The OCIE Cybersecurity and Resiliency Observations document says “effective cybersecurity programs start with the right tone at the top with senior leaders who are committed to improving their organization’s cyber posture through working with others to understand, prioritize, communicate and mitigate cybersecurity risks.”
Specifically, the OCIE recommends this checklist:
This checklist closely follows the roadmap set by the SEC’s guidance of March, 2018 (see our blog post SEC Tells Public Companies to Up Their Game in Assessing and Disclosing Cyber Risks) though that document had a different focus: cyber risk reporting in disclosures by public companies. The SEC’s message then was that cyber risk must be reported in the same financial terms as is standard for other business risks – no more vague, qualitative statements that had been the norm in cybersecurity.
The 2018 guidance strongly pointed public companies to quantitative analysis of cyber risk to meet new stringent requirements – as does this latest messaging from the SEC aimed at brokers and other managers of money.
With a quantitative, financial basis for understanding cybersecurity, organizations can engage senior leadership in the non-technical terms they understand… perform risk assessments that align with the organization’s business model… set policies and procedures that include tangible goals, for instance based on risk appetite defined in financial terms… test and adapt with rapid triaging of risks, enabled by financial analysis…and clearly communicate cyber risk in business terms – as this latest messaging from the SEC and the 2018 guidance recommend.
Some background: The OCIE has been particularly concerned about the rapid movement of the investments industry to the cloud – see their 2019 Risk Alert on network storage of customer records. For our outlook on the problem, see this blog post: Three Steps to Evaluate Security Risks of Cloud Migration.
The RiskLens platform, operationalizing the international standard model for quantitative cyber risk analytics, the FAIR model, is in use at many of the largest, global financial institutions for analysis and reporting to decision makers, stakeholders, investors and regulators. Contact us to learn more.