Expect “intensified application of cyber-risk management expectations by the SEC and other regulatory bodies…This will require organizations to develop processes to continuously quantify and manage their cyber risk exposure.”
That’s the message from Chris Hetner, former Senior Cybersecurity Policy Advisor to the Chairman of the Securities and Exchange Commission (SEC), now Managing Director of Cyber Risk Consulting at Marsh, the international insurance broker and risk management consultant, writing in an article for Marsh, “Ignore the SEC’s Strengthened Stance on Cybersecurity at Your Own Peril.”
Read the article for a quick rundown of the SEC’s cybersecurity risk disclosure rules from 2018 – but also a new sense of urgency to prepare for a stricter regulatory environment to come.
Some of Hetner’s takes:
Pre-incident disclosure: “As technology evolves, an organization’s attack surface expands…Companies are required to set the stage for the quick identification and management of cyber incidents that have a material impact on their business.”
Board oversight: “The days when the board simply wrote a check to cover cybersecurity challenges are over. Instead, it is the board’s responsibility to understand that risk, quantify it, and oversee it.”
Incident disclosure: SEC rules on timely reporting of incidents “requires having structures in place to identify and quantify cyber risk exposure, allowing the organization to rapidly determine whether a cyber breach was, in fact, material.”
Read more of Hetner’s advice on the Marsh website.
The RiskLens Cyber Risk Quantification (CRQ) platform runs on Factor Analysis of Information Risk (FAIR), the international standard for cyber and operational risk quantification, and the de facto standard for public companies seeking to quantify their risk in financial terms to meet regulatory requirements – FAIR is in use at 8 of the Fortune 10 companies, and nearly 30% of Fortune 1000 companies.