It’s been nearly a year since the Securities and Exchange Commission (SEC) issued its “Guidance on Public Company Cybersecurity Disclosures” that shook up cyber risk reporting for US public companies.
The SEC redefined what it wants to see in filings to go beyond just disclosing cyber attack incidents—the regulators now want proactive reporting in financial terms about cyber risks of potential material impact.
In a recent edition of The Wall Street Journal’s Cybersecurity Pro newsletter (subscription required), Kim S. Nash writes “Adherence to the SEC’s, shall we say, aggressive encouragement of disclosure has been uneven.
“Reading the proxy statements of some firms in the S&P 500, one might surmise that cyber threats don’t exist. They have said nothing about the risk in their filings.”
Nash does write that “oversight by boards and senior leaders has improved in the past year or so, with directors educating themselves about cybersecurity,” particularly as a reaction to highly publicized data breaches and ransomware incidents at big companies.
The SEC guidance specifically called for disclosure on board oversight regarding information risk. Nash cites these stats that suggest slow progress.
- Only about half of directors think they understand cyber risks enough to provide effective oversight, according to a survey by the National Association of Corporate Directors.
- Just a quarter of S&P 500 companies disclosed in proxy filings that they have at least one director with cybersecurity skill.
- Only three of the S&P 500 operate a standalone board committee dedicated to cybersecurity.
“Things are better than they were but there’s still a long way to go,” Nash concludes.
Boards and senior management should assume the SEC will only ratchet up cybersecurity oversight. Late last year, the Commission fined Voya Financial Advisors $1 million for lax cybersecurity controls and the SEC Office of Compliance Inspections and Examinations said recently that an enforcement priority for 2019 would be cybersecurity at investment companies and other financial institutions.
The RiskLens cyber risk quantification platform runs on the FAIR model, the only internationally recognized standard for analyzing inforisk in financial terms. Large, sophisticated public companies are rapidly moving to FAIR to meet regulatory disclosure requirements. Evidence: membership in the educational FAIR Institute includes risk analysts and executives from eight of the Fortune 10 and about 30% of the Fortune 1000 companies.
According the SEC, disclosures should cover these elements – the RiskLens platform handles data collection and analysis for each:
- Frequency of cyber events, based on past experience
- Probability and magnitude of incidents (costs, in financial terms)
- Adequacy of controls (Learn more: How IT Auditors Evaluate the Effectiveness of Controls with Risk Quantification)
- Third party suppliers that might create material risks
- Amount of insurance coverage (Learn more: How Much Cyber Insurance Do We Need?)
- Potential reputational harm
- Potential fines and judgements from cybersecurity incidents (Learn more: Understanding Secondary Losses in a Data Breach)
Contact us to learn how RiskLens can help with your public filings for cyber risk disclosure.