A report from The U.S. House of Representatives Committee on Oversight and Government Reform on the Equifax data breach of 2017 recommends that “Federal agencies and the private sector should work together to increase transparency of a company’s cybersecurity risks and steps taken to mitigate such risks.”
For starters, companies need to take seriously the Securities and Exchange Commission’s guidance on disclosing risks that could materially impact the business, the Congressional report says. “Equifax did not disclose any cybersecurity risks or cybersecurity incidents in its SEC filings prior to the 2017 data breach,” the report notes. “Federal agencies, such as the SEC, should continue to encourage the public disclosure of cyber risks to increase awareness of a company’s cybersecurity posture.”
The SEC updated its guidance document on cybersecurity risk earlier this year and significantly raised the stakes, shifting the focus to disclosure of ongoing cyber risk management procedures rather than after-the-fact incident reporting in the filings public companies are required to submit to the agency. It is no longer acceptable to merely list “risk factors” described in qualitative terms – the SEC wants to see dollar values as the standard for assessing potentially high-impact risks.
To show some teeth in its enforcement, earlier this year, the SEC settled with Yahoo! for $35 million after accusing the company of concealing its 2013-2014 breach from investors. (The agency has gone after Equifax, but on insider trading charges related to the breach, not disclosure, so far.)
Since Equifax is also a federal government contractor, the Committee added that the case highlights “the need for the federal government to be vigilant in mitigating cybersecurity risk in federal acquisition… There should be a government-wide framework of cybersecurity and data security risk-based requirements.”
While the Oversight Committee report came from the committee’s Republican majority, Democrats issued their own report suggesting a tougher enforcement policy by not just the SEC but the Federal Trade Commission: “Companies that fail to proactively make adequate cybersecurity modernizations and upgrades… could be cited for unfair practices and face significant legal and financial penalties.”
Politics aside, here’s the bottom line: the Committee report is another data point in the movement toward a risk-based, quantified outlook on cybersecurity as the new normal. Add it to the SEC guidance, the statement earlier this year from Gartner that risk quantification should be one of the pillars of integrated risk management, and the reporting from the Wall Street Journal that FAIR, the risk quantification model that powers the RiskLens platform, is “gaining traction,” as signs of the times. Contact us to learn how cyber risk quantification can work for your business.