boardroom disclosure of corporate directors with cybersecurity expertise. This is currently a rare skillset within the ranks of most corporate boards, not just in the U.S. but worldwide. This begs the question: why is cybersecurity professional board director information such a big deal? Aren't these professionals already disclosed through their company annual reports? The simple answer is no, or not yet, in most cases. The World Economic Forum, in a recent report, argued that cybersecurity should be considered an environmental, social and governance issue. According to the report, “Cyber risk is the most immediate and financially material sustainability risk that organizations face today. Those that fail to implement good governance on cybersecurity, using appropriate tools and metrics, will be less resilient and less sustainable. This, in turn, has an impact on the other organizations they rely on, and ultimately on the stability of companies, communities and governments.”
The SEC is not establishing any new standards for cybersecurity preparedness; instead, it is proposing rules for companies to report their cybersecurity capabilities and risk assessments to investors in an easy-to-understand manner and to make the board accountable. The goal is to standardize disclosures of cybersecurity incidents and improve visibility into a company’s cybersecurity risk management and governance policies to better inform investors. The SEC's proposed rules would require companies to provide:
- Current reporting about cybersecurity incidents
- Periodic updates about previously reported cybersecurity incidents
- Periodic reporting about policies and procedures to identify and manage cybersecurity risks
- The board of directors’ oversight of cybersecurity risk, and management’s role and expertise in assessing and managing cybersecurity risk and implementing cybersecurity policies and procedures
- Annual reporting or certain proxy disclosure about the board of directors’ cybersecurity expertise, if any.
Most organizations lack a clear and defined way to report their cybersecurity posture and cyber risk to their own boards. And many boards do not manage cyber risk as a part of the overall business strategy. The SEC’s proposed reporting rules are a forcing mechanism for organizations that have not taken cybersecurity seriously, and they elevate risk management, reporting and oversight to a mission-critical priority for senior executives and boards.
FINANCIAL QUANTIFICATION OF RISK
Chief Information Security Officers (CISOs) face unprecedented pressures to defend against ransomware, data breaches and evolving cyber threats, and to answer to the board on how a cyber event could impact the business in a language that the board understands. The CISO's new role is to be a strategic advisor: clearly understanding the business value of security investments, with the ability to explain to the board in business terms the real-world ramifications of a cybersecurity incident.
With a new regulatory push from the SEC intended to elevate cybersecurity risk management practices across industries, companies will need a streamlined and reliable way to translate their security posture into financial terms.
Now that management and the board of directors are required to report on their roles in assessing and managing cyber risks, they will rely on the CISO, Chief Risk Officer and security leaders to provide visibility into cyber risks along with current data, ongoing metrics, and reporting. It is time to get serious about addressing cyber risk, and cyber risk quantification is the technology that can help meet the SEC guidelines.
Alfahive helps CISOs and Risk Managers measure cyber risk from a financial and business perspective so they can confidently speak to the C-Suite to balance cyber risk with business initiatives and build effective security programs.
RiskNest is the first Cyber Risk Quantification (CRQ) platform built on the Open Factor Analysis of Information Risk (FAIR™) standard and enhanced with industry-specific attack activity, financial loss data and business context to provide a holistic view of cyber risk by business functions and enterprise-wide.
Quantifying cyber risk empowers business leaders to make risk-intelligent decisions. By understanding your organization’s highest risk, it is easy for a CISO to gain consensus on which controls are most relevant, which gaps must be closed and which investments are critical.
DRIVE BUSINESS ACTION WITH CRQ
Cyber Risk Quantification helps CISOs and Chief Risk Officers measure the effectiveness of cybersecurity programs, assess the potential risk reduction for future cybersecurity investments, and form a solid risk transfer strategy, such as implementing additional security controls or purchasing cybersecurity insurance.
Most importantly, cyber risk quantification can help your organization make better risk management decisions, including:
- Prioritize cybersecurity investments: CISOs can prioritize and justify cybersecurity investments based on business impacts and risk reduction.
- Optimize cyber security programs: CRQ helps to measure the effectiveness of a cybersecurity program based on potential risk mitigation actions.
- Benchmark cyber risk exposure: CRQ allows you to compare the financial risk of global offices or subsidiaries and business units for a more holistic view of cyber risk.
The newly proposed SEC reporting rules would require companies to disclose cybersecurity risks and incidents and outline the process and frequency by which the Board is informed about cybersecurity risks. In addition, companies would need to be able to demonstrate how the Board considers cybersecurity risks as part of its risk management, business strategy and financial oversight.
Alfahive's cyber risk quantification platform removes technical jargon and measures cyber risk from a financial and business perspective, a totally new concept that makes it easy to prioritize security investments, drive urgency around risk mitigation, and connect the security big picture to day-to-day business operations. Alfahive helps board members understand their organization’s cyber risk environment and the real-world ramifications of a cybersecurity incident, whether they have a technical background or not. We help leadership teams and the board make better risk management decisions so they can feel confident in their cybersecurity policies and procedures and the business value of security investments.