Quantitative Cyber Risk Management for an IPO: Perform Due Diligence, Build Resilience

December 16, 2020  Jay Soni

At RiskLens, we have worked with a number of clients preparing for an IPO who share two concerns: first, how to meet regulatory requirements on risk disclosure, and second, how to build resilience and cost-efficiency into their cybersecurity program going forward, to handle the increased risk of cyber attack that public-company status brings.

Risk management based on FAIR™, the international standard for quantifying cyber risk in financial terms, is exactly the kind of transparent, defensible approach that regulators, underwriters and investors want to see. The RiskLens platform and services, built on FAIR, enable ongoing risk management that is data-driven and cost-effective.

Jay Soni is an Enterprise Account Executive for RiskLens

Here are some of the key drivers for cyber due diligence in an IPO and how risk quantification meets the challenges:

Meet SEC Disclosure Requirements

Registration statements and prospectuses must disclose material risks. In its 2018 interpretive guidance, the Commission made clear that cyber risk cannot be disclosed in generic, boilerplate terms: disclosure should be tailored to the company and weigh, among other factors, the probability and potential magnitude of cybersecurity incidents, the severity and frequency of prior incidents, and the potential costs of fines, judgments, litigation and remediation. Those factors line up directly with the loss event frequency and loss magnitude variables of a FAIR analysis. The Commission takes non-disclosure seriously: it fined Yahoo and Facebook over their failures to disclose a data breach and the misuse of user data, respectively.

Satisfy Underwriter Due Diligence Process

Underwriters face potential liability for any material misstatements or omissions in the registration statement or prospectus, but they can assert a due diligence defense. Like regulators, underwriters therefore want evidence that the risk assessment was conducted under a transparent, standardized model.

Surface Cyber Risks Before the IPO to Avoid Shareholder Lawsuits, Mitigate Director and Officer Liability

The nightmare scenario here: an undiscovered risk turns into a cyber loss event after the IPO and the stock price drops. As an article in the Harvard Law School Forum on Corporate Governance explains, the penalties for errors and omissions in IPO filings are shareholder lawsuits and lofty insurance premiums:

“The risk that newly public companies and their officers and directors will be sued in securities class actions has never been higher. And the cost of Directors & Officers liability insurance for companies going public has skyrocketed right alongside. One of the principal drivers of this trend is a 2018 decision by the United States Supreme Court which opened the floodgates for IPO-related securities lawsuits in state court, which plaintiffs’ lawyers view as much more plaintiff friendly than federal court.”

RiskLens Top Risks Report

3 Ways RiskLens Assists Pre-IPO Companies with Cyber Risk

The RiskLens software-as-a-service platform offers a series of capabilities to meet the risk disclosure requirements for IPO filings and set a new public company on the right course for resilient cybersecurity risk management. RiskLens consultants will set up and guide the onboarding and data gathering process to meet the tight deadlines of an IPO.

Understand the Risk Landscape with Rapid Risk Assessments

With RiskLens Rapid Risk Assessments, analysts can generate, in minutes, a ranked list of risks (typically 20 to 40) by probable loss exposure in dollars, giving a clear picture of a pre-IPO company’s risk landscape.

Analyze Top Risks in Detail

For the risks of most concern, the RiskLens platform walks analysts through detailed data gathering and reports on the key drivers that pushed those risks to the top of the list, which is essentially a roadmap for where and how to apply controls or other mitigations.

Run Risk Treatment Cost/Benefit Analysis for Top Risks

With the RiskLens Risk Treatment Analysis capability, analysts can model the effect of candidate controls on the risk drivers identified for the top risks, for instance to see whether reducing the frequency of loss events or reducing the magnitude of each event yields more risk reduction in financial terms, and then compare that reduction against the cost of the controls for a true cyber risk cost/benefit analysis. It also reports the ROI of each option, for teams that need to prioritize cost-effectiveness rather than absolute risk reduction.
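To make the frequency-versus-magnitude comparison concrete, here is an added, simplified FAIR-style cost/benefit model in Python. It is an illustration written for this page, not RiskLens code and not the full FAIR model (which decomposes frequency into threat event frequency and vulnerability, and magnitude into primary and secondary loss, typically with PERT distributions). Loss event frequency (LEF) and loss magnitude (LM) are each entered as min / most-likely / max estimates and sampled from triangular distributions; each simulated year draws a Poisson number of events from the sampled rate. A control either scales LEF (fewer events) or LM (cheaper events), and its benefit is the drop in mean annualised loss exposure (ALE) set against its annual cost. The ransomware scenario, the two controls, their costs and their effect factors are all constructed numbers, not data from any client.

```python
"""Simplified FAIR-style cost/benefit model (added illustration, not RiskLens code).

LEF (loss events per year) and LM (dollars per event) are triangular(min, mode, max).
A control scales LEF or LM; its benefit is the reduction in mean annualised loss
exposure, compared against its annual cost. All figures are constructed examples.
"""
import math
import random
from dataclasses import dataclass, replace
from statistics import mean


@dataclass(frozen=True)
class Scenario:
    name: str
    lef: tuple  # (min, most_likely, max) loss events per year
    lm: tuple   # (min, most_likely, max) dollars per loss event


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    lef_factor: float = 1.0  # 0.4 means events happen at 40% of the previous rate
    lm_factor: float = 1.0   # 0.5 means each event costs half as much


def tri_mean(t):
    """Mean of a triangular(min, mode, max) distribution."""
    lo, mode, hi = t
    return (lo + mode + hi) / 3.0


def expected_ale(s):
    """Analytic expected ALE: E[LEF] * E[LM], LEF and LM assumed independent."""
    return tri_mean(s.lef) * tri_mean(s.lm)


def poisson(rng, lam):
    """Knuth's Poisson sampler; adequate for the small event rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_ale(s, trials=20000, seed=7):
    """Monte Carlo: one simulated year per trial; returns the list of annual losses."""
    rng = random.Random(seed)
    lef_lo, lef_mode, lef_hi = s.lef
    lm_lo, lm_mode, lm_hi = s.lm
    losses = []
    for _ in range(trials):
        rate = rng.triangular(lef_lo, lef_hi, lef_mode)  # stdlib argument order: low, high, mode
        events = poisson(rng, rate)
        losses.append(sum(rng.triangular(lm_lo, lm_hi, lm_mode) for _ in range(events)))
    return losses


def percentile(values, pct):
    """Nearest-rank percentile, used here to report the tail (p90) of annual loss."""
    ordered = sorted(values)
    idx = min(len(ordered) - 1, int(round(pct / 100.0 * (len(ordered) - 1))))
    return ordered[idx]


def apply_control(s, c):
    """Scenario with the control's effect applied to frequency and/or magnitude."""
    scale = lambda t, f: tuple(v * f for v in t)
    return replace(s, lef=scale(s.lef, c.lef_factor), lm=scale(s.lm, c.lm_factor))


def cost_benefit(s, c, trials=20000, seed=7):
    """Risk reduction, net benefit and ROI of one control against one scenario."""
    base = simulate_ale(s, trials, seed)
    treated = simulate_ale(apply_control(s, c), trials, seed)
    reduction = mean(base) - mean(treated)
    return {
        "control": c.name,
        "ale_before": mean(base),
        "ale_after": mean(treated),
        "p90_after": percentile(treated, 90),
        "risk_reduction": reduction,
        "net_benefit": reduction - c.annual_cost,
        "roi": (reduction - c.annual_cost) / c.annual_cost,
    }


def rank_controls(s, controls, key="risk_reduction", trials=20000, seed=7):
    """Rank controls by absolute risk reduction (default) or, with key='roi', by ROI."""
    results = [cost_benefit(s, c, trials, seed) for c in controls]
    return sorted(results, key=lambda r: r[key], reverse=True)


# Constructed example: ransomware against a customer-facing platform.
RANSOMWARE = Scenario("Ransomware on customer platform",
                      lef=(0.2, 1.0, 3.0),
                      lm=(200_000, 1_500_000, 8_000_000))
CONTROLS = [
    Control("Phishing-resistant MFA + EDR", annual_cost=400_000, lef_factor=0.4),
    Control("Immutable backups + tested restore", annual_cost=250_000, lm_factor=0.5),
]

if __name__ == "__main__":
    for r in rank_controls(RANSOMWARE, CONTROLS):
        print(f"{r['control']}: ALE ${r['ale_before']:,.0f} -> ${r['ale_after']:,.0f}, "
              f"p90 ${r['p90_after']:,.0f}, reduction ${r['risk_reduction']:,.0f}, "
              f"net ${r['net_benefit']:,.0f}, ROI {r['roi']:.1f}x")
```

With these constructed inputs the frequency-reducing control (MFA + EDR) removes more dollars of expected loss, while the magnitude-reducing control (backups) has the higher ROI because it is cheaper; ranking by `risk_reduction` and by `roi` therefore gives different answers, which is the choice the text describes. The expected ALE can be checked analytically (E[LEF] × E[LM] = 1.4 × $3.23M ≈ $4.53M), which is a useful sanity test for any quantification tooling before trusting its tail percentiles.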

Contact us to learn how RiskLens can support your initial public offering with defensible, cost-effective cyber risk management.