Risk Management, a publication of the Risk and Insurance Management Society (RIMS), is out with its 2020 Cyberrisk Landscape article, including a prediction by RiskLens Risk Science Director Jack Freund, PhD, in a section on “Shifting Regulatory Focus”.
The regulatory landscape is now heavily mined with privacy laws – all 50 U.S. states have breach statutes on the books, the new California Consumer Privacy Act (CCPA) is the most stringent, and enforcement of the EU’s GDPR is gaining strength. Recently, Facebook settled a class action suit filed under the Illinois biometric data privacy law over its facial recognition software, with a payment of $550 million. That dwarfed the recent settlement of the Equifax data breach class action suit for $380 million.
“Regulation, or simply standards of practice, will elevate the requirements for Boards of Directors when exercising duty of care with respect to cybersecurity losses,” Jack predicted. “Disclosures around exposure to cyber losses will require more detail, including potential losses and how those losses are covered either through cash reserve, bond or insurance.”
The Securities and Exchange Commission (SEC) has been strongly pointing public companies in that direction since its March 2018 guidance document, which asked for disclosure of cyber risk in the same financial terms that are standard for other business risks, based on quantitative analysis (see our blog post, SEC Tells Public Companies to Up Their Game in Assessing and Disclosing Cyber Risks).
The Commission has just renewed that guidance with the OCIE Cybersecurity and Resiliency Observations document, which makes a number of pointed suggestions: board and senior management involvement in cybersecurity, cyber risk assessments in line with the organization’s business model, and communication within the organization about cybersecurity in businesslike, not technical, terms (see our blog post, New SEC Guidance on Cybersecurity for Financial Industry: Tighten Up Governance and Risk Management).
As Jack says, all these trends roll up to the board level and make the case for analyzing and communicating cyber risk from the point of view of quantifiable loss events – the purpose of the RiskLens platform, based on the FAIR™ standard for cyber risk quantification. With RiskLens and FAIR, risk teams can answer the questions the board needs answered to fulfill its duty of care obligations, such as:
- How much risk do we have?
- What are our top risks?
- Are we spending too much or too little?
To learn more about board reporting with the RiskLens platform, contact us.
Read the complete Risk Management article: 2020 Cyberrisk Landscape