Congressional Cyberspace Solarium Commission Recommends Tougher Cyber Risk Oversight by SEC, Better Risk Models for Insurance

March 13, 2020  Jeff B. Copeland

The Cyberspace Solarium Commission, a bipartisan group of lawmakers plus cybersecurity experts from academia and business, just released 75 recommendations for a government-led “layered defense” against nation-state and cybercriminal threat actors that seek to “destroy private lives, disrupt critical infrastructure, and damage our economic and democratic institutions.”

The recommendations are wide-ranging, and worth reading through, but private-sector CISOs would do well in particular to check out Pillar 4, “Reshape the Cyber Ecosystem toward Greater Security” covering financial regulation and insurance,-- also to see a hopeful sign in the Commission’s call for a government-private sector partnership to develop better data and metrics for cyber risk analysis.

Recommendation: Amend the Sarbanes-Oxley Act to Include Cybersecurity Reporting Requirements

“Cyber risk is business risk,” the report states, and it builds on the 2018 guidance from the SEC that public companies “may be obligated” to disclose cyber risks under Sarbanes-Oxley, to ask that the law be amended to explicitly account for cybersecurity, including:

  • Specifying the metrics and records to be kept for risk assessments, determinations and decisions.
  • Mandating that public companies maintain records of cyber risk assessments “so that a full evaluation of cybersecurity risks can be judged in acquisition or in legal or regulatory action.”
  • Requiring that management assess and attest to information risk management plans.

The SEC has already made clear in its 2018 guidance that, when it comes to metrics, it wants to see cyber risk reported in the same financial terms as standard for other business risks, not the vague, qualitative risk statements that have been too often the norm in cybersecurity. This Solarium recommendation would effectively make cyber risk quantification the law for public companies.

Recommendation:  Resource a Federally Funded Research and Development Center to Develop Cybersecurity Insurance Certifications

The Commission found a “fundamental lack of clarity about what security measures are effective in reducing risk.” In particular,  the insurance industry should play an “important role in identifying risk management standards” but is “failing to deliver,” the report says, because of an inability to “understand and price risk,” leading to an “opaque environment” for companies looking to buy cyber risk insurance.

The Commission recommends a new federal center to “develop models for underwriter and claims adjuster training and certification” for cyber risk insurance, with the goal of influencing the state regulators of insurance.

Recommendation: Establish a Public-Private Partnership on Modeling Cyber Risk

In the clearest policy direction yet that points the way to modeling and pricing cyber risk in quantified, financial terms, the Commission recommends “The executive branch should establish a public-private working group at DHS to convene insurance companies and cyber risk modeling companies to collaborate in pooling and leveraging available statistics and data that can inform innovations in cyber risk modeling.”

As the leader in cyber risk modeling and the only enterprise level software platform purpose-built on Factor Analysis of Information Risk (FAIR™), the international standard for cyber risk quantification, RiskLens is already out in front serving companies in

  • SEC reporting on cyber risk disclosure
  • Pricing and prioritizing among cyber risks to inform insurance purchase
And, as the leading advocates for the FAIR Model for cyber risk, we'd be happy to spread the good word about FAIR to any public-private partnership that comes along.